The following list provides more detailed explanations of the various reasons IPs may be listed in the GPF DNS Block List. This is an ever evolving list, so it may change from time to time as new reasons are added and explanations are expanded. Note in particular that every single one of these reasons represents an unmistakable or highly suspected malicious attack against one of our servers, so we take each one of these seriously.
fdb4:6272:183f:95f2::* address after each entry is the "flag IP" returned by the DNS Block List when a query is successfully answered. You can test the last group of digits of this IP (i.e. the number after the final period or colon) to get the reason for the IP's ban.
You can see a ranking of these reasons by the number of IPs blocked on our reason ranking page.
- Unclassified (127.0.0.1 or fdb4:6272:183f:95f2::1)
- This blocked IP has not been classified yet. There could be many reasons for this, but the most likely reason is that it was added to the database before we kept detailed reason records for each individual IP. However, this IP has been caught directly attacking one of our servers, even if we haven't specified the reason yet.
- Vulnerability Probe (127.0.0.2 or fdb4:6272:183f:95f2::2)
- This IP has actively attempted to scan our scripts for vulnerabilities. While it did not actively attempt to inject code, it did make requests consistent with searching for scripts with known vulnerabilities.
- Environment Scan (127.0.0.3 or fdb4:6272:183f:95f2::3)
- This IP has actively attempted to obtain environment information by searching for known exploits in server-side scripts. This usually means they were trying to access /proc/self/environ or a similar informational UN*X path, or perhaps an attempt to access /etc/passwd or /etc/shadow. These sorts of probes typically are searching for weaknesses in specific OS versions that can be exploited.
- Bad Spider/Bot (127.0.0.4 or fdb4:6272:183f:95f2::4)
- This IP appears to be associated with a malicious or simply poorly designed spider or bot. It may not respect robots.txt or it may not limit its requests as a courtesy to human visitors. Poorly designed bots are a nuisance and can interfere with our readers' ability to use our site. Malicious bots, on the other hand, actively attempt to damage our site or deny access to visitors. Bots that cannot behave themselves or respect our human visitors are not welcome at any of our sites.
- Content Scraper (127.0.0.5 or fdb4:6272:183f:95f2::5)
- This IP appears to be a bot or script specifically designed to harvest content. It differs from our Bad Spider/Bot classification in that it apparently exists specifically to harvest content from our site, most likely to repost elsewhere on the Internet. While we enjoy sharing out content with others, we do place restrictions on where, when, or even if it can be redistributed. We consider bots in this category to be tools specifically designed to violate our copyrights and thus they are unwelcome.
- w00tw00t.at.ISC.SANS.DFind (127.0.0.6 or fdb4:6272:183f:95f2::6)
- IPs flagged with this reason have made mysterious requests in the form of "GET /w00tw00t.at.ISC.SANS.DFind:)" or something similar. These always result in 404 (Not Found) errors since we do not have any such pages or scripts on our sites. The exact nature of these requests is still unclear, but most of the sources we've been able to find indicate that it is likely a DLink vulnerability scan looking for exploits. The inclusion of "ISC.SANS" has also been rumored to be a "reputation attack" against the Internet Storm Center at the SANS Technology Institute. Because of the nature of these requests, we assume the host making the request cannot be trusted and it is now our policy to block all IPs that make such requests.
- Forum/Comment/Wiki Spammer (127.0.0.7 or fdb4:6272:183f:95f2::7)
- This IP attempted to spam one or more of our sites. Spamming usually consists of leaving off-topic promotional comments or forum posts, often filled with links to other websites with the intent of raising search engine rankings. This includes comment spammers on our blogs, forum spammers attempting to spam the GPF Forum, and wiki spammers attempting to hide links on the GPF Wiki. Many of these spammers are blocked by our automated spam filters which check a number of trusted block lists. These filters search by IP and e-mail address (searching by user name results in too many false positives), and if either of these fields match the user that is trying to register is blocked and logged. It is now our policy to ban all IPs that are blocked by these filters to prevent future attacks.
- XML-RPC Attack (127.0.0.8 or fdb4:6272:183f:95f2::8)
- This is a very specific form of code injection and/or vulnerability scan that attacks known vulnerabilities in the XML-RPC protocol. The GPF site does not use XML-RPC, so attempts to access it always result in an error. However, we do host several blogs as well which include XML-RPC code, although it is not currently used. All IPs that attempt XML-RPC attacks are banned.
- Proxy Attempt (127.0.0.9 or fdb4:6272:183f:95f2::9)
- IPs in this category have attempted to use one of our servers as an HTTP or HTTPS proxy to access a third, unrelated server. While we recognize that there are legitimate uses for such tools, we do not use proxying internally so this service is turned off in all of our servers. Thus all attempts to use us as a proxy must come outsiders. In our experience, this is usually a means to redirect an attack on the third-party server and hide the original attacker's true location, making it appear that the attack originated from us. IPs that attempt to make proxy requests through our servers are banned.
- Code Injection (127.0.0.10 or fdb4:6272:183f:95f2::10)
- Suspicious Traffic (127.0.0.11 or fdb4:6272:183f:95f2::11)
- This IP generated traffic to one of our servers that, although we cannot prove it to be malicious, seemed very suspicious. The traffic did not look like normal traffic generated by a human or known search engine or spider. Suspicious IPs are often banned as a preventative measure and are more likely to be removed if the suspicious traffic can be proven to be benign.
- DMARC Violation (127.0.0.12 or fdb4:6272:183f:95f2::12)
- This is a special type of spam classification, in which the offending IP has attempted to send e-mail masquerading as one of our domains. However, the IP violates our DMARC ruleset: it is not one of the IPs listed in the domain's SPF record, nor is the message signed by our designated DKIM key. These IPs are unique in the GPF DNSBL in that the have not directly attacked our servers; rather, it is more of a reputation attack, since the spammer is attempting to send spam in our name. All IPs marked with this reason were reported to us by third-party e-mail providers sending us their DMARC reports.
This site and its contents are © Copyright 2011-2019, Jeffrey T. Darlington. All rights reserved. It is provided as a service to the Internet community at large and is for informational purposes only. This site and its owner cannot be held responsible for any actions taken by others based on the data contained herein.