homepage Welcome to WebmasterWorld Guest from 54.242.126.9
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member
Home / Forums Index / Search Engines / Search Engine Spider and User Agent Identification
Forum Library, Charter, Moderators: Ocean10000 & incrediBILL

Search Engine Spider and User Agent Identification Forum

    
Hunting Picscout
i think i'm on the trail
incrediBILL

WebmasterWorld Administrator incredibill us a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



 
Msg#: 3151673 posted 7:30 pm on Nov 9, 2006 (gmt 0)

I'm posting this here because I'd like more eyeballs on the problem if possible.

Someone requested help locating the PicScout image copyright crawler and I've dug up some data and hope someone else can confirm this activity on other servers, especially if you have a lot of photos.

Since there was NO information on the net about them, no user agent, nothing, I started with their domain name and where it was hosted.

host picscout.com
picscout.com has address 82.80.254.37

host 82.80.254.37
37.254.80.82.in-addr.arpa domain name pointer bzq-80-254-37.dcenter.bezeqint.net.

inetnum: 82.80.248.0 - 82.80.255.255
netname: BEZEQINT-HOSTING
descr: BEZEQINT-HOSTING
country: IL

This led to a list of high volume crawling from these IP's in that range that was trapped by my bot blocker automatically and they never answered the challenges, so it was definitely bot traffic.

82.80.249.195
82.80.249.196
82.80.249.197
82.80.249.201
82.80.249.202
82.80.249.203
82.80.249.204
82.80.252.130

These IPs have only been spotted using the two following user agents:

Mozilla/4.0 (compatible ; MSIE 6.0; Windows NT 5.1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; (R1 1.1); .NET CLR 1.1.4322)

After posting that data on my blog, PicScout hit my site 5 times from this IP block:

inetnum: 62.0.8.0 - 62.0.8.255
netname: NV-PICSCOUT
descr: NV-PICSCOUT
country: IL
admin-c: OG570-RIPE
tech-c: NN105-RIPE
status: ASSIGNED PA
mnt-by: NV-MNT-RIPE
mnt-lower: NV-MNT-RIPE
source: RIPE # Filtered

Anything anyone can confirm on either range of IPs would be great.

 

incrediBILL

WebmasterWorld Administrator incredibill us a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



 
Msg#: 3151673 posted 8:57 pm on Nov 13, 2006 (gmt 0)

Anyone find anything similar?

Anyone?

Anything?

jdMorgan

WebmasterWorld Senior Member jdmorgan us a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 3151673 posted 9:24 pm on Nov 13, 2006 (gmt 0)

I trapped 82.80.249.193 switching UAs back in August. I haven't seen any recent action from the 62.0.8.x range, or any others in the 82.80.249.x or 82.80.252.x ranges. The malformed NT 5.1 UA you posted would have been be blocked at the door, though.

82.80.249.193 - - [09/Aug/2006:02:48:21 -0400] "GET / HTTP/1.1" 200 29019 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; (R1 1.1); .NET CLR 1.1.4322)"
82.80.249.193 - - [09/Aug/2006:02:48:23 -0400] "GET / HTTP/1.1" 200 29019 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"
82.80.249.193 - - [09/Aug/2006:02:48:24 -0400] "GET /logo.gif HTTP/1.1" 403 471 "-" "-"

Hopefully, someone with more traffic can contribute more/better info than I can.

Jim

fiestagirl

10+ Year Member



 
Msg#: 3151673 posted 11:29 pm on Nov 13, 2006 (gmt 0)

Caught them harvesting in 4/06.
UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; (R1 1.1); .NET CLR 1.1.4322)
82.80.249.193-203

No traffic from the second -62.0.8.0-255

incrediBILL

WebmasterWorld Administrator incredibill us a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



 
Msg#: 3151673 posted 11:41 pm on Nov 13, 2006 (gmt 0)

malformed NT 5.1 UA

That one was blocked, they saw no pages, I used passive blocking so I can still track activity attempts. That was from 82.80.252.130 and I don't think that was them, but it was in the same general range so who knows.

Other than that one IP, I think it sounds like we're on the right trail.

wilderness

WebmasterWorld Senior Member wilderness us a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



 
Msg#: 3151673 posted 1:22 am on Nov 14, 2006 (gmt 0)

Other than that one IP, I think it sounds like we're on the right trail.

Bill,
As I have the majority of both RIPE and APNIC denied any feed back from me would be useless.

I utilize:

deny from 62.
deny from 82.

(and many more).

That's my own choice and NOT for every webmaster.

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Search Engines / Search Engine Spider and User Agent Identification
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved