#
# $Id: hostiles.txt 12287 2006-11-09 20:15:51Z cbiere $
#
# Hostile IP addresses, completely banned from the Gnutella network.
#
# We don't accept connections from those hosts, never connect to them,
# and drop their query hits on the floor without relaying them.
#
# The following list is a default, based on a list provided by BearShare.
# If you want to customize this list, put it into your ~/.gtk-gnutella
# directory and edit it. When hostiles.txt is present under that directory,
# the global list is ignored.
#
# This file may be changed whilst gtk-gnutella is running: it will notice
# the update and reload the file.
#

4.43.96.0/24
4.43.124.192/26
24.102.41.154
24.116.85.216
24.162.203.114
24.207.184.134
24.226.54.165
24.77.11.239
24.79.193.6
24.83.108.12
24.84.58.65
24.86.202.220
#38.118.0.0/16
#38.119.64.0/22
38.144.195.0/24
38.144.198.0/24
38.144.68.0/24
38.144.72.0/24
38.144.96.0/24
63.148.99.224/27
64.124.130.128/27
64.14.0.0/16
64.156.27.93
64.217.126.87
65.118.41.192/26
65.247.105.240/28
65.29.191.213
65.3.12.25
66.111.32.0/19
66.117.0.0/19
66.169.40.17
66.250.24.0/22
66.250.52.0/24
66.28.0.0/16
66.67.112.128
66.70.109.20
66.76.151.146
67.29.135.3
67.83.184.69
68.47.205.58
68.65.171.88
80.136.226.217
80.193.117.105
81.0.210.152
128.208.45.126
128.40.161.71
130.111.87.162
131.107.20.0/22
131.235.9.146
134.173.120.25
138.47.110.49
140.180.153.233
147.188.189.44
162.33.154.69
172.168.232.225
192.217.228.0/24
194.213.194.37
194.228.211.204
194.237.72.231
195.58.60.164
198.63.0.0/16
198.64.0.0/15
198.66.0.0/16
202.44.41.84
205.251.209.62
207.243.139.233
209.122.130.0/24
209.204.128.0/18
213.67.177.135
216.122.0.0/16
216.144.233.0/24

# Exodus Communications
64.37.192.0/18
64.209.128.0/20
64.210.192.0/19
167.216.232.0/21
209.67.0.0/16
209.143.224.0/20
209.202.128.0/18
216.109.64.0/19
216.104.224.0/19
216.177.64.0/19
216.182.192.0/19
216.219.96.0/20
216.32.0.0/14
216.74.128.0/18

###
### The following gathered by the gtk-gnutella team
###

# gtk-gnutella up to 0.94 handles CIDR notation WRONG!
# 66.186.39.0/26 -> 66.186.39.0/26
32.105.110.0/24

# Performance Systems International (PSI) is an extremely hostile range
# Macrovision has SmokeBlowers there; they poll GWebCaches etc. pp.
# There are certainly non-hostile hosts but it's not worth or possible to
# differentiate.
38.112.0.0/12
64.15.0.0/16
66.186.39.0/26

# hosted by WV FIBER LLC
66.186.194.192/26

# Media Sentry
64.124.145.0/25
66.250.46.0/24
66.250.47.0/25

# ServerBeach (Peer 1 network)
64.34.160.0/19

# Sound Control Media Protection, Ltd.
# Professional bots: "LimeWire/4.9.11 1.4 GiB 462 files"; purpose unknown
# The same ranges seem to contain bots which emit buzzword spam for
# audio files which are not downloadable but also executables.
64.71.160.0/27
64.71.162.64/27
64.71.164.128/27
64.71.178.160/27
65.19.134.160/27
65.19.142.32/27
65.19.154.160/27
65.19.176.32/27
66.160.128.192/27
66.220.2.224/27
66.220.3.192/27
66.220.6.64/27
66.220.11.64/27
66.220.12.0/24
66.220.26.128/25
209.51.160.0/19
216.66.0.0/18
216.218.128.0/17

# Surreal Host / Surreal Services
# obviously the same as Sound Control Media Protection
64.71.191.160/27

# Range at Peer1; seemingly also used by SCMP
69.90.119.128/27

# Range at FDC Servers.net, LLC, also used by SCMP
66.90.119.128/27

# Minnesota valley television
65.160.241.0/25

# DONet, Inc.
65.171.151.0/24

# Share dozens or hundreds of completely corrupted WMVs
67.18.128.0/24
67.18.129.0/24
67.18.213.0/24
67.19.6.0/24
67.19.8.0/24
205.177.73.0/24

# sBoOb.net, pr0n spammer
194.146.227.8

# cumfiesta, pr0n spammer
207.150.179.0/24

# goudkov.com, spammer
66.98.252.210
207.44.144.3
207.44.144.148

# Another DRM pr0n spammer
66.63.162.128/25

# Generic DRM pr0n spammer (mostly ASX files)
66.90.103.0/24
67.19.77.0/24
67.19.221.0/24
67.159.5.0/24
208.53.138.0/24
208.53.158.0/23

# DRM WMV pr0n spammer "Hollywood Interactive, Inc." using Mutella
# DRM header links to smutlounge dot com
64.27.0.0/19
216.240.128.48/28
216.240.128.64/30
217.115.128.48/29

# isaveclub.com AKA esaveclub.com AKA edirectclub.com
69.44.155.0/24
69.44.156.0/24
69.44.157.0/24
69.44.158.0/24

# hosted by voxel.net, massive spamming, uploaded file contains also GWebCache
# URLs and possibly a trojan, SHA1 match fails continuously
69.9.186.0/23
69.9.188.0/23
69.9.190.0/24

# hosted by net-sentry.net, suspicious GWebCache polling
69.26.174.0/24
69.26.191.0/24

# suspicious GWebCache polling
63.218.20.0/24
64.70.4.0/24
72.35.224.0/24
207.226.112.0/24

# The ranges below also upload corrupt/fake MP3s
216.152.250.192/26
72.35.231.64/26

# weasel.net, diverse GWebCache spamming/trashing
66.68.124.56

# Generic spammer, results don't even match query
70.85.111.0/24
70.86.48.0/24
70.86.75.0/24

# Generic pr0n spammer, adds search term to filenames (mostly WMVs)
63.243.162.0/27
63.243.181.0/27

# ZIP files containing setup.exe and small DRMed WMA files.
# Uses Shareaza; identifies as "Jironimo"; hosted by surfplanet.de
# results copy the query string adding diverse prefixes.
85.88.2.192/27
85.88.9.0/26

# Versatel; dynamic pool but keep them for a while anyway
89.246.53.174
87.122.23.75
87.122.147.34
87.122.158.215

# Does not identify as Jironimo but seems to be the same
85.176.167.202

# Spammer hosted by pie.us
# (Sansui Ltd. has 206.223.156.0/24)
206.223.156.128/26

# WMA-DRM spam; affiliated with artistdirect.com et al.
# hosted by Fastserve
66.172.60.0/24

# WMA-DRM spam; files are 99% compressible (zero-filled); filenames
# imitate scene releases; WMA header contains URL pointing to
# artistdirect.com. In other words, this is MediaDefender.
66.180.205.0/24

# DRM spam
63.246.153.64/28
64.40.98.106

# drmspace.com, 66103.vidlock.com
216.55.178.165

# vidlock.com
216.255.180.114
217.116.225.250
64.72.124.0/24
64.72.126.0/24

# getlaidquickly dot com; spam results for files which do not even exist;
# seemingly just an attempt to make the website well-known
38.99.20.0/23

# WMA-DRM spam; DRM URL links to intentmediaworks; giFT-based
63.216.80.0/24
205.177.5.0/24
205.252.3.0/24
206.161.30.0/24
207.176.42.0/24
207.226.148.0/24
209.8.0.0/24
209.9.79.0/24

# WMV spammer with over-sensitive buzzword sensor; fake LimeWire; giFT-based
38.96.5.128/26
38.100.232.193

# Gnucleus-based DRM WMV spammer hosted by GoDaddy
68.178.200.89
68.178.225.162

# DRM License server used by DRM WMV spam
216.93.188.81

# Spams DRM WMV files with license URL pointing to 68.178.225.162; filenames
# are bogus but are neither random nor matching the query. Examples are
# "basketball*wmv", "flytrain*wmv", "landing*wmv" etc. with variations in the
# trailing part like "_full-l", "part-l", "part-s" etc.; usually Gnucleus
64.182.136.130
64.151.98.36

# Same as above; DRM header links to 216.93.188.81; WhenU/SaveNow spam
206.51.230.2
206.51.230.176
206.51.230.180
66.232.104.0/24
66.232.111.196
66.232.112.62
66.232.112.128/26
66.232.118.0/27
66.240.254.18
72.21.50.90/31
61.129.51.119
61.129.251.204

# Gnucleus-based DRM WMV spammer hosted by HopOne
209.160.32.221
209.160.35.84
209.160.35.8
209.160.40.147

# Gnucleus-based DRM WMV spammer hosted by DMG Networks
209.165.244.242

# Gnucleus-based DRM WMV spammer hosted by CNAP; it's no typo, the IP
# addresses are really very similar
209.190.22.86
209.190.122.186

# DRM WMV spammer; license URL links to 209.190.122.186
68.178.144.112

# Gnucleus-based DRM WMV spammer hosted by ServerBeach/Peer-1
72.51.37.145
72.51.42.70
72.51.33.176

# Gnucleus-based DRM WMV spammer hosted by eNET
206.222.26.34
206.222.26.38

# Shareaza-based DRM WMV spammer hosted by Peer 1 (PEER1-CALYEUNG-*)
# The ranges are assigned to "Calvin Yeung". Servers host thousands of
# DRMed ASX and WMV files; all about 100KB large; files point to
# p2ptips dot com which is owned by the same person/organization.
64.34.248.160/27
65.39.185.240/28
65.39.195.64/27
66.199.142.0/26
66.199.142.224/28
69.28.230.192/27
69.90.74.0/25
69.90.216.64/26
69.90.242.64/26

# PEER1-NYCAT1AVLAN1-03; seemingly not part of PEER1-CALYEUNG-*
# but the servers are.
66.199.177.64/27

# Gnoozle; "sponsored results" exploiting a brain-dead LimeWire feature
# The SHA-1s are obviously faked and the files are not downloadable.
68.178.144.2
68.178.160.177
68.178.194.60
68.178.198.68
68.178.206.62
68.178.242.167
68.178.250.209
208.109.21.57
208.109.28.45
208.109.104.191
216.69.164.211

# lowth.com; www.lowth.com is a CNAME for lowth.no-ip.com
# Emits spam for .url files pointing to lowth.com which use frames
# to load an URL at Amazon.co.uk.
# requests to the root are double-redirected to Amazon.com
86.18.3.218

# A colo of lowth as it seems (port 6340). This idiot seriously needs to
# fix his download.pl though.
87.74.1.198

# Same as above but the primary source is a seemingly random address
# at port 80; these emit also unrequested results.
204.11.216.192/26
204.11.217.0/26
204.11.217.192/26
204.11.222.128/28
204.11.223.0/26

# Aggressively connecting; getting disconnected due to security violations
# Yes, this is Cisco Systems.
128.108.0.0/16

# Emits "WEIRD" results; not downloadable; bogus alt-locs; urn:none:; primary
# address is always at port 80 at its own /24.
#128.108.111.0/24

# Range belongs to Level 3; seems to be related to the peers by Cisco Systems
65.57.247.0/24
65.59.209.0/29

# Another range of Level 3; there are many buggy modded clients in these
# ranges probably engaged in sabotage
8.9.196.0/22

# swapexits.com; DRM license server
74.52.9.122

# DRM WMV pr0n spammer; filenames are all caps; license server is 74.52.9.122
88.85.65.130
88.85.65.175
88.85.66.128/25

# MOV pr0n spammer; giFT-based; results do not match queries at all;
# links to adultpeak dot com.
66.154.112.240/28
66.154.124.2/31
66.63.163.32/28
66.63.167.32/28
66.63.168.128/27
66.63.169.192/26
66.63.170.32/28
72.11.143.0/27
72.11.158.0/29
72.11.158.128/27
216.144.227.64/26
216.144.235.64/26
38.100.236.0/28
38.100.228.161

# MOV pr0n spammer; giFT-based; links to i2cams dot com.
204.69.64.0/18
65.240.96.251
69.45.227.0/28
69.45.229.0/26
65.37.226.0/27

# DRM WMV pr0n spammer; files link to videoaccesspoint dot com; giFT-based
64.45.229.50
65.221.229.56
69.45.233.2
204.69.113.9
204.69.114.9
204.69.119.132

# The one below identifies as "LemonWire"; spams for videoaccesspoint too
65.37.238.145

# DRM WMA spam without SHA-1s; the uploaded chunks are JPEGs;
# sends very weird HTTP responses:
#   HTTP 200 OK
#   Server: Gnucleus 1.8.4.0
#   Content-type:application/binary
#   Accept-Ranges: bytes
#   Content-Range: bytes=125197-649484/125197
#   Content-Length: 524288
#   X-Gnutella-Content-URN: urn:sha1:K4JPX22BKXHMEQOJR3FNCUF2DSSK2SHQ
#
67.159.21.0/27

# .exe spam from fake LimeWire; does not match query at all; giFT-based;
# spam is ubiquitous and shows up in *every single* search;
# "Free Game", "Hot Babes Screensavers", "Cute Puppies Screensavers" which
# is AdWare and/or a trojan horse. It is directly related to the
# "getlaidquickly" spam. Apparently Relevance Marketing LTD is the culprit.
67.55.65.20
67.55.65.92/30
67.55.74.180
69.42.74.68
216.255.178.18
216.130.182.228

# Above mentioned adware downloads executables from the following web servers
# puzzledesktop dot com
64.40.106.131
# relevancemarketingltd dot com
64.40.106.132
# a dot downloadmediacentral dot com
64.40.106.133
# sense-super dot com
64.40.106.135

# These belong to Relevance Marketing as well
64.72.123.100/30
64.72.123.104/30

# Shares over 10000 pictures with all names matching "_pic_1.jpg";
# The JPEGs show nothing but an URL at celebs dot deltaporn dot com on a white
# background; Shareaza; standard port
216.144.224.89

# DRM license server; PetaAd dot com
207.36.209.113

# Eros Digital Technologies and 3Xmarketing; WMV DRM spam; giFT-based
65.240.97.0/24
67.128.53.72/29
67.128.62.168/29

# Little Czech DRM WMV spammer with fake(?) Morpheus; results identify
# as LimeWire; uses port 80 and others; results have no SHA-1; filenames
# end with .wm instead of .wma or .wmv.
82.208.41.192/29
87.236.194.75
87.236.194.76/31
212.47.3.250

# pr0n MOV spammer with fake LimeWire; giFT-based
66.11.124.64/29

# fake movie spam; oversensitive to buzzwords; Gnucleus based; results are LIME
213.52.227.128/26

# MP3 spam (white noise); switches User-Agent on the fly during downloads
70.19.110.145

# MP3 spam; fake LimeWire; switches User-Agent on the fly during downloads
72.89.107.244

# pr0n spammer with ancient LimeWire 2.3.3 Pro; results have no SHA-1
# oversensitive buzzword sensor; standard port
63.246.140.16/28
66.232.96.74
66.232.96.162
66.232.99.34
66.232.99.186
66.232.99.218
38.100.229.105

# MOV spammer; adds dozens or hundreds of fake alt-locs; links to p2pblast com
# LimeWire-based
63.246.133.22
69.41.171.128/26
69.41.173.31
69.41.173.32/30
72.36.200.120/29
72.36.210.200/29
72.36.216.48/29
72.36.217.176/29
194.126.193.8/30
207.150.184.52/31
207.150.184.36/31

# Mutella-0.4.5 on port 6351 and others;
# Zipped DRM WMV spam and dialer
83.149.98.14
83.149.119.16/31
85.17.36.36
85.118.37.47
85.118.37.51
88.191.11.7

# giFT; belongs to the above Mutella peers
213.251.174.143

# BearShare; belongs to the above Mutella peers
213.251.185.126/31

# PDF spammer; uses Gtk-Gnutella; PDFs link to cyber-spy dot com
72.38.54.146
72.38.54.162

# University of Mississippi
130.74.0.0/16

# University of Delaware
128.175.0.0/16

# reserved range
79.79.55.0/24
114.46.32.0/24
116.108.101.0/24
165.193.220.0/24
167.216.144.0/24
206.251.8.0/25
207.234.131.147
207.234.131.148

# Macrovision Corporation, Inc. - Smokeblower Networks
# Extremely oversensitive buzzword spammers returning bogus results
64.92.245.0/24
64.92.246.0/23
209.10.214.0/24
209.11.121.0/24
209.11.134.0/24
209.11.141.64/26
209.11.141.128/26
209.11.142.0/23
209.193.136.96/27
209.195.16.0/24
209.195.58.192/26

# Strange client pool of Windoze(?) machines; they connect in hordes; most
# of them identify as LimeWire/4.0.5; Macrovision and Xeex are behind this.
63.219.21.0/24
63.220.57.0/24
63.216.76.0/24
154.37.66.0/24
204.193.134.0/24
204.193.136.0/24
205.134.238.0/23
207.171.61.0/25
208.49.28.0/24
209.10.143.0/24
212.71.252.0/24
216.151.154.0/23
216.151.156.0/23

# This is supposedly on a dynamic range but it's a very interesting catch.
# It's listening on the standard port. It's a fake LimeWire that responds with
# a Gnutella handshake no matter what was sent. It passes completely bogus
# addresses. Its job is either wasting resources or sniffing. It is also
# actively connecting to other nodes.
# "The Hinshelwood Building, Edmund Halley Road, Oxford Science Park"
85.210.156.0/24
81.179.85.0/24

# The one below was first caught but might be outdated by now.
81.179.74.0/24

# This one seems to belong to these; it emits results for fake audio and
# video files; switches GUID
64.248.219.196

# Time Warner Telecom
64.128.109.144/28
66.162.178.96/28
168.215.129.64/27
168.215.140.0/23
206.169.0.0/16
207.170.229.96/28
209.163.179.112/29
209.203.64.0/18
216.110.48.48/29

# fsh1.xcite.net and fsh2.xcite.net, reply to queries with $search + .exe
216.169.118.81
216.169.118.82

# GWebCache polling, dubious horde behaviour
204.9.117.0/24
204.9.118.0/24

# Overpeer, Inc
64.89.41.0/24
66.128.64.0/21
66.128.227.0/24
206.132.32.0/24
216.144.64.0/24
216.177.144.0/20

# Tacskill Hill
64.27.173.0/24
66.37.204.0/24
216.64.199.64/27
216.227.226.0/24

# Mindofteren
64.28.69.0/24
64.58.71.192/27
64.58.75.160/27
64.58.84.0/24
64.70.43.0/24
209.225.45.0/24

# Jomcaerten Co.
64.28.67.0/24
64.28.80.32/27
66.37.194.128/27
66.37.195.32/27
66.37.196.0/24
66.37.210.192/27
66.119.47.0/24
216.19.129.0/24
216.64.204.160/27

# Whailtracts
64.28.85.0/24
209.225.43.224/27
216.64.217.224/27
216.69.229.0/24

# Adult Xspace
69.50.160.0/19

# Spamming subnets from Cogent Communications
216.28.31.0/24

# Suspicious spamming ranges from Abovenet
64.124.113.0/24
64.124.15.0/24

# Suspicious individual IP addresses serving fakes
# From Abovenet:
64.124.58.153

###
### The following come from an htaccess denying RIAA/MPAA access
###

12.150.191.0/24
63.199.57.0/24
64.166.187.0/24
64.241.31.0/24
65.244.101.0/24

# Interland
64.224.0.0/14

# Hostway Corporation
66.113.128.0/17

# WareNet
66.252.128.0/20
67.112.252.0/24
67.125.49.0/24
81.4.78.0/24
146.82.174.0/24

# Motion Picture Association (fr)
194.183.226.144/29
194.183.226.192/27
195.20.32.99
198.70.114.0/24

# Motion Picture and Television Fund
204.154.8.0/21
208.192.0.0/16
208.207.98.25
208.209.2.0/24
208.225.90.0/24
208.229.253.0/24
208.49.164.0/24
208.50.66.0/24
212.241.48.0/24

# Quibus International AB -- subnet used by rogue agents (e.g. advertise
# as LimeWire in hits, and when connected, they send User-Agent: Gnucleus).
# They seem to be using giFT now. Their spam includes URL files but also MP3s,
# DRMed WMA and even OGGs that have been messed with (constantly fade
# in/out). These peers seem to maintain a massive amount of connections. The
# URL files link to serv01.quibus.se.
212.209.1.0/24
212.209.34.128/28

# Elemental Codeworks Inc; LimeWire; nodes share thousands of aliases of a
# couple of almost identical MOV files (adult.mov) which is about 8 MB large;
# these files link to bang hyphen sluts dot com.
64.59.71.168/31
64.59.72.174/31
64.59.122.34
64.72.117.237
64.72.118.3
64.72.118.4/31
64.72.118.83
64.72.118.86
64.111.196.214
65.38.163.52
65.38.163.60/31
208.122.192.13
208.122.192.208
216.17.100.198

# Open Proxies
24.239.248.21
61.90.250.15
61.222.62.106
62.69.44.15
62.212.101.13
62.248.110.2
63.89.11.236
65.19.238.130
66.47.217.98
66.134.252.243
66.208.201.37
67.120.207.242
68.224.171.7
70.48.100.241
80.50.24.10
80.108.145.79
80.191.114.13
81.115.229.202
83.16.91.210
138.4.183.221
140.121.135.20
148.243.214.14
163.20.121.66
166.114.30.40
192.195.100.42
193.170.210.9
193.170.211.75
195.175.37.38
195.175.37.71
195.175.37.73
195.175.37.74
200.39.103.224
200.167.245.68
200.180.129.218
200.216.61.154
200.253.46.2
202.47.233.234
202.56.253.177
203.144.160.243
203.169.250.29
203.200.201.114
207.248.240.118
207.248.240.119
209.88.8.182
210.212.79.14
210.240.77.6
211.138.91.30
212.0.138.14
213.175.169.2
213.175.181.5
217.27.162.57
218.94.61.136

# Fakes User-Agent randomly for each connection; uploads noisy
# MP3 files using an extremely aggressive buzzword filter.
216.58.72.33