We've recently seen log entries such as:
ff-in-f84.google.com - - .. "GET /#*$!x... HTTP/1.1" ..."Mozilla/5.0 (compatible; Google Keyword Tool;+https://adwords.google.com/select/KeywordToolExternal)"
They're now appearing every 7 minutes (approx) and get the same page each time.
Using netstat, we can see the "equivalent" IP 188.8.131.52 and when we check out that IP, we find the following information:
Reverse DNS: ff-in-f84.google.com.
Reverse DNS authenticity: [Could be forged: hostname ff-in-f84.google.com. does not exist]
ASN Name: GOOGLE
IP range connectivity: 1
Registrar (per ASN): ARIN
Should we assume that the ff-in-f84.google.com access is not legit?
I've seen references to ff-in-fNN.google elsewhere in WW, such as in the AdWords forum, but cannot find where anybody has categorically ruled out that these are really coming from Google. Maybe this one is not legit and others of similar syntax are legit?
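Added example, not part of the original post: a forward-confirmed reverse DNS check, the test behind the lookup tool's "Could be forged" line above. The suffix list and the resolver tables are assumptions constructed for illustration; only the first table entry uses the IP and hostname quoted in the post.

```python
import socket

# Assumption for this example: suffixes accepted as the claimed operator's names.
TRUSTED_SUFFIXES = (".google.com", ".googlebot.com")

def system_ptr(ip):
    """Reverse (PTR) lookup through the system resolver; None if absent."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(host):
    """Forward lookup (IPv4 only) through the system resolver."""
    try:
        return set(socket.gethostbyname_ex(host)[2])
    except OSError:
        return set()

def verify_client(ip, ptr=system_ptr, forward=system_forward):
    """Classify a client IP by forward-confirmed reverse DNS."""
    host = ptr(ip)
    if not host:
        return "no-ptr"
    host = host.rstrip(".").lower()
    if not host.endswith(TRUSTED_SUFFIXES):
        return "ptr-outside-domain"
    addrs = forward(host)
    if not addrs:
        return "forward-missing"    # PTR names a host that does not resolve
    if ip not in addrs:
        return "forward-mismatch"   # name resolves, but to other addresses
    return "confirmed"

# Constructed resolver data so the example runs offline. Only the first entry
# mirrors the post (PTR present, forward lookup fails); the rest are invented.
PTR = {
    "188.8.131.52": "ff-in-f84.google.com.",
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com.",
    "198.51.100.7": "google.com.host.example.",
    "203.0.113.5": "cache.google.com.",
}
FWD = {
    "crawl-192-0-2-10.googlebot.com": {"192.0.2.10"},
    "cache.google.com": {"203.0.113.99"},
}

def check_samples():
    # Inject the constructed tables in place of live DNS; last IP has no PTR.
    return {ip: verify_client(ip, PTR.get, lambda h: FWD.get(h, set()))
            for ip in list(PTR) + ["192.0.2.200"]}
```

Calling `verify_client(ip)` with no resolver arguments runs the same classification against live DNS. A "forward-missing" result means the name is unconfirmed by DNS alone, so other evidence (such as the address owner) still has to be weighed.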