I think I'm on the trail
| 7:30 pm on Nov 9, 2006 (gmt 0)|
I'm posting this here because I'd like more eyeballs on the problem if possible.
Someone requested help locating the PicScout image copyright crawler and I've dug up some data and hope someone else can confirm this activity on other servers, especially if you have a lot of photos.
Since there was NO information on the net about them, no user agent, nothing, I started with their domain name and where it was hosted.
|host picscout.com |
picscout.com has address 184.108.40.206
220.127.116.11.in-addr.arpa domain name pointer bzq-80-254-37.dcenter.bezeqint.net.
inetnum: 18.104.22.168 - 22.214.171.124
This led to a list of high-volume crawling from these IPs in that range that was trapped by my bot blocker automatically, and they never answered the challenges, so it was definitely bot traffic.
These IPs have only been spotted using the two following user agents:
|Mozilla/4.0 (compatible ; MSIE 6.0; Windows NT 5.1) |
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; (R1 1.1); .NET CLR 1.1.4322)
After posting that data on my blog, PicScout hit my site 5 times from this IP block:
|inetnum: 126.96.36.199 - 188.8.131.52 |
status: ASSIGNED PA
source: RIPE # Filtered
Anything anyone can confirm on either range of IPs would be great.
| 8:57 pm on Nov 13, 2006 (gmt 0)|
Anyone find anything similar?
| 9:24 pm on Nov 13, 2006 (gmt 0)|
I trapped 184.108.40.206 switching UAs back in August. I haven't seen any recent action from the 62.0.8.x range, or any others in the 82.80.249.x or 82.80.252.x ranges. The malformed NT 5.1 UA you posted would have been blocked at the door, though.
220.127.116.11 - - [09/Aug/2006:02:48:21 -0400] "GET / HTTP/1.1" 200 29019 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; (R1 1.1); .NET CLR 1.1.4322)"
18.104.22.168 - - [09/Aug/2006:02:48:23 -0400] "GET / HTTP/1.1" 200 29019 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"
22.214.171.124 - - [09/Aug/2006:02:48:24 -0400] "GET /logo.gif HTTP/1.1" 403 471 "-" "-"
Hopefully, someone with more traffic can contribute more/better info than I can.
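Added example, not part of any post in this thread: one way to flag the UA-switching pattern shown in the log excerpt above, by scanning Apache combined-format lines for a client IP that presents different User-Agent strings within a few seconds. The function names, the 10-second window and the sample lines (documentation addresses 192.0.2.0/24 and 198.51.100.0/24) are constructed for illustration; the two MSIE UA strings are the ones quoted in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Apache combined log format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse(line):
    """Return (ip, timestamp, user_agent), or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ip_address(m["ip"]), ts, m["ua"]

def find_ua_switchers(lines, watch_ranges=(), window=timedelta(seconds=10)):
    """Map each client IP that sent two different UAs within `window` to the
    set of UAs it used. If watch_ranges (CIDRs) is given, only those count."""
    nets = [ip_network(r) for r in watch_ranges]
    hits = defaultdict(list)
    for ip, ts, ua in filter(None, map(parse, lines)):
        if nets and not any(ip in n for n in nets):
            continue
        hits[ip].append((ts, ua))
    flagged = {}
    for ip, seen in hits.items():
        seen.sort()  # chronological order, then compare neighbouring requests
        for (t1, ua1), (t2, ua2) in zip(seen, seen[1:]):
            if ua1 != ua2 and t2 - t1 <= window:
                flagged[str(ip)] = {ua for _, ua in seen}
                break
    return flagged

# Constructed sample lines in the same format as the excerpt above.
SAMPLE = [
    '192.0.2.10 - - [09/Aug/2006:02:48:21 -0400] "GET / HTTP/1.1" 200 29019 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; (R1 1.1); .NET CLR 1.1.4322)"',
    '192.0.2.10 - - [09/Aug/2006:02:48:23 -0400] "GET / HTTP/1.1" 200 29019 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"',
    '192.0.2.10 - - [09/Aug/2006:02:48:24 -0400] "GET /logo.gif HTTP/1.1" 403 471 "-" "-"',
    '198.51.100.7 - - [09/Aug/2006:02:50:00 -0400] "GET / HTTP/1.1" 200 29019 "-" "Mozilla/5.0 (X11; Linux)"',
]

if __name__ == "__main__":
    for ip, uas in find_ua_switchers(SAMPLE).items():
        print(ip, sorted(uas))
```

Passing `watch_ranges` restricts the check to a suspect netblock, which keeps proxy and NAT addresses elsewhere from being flagged.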
| 11:29 pm on Nov 13, 2006 (gmt 0)|
Caught them harvesting in 4/06.
UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; (R1 1.1); .NET CLR 1.1.4322)
No traffic from the second -126.96.36.199-255
| 11:41 pm on Nov 13, 2006 (gmt 0)|
That one was blocked; they saw no pages. I used passive blocking so I can still track activity attempts. That was from 188.8.131.52, and I don't think that was them, but it was in the same general range, so who knows.
Other than that one IP, I think it sounds like we're on the right trail.
| 1:22 am on Nov 14, 2006 (gmt 0)|
|Other than that one IP, I think it sounds like we're on the right trail. |
As I have the majority of both RIPE and APNIC denied, any feedback from me would be useless.
deny from 62.
deny from 82.
(and many more).
That's my own choice and NOT for every webmaster.