Note AWS-related prefix below --
= "Stellar.io is a domain controlled by four domain name servers at awsdns-22.org, awsdns-63.net, awsdns-09.com and awsdns-40.co.uk." [robtex.com...]
Noteworthy: awsdns- (Includes employee pet sites/projects?)
Got hits from shopwiki bot today, looking genuine but from an AWS range.
UA: ShopWiki/1.0 ( +http://www.shopwiki.com/wiki/Help:Bot)
If this is genuine then goodbye shopwiki.
I allowed them for a while since I do sell products, but they were crawling the entire site every day of the week, so I now stop them at robots.txt.
So far Shopwiki has always obeyed the deny in robots.txt.
dstiles - one of the (many) irritating dynamics of AWS is the unaccountability. I'm interested in how you would confirm this is a valid Shopwiki bot if coming from an AWS range?
You're right, but I did say "looking genuine" and "if this is genuine". Without a proper rDNS I cannot be sure it's valid except for the crawl pattern, which looks as extensive as others.
My own findings are that shopwiki does not always give a proper rDNS. Of three ranges I get bots from, only one seems to resolve and that is their acknowledged IP range. Two that do not are in Hurricane and XO ranges; they seem to work as expected and not as forgeries.
Yes, the bot crawls every day, as do other SEs that have the capacity (G, B etc). The proper way is to change the cache header times (expire and cachecontrol) from (eg) 24 hours to 240 hours. That should fix the problem. If not, ask the SE why not (NB: it may still crawl to check the timing but should be happy with the header and not reload the complete page.
The above is partly conjectural for SEs as my sites all ask for 24 hour refresh periods. Does anyone have further onfo on this?
FWIW... Baby-botnet bedfellows:
126.96.36.199 <= S. Korea: Threat 22: [projecthoneypot.org...]
188.8.131.52 <= Taiwan: Threat 21 [projecthoneypot.org...]
184.108.40.206 <= Slovakia: Threat 27 [projecthoneypot.org...]
ec2-50-19-13-173.compute-1.amazonaws.com <= Threat 26 [projecthoneypot.org...]
Faked UA of choice today:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts; .NET CLR 1.1.4322; PeoplePal 6.2)
This just in... Kindle Fire's Silk hit html files, graphics, and favicon from amazonaws.com AND, seconds later, from Comcast: [webmasterworld.com...]
I reckon this is G spoofery:
I don't understand the connections, but thought I'd report in because of the surprise tie-in(s) I found after noting a hit from a .zae.cc domain:
= 220.127.116.11/16 Amazon IAD prefix
You'll see that IP and many, many, many more via this extensive (albeit based in Turkey) eye-opener --
Sites published on ISP: Amazon.com, Inc. (598) [livepageranks.com...]
(imagine the data Amazon AWS gets a crack at from hosting all those!)
-- including aggressive Twitter-swarmer bot-runner "paper.li", as in:
Mozilla/5.0 (compatible; PaperLiBot/2.1; httpt://support.paper.li/entries/20023257-what-is-paper-li)
Same-second hits from:
Quora Link Preview/1.0 (http://www.quora.com)
More details in the just-posted "Quora Link Preview" [webmasterworld.com...]
UA: SkimBot/1.0 (www.skimlinks.com <email@example.com>)
Coming from these AWS ranges:
New (to me) Amazon range, registered September 2011...
NetRange: 18.104.22.168 - 22.214.171.124
Comment: The activity you have detected originates from a dynamic hosting environment.
Single hit today from bot calling itself linkdex.com/v2.0. No idea about robots.txt without delving deeper. Page was an unusual mid-site one.
Thanks dstiles, I didn't have that range.
1.) Name change. Note space before closing paren:
SkimBot/1.0 (www.skimlinks.com )
That was from AWS CIDRs:
2.) 'Nother bot (126.96.36.199/16 again):
2.) 'Nother bot (188.8.131.52/16 again):
I use a wider ban:
184.108.40.206 - 220.127.116.11
Speaking of wider bans... Recently I spent some time tracking (the) Amazon back to its sources. With help from robtex [robtex.com...] --
## u1.amazonaws.com; [robtex.com...]
deny from 18.104.22.168/24
## u2.amazonaws.com; [robtex.com...]
deny from 22.214.171.124/24
## u3.amazonaws.com / u3.amazonaws.info; [robtex.com...]
## u3.amazonaws.info and u3.amazonaws.com point to 126.96.36.199. Amazonaws.info, amazonaws.org, amazonaws.com, geo.amazonaws.com, compute-1.amazonaws.com and at least six other hosts use 188.8.131.52 as a name server
deny from 184.108.40.206/24
## u4.amazonaws.com; [robtex.com...]
deny from 220.127.116.11/24
## u5.amazonaws.com / u5.amazonaws.org; [robtex.com...]
deny from 18.104.22.168/24
## u6.amazonaws.com / u6.amazonaws.org; [robtex.com...]
deny from 22.214.171.124/24
Just more drops in the literally world-wide AWS bucket.
Interesting Pfui. AWS may be buying up unused D ranges all over.
And they're infected all over. Literally:
IP Location: Singapore Bedok Amazon Web Services Elastic Compute Cloud Ec2 Sg
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.00
Project Honey Pot Threat Rating 26 as of this writing:
= 126.96.36.199 [projecthoneypot.org...]
= .mapmyindia.com [robtex.com...]
Mozilla/5.0 (TREC-KBA-Bot http://www.mit.edu/~jrf/knowledge-base-acceleration/bot/)
Two hits in one sec. UA info is a dead-end. One dir up has info but not about bot.
This same Host came through twice, hours apart, so it may be dedicated. Note the exact UA that appears in logs, backslashed/escaped quotes and all:
\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7\"
In a word: Idiotic.
And now one with no UA and a faked instapaper'esque-service referrer. Hard to say who/what's doing what:
Fake REF: Magazinify - Daemon
Hit from a new (to me) Amazon range today:
Amazon Ireland (IE)
Various sub-ranges registered to FR and NL.
No indication in DNS records that this is cloud but the hit I received was from 88.208.193.nnn (Fasthosts dedicated servers) using an Amazon IP as a proxy. Amazon range appears to be named servers. No obvious registration dates.
Chacking further: I had the range 188.8.131.52/17 blocked as being Amazon but not the first half.
And another EC2, registered last August, updated four weeks ago, first hit today with the UA:
184.108.40.206 - 220.127.116.11
Are they ever going to stop?
|Are they ever going to stop? |
perhaps when hell freezes over.
I don't think they issue weather forecasts for that place. :(
Fresh from the press
GSLFbot - 18.104.22.168
robots.txt : yes
Couldn't find itself (first visit, what did it expect?)
Went on to the home page where it got a 403, all Amazon ranges are blocked
I didn't "heads up", because there was some recent discussion of the IP Range:
22.214.171.124 - - [01/Apr/2012:14:31:35 +0100] "GET /robots.txt HTTP/1.1" 200 2536 "" "GSLFbot"
126.96.36.199 - - [01/Apr/2012:14:31:35 +0100] "GET / HTTP/1.1" 301 234 "" "GSLFbot"
188.8.131.52 - - [01/Apr/2012:14:31:35 +0100] "GET / HTTP/1.1" 403 533 "" "GSLFbot"
I've been getting hammered on several site by this GSLF bot, it has a lot of IP's, they keep changing.
I have been using quick deny on my server to block the IP's individually but this is taking too much of my time.
How can I block the user agent GSLF? I think it ignores robots.
Is this the best way to block, meaning by blocking the user agent?
Block every IP range belonging to Amazon. That's what many of us here are doing and it blocks a LOT of bots. You can find all the ranges we know about in this thread.
|Block every IP range belonging to Amazon |
Are you guys just blocking using IP Deny in shared hosting or quick deny in the Firewall on a VPS server?
About the ranges, is /24 the one that includes the entire range?
I see some people using /18, /15..etc?
| This 88 message thread spans 3 pages: < < 88 ( 1  3 ) > > |