homepage Welcome to WebmasterWorld Guest from 184.72.184.104
register, login, search, subscribe, help, library, PubCon, announcements, recent posts, open posts,
Subscribe to WebmasterWorld

Visit PubCon.com
Home / Forums Index / WebmasterWorld / Website Analytics - Tracking and Logging
Forum Library : Charter : Moderators: Receptional & mademetop

Website Analytics - Tracking and Logging Forum

    
ff-in-fNN.google log entries
legit or not?
arnarn




msg:3731640		 4:28 pm on Aug 26, 2008 (gmt 0)

We've recently seen log entries such as

ff-in-f84.google.com - - .. "GET /#*$!x... HTTP/1.1" ..."Mozilla/5.0 (compatible; Google Keyword Tool;+https://adwords.google.com/select/KeywordToolExternal)"

They're now appearing every 7 minutes (approx) and get the same page each time.

Using netstat, we can see the "equivalent" IP 66.249.85.84 and when we check out that IP, we find the following information:

Reverse DNS: ff-in-f84.google.com.
Reverse DNS authenticity: [Could be forged: hostname ff-in-f84.google.com. does not exist]
ASN: 15169
ASN Name: GOOGLE
IP range connectivity: 1
Registrar (per ASN): ARIN

Should we assume that the ff-in-f84.google.com access is not legit?

I've seen references to ff-in-fNN.google elsewhere in WW, such as in the AdWords forum, but cannot find where anybody has categorically ruled out that these are really coming from Google. Maybe this one is not legit and others of similar syntax are legit?

 

Receptional Andy




msg:3731813		 7:04 pm on Aug 26, 2008 (gmt 0)

If the IP is assigned to Google, it's almost certainly authentic, except in a small number of cases where the connections may be through a proxy at Google. The reverse DNS error just means that Google haven't configured things properly (66.249.85.84 = ff-in-f84.google.com but ff-in-f84.google.com != 66.249.85.84).

See also the thread below on the same UA and similar IP range:

Is this legitimate Google [webmasterworld.com]

arnarn




msg:3731847		 7:42 pm on Aug 26, 2008 (gmt 0)

Thanks for the info and related link.

If this is a legit access, why would we see the same log entry (same page request) coming in every 6-7 minutes?

Not that it's related, but we recently implemented rewrites (301's) to use new simplified url convention and the page that is constantly being pulled is one of those that go thru a re-write AND it uses an option in the query string that indicates its from an AdWords campaign.

g1smd




msg:3731926		 9:17 pm on Aug 26, 2008 (gmt 0)

The IP address 66.249.85.nnn is related to the named GFE-FF datacentre.

The f84- in your URL does match the .84 in the final octet of the IP address.

However, that datacentre stopped being available for search over a year ago. It looks like some other services still reside on servers elsewhere within that Class-C block.

Who or what was accessing your site is unknown to me, but the access came from Google, or from someone using a tool hosted at Google (whether that person was at the GooglePlex, or elsewhere in the world, is also unclear).

See also: [webmasterworld.com...]

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / WebmasterWorld / Website Analytics - Tracking and Logging
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About
WebmasterWorld ® and PubCon ® are a Registered Trademarks of Pubcon Inc.
© Pubcon Inc. 1996-2012 all rights reserved