Msg#: 4582370 posted 7:54 pm on Jun 8, 2013 (gmt 0)
Met this under the "indexphp botnet" header (a group I can only identify after-the-fact by behavior pattern):
220.127.116.11 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4
As of a few months ago, the range 18.104.22.168/18 was unassigned. It's now 22.214.171.124/18 MailChimp (dunno who they are, but they sure don't sound like a likely source of human traffic) and 126.96.36.199/18 PegTech
The latter name brings up vague mental associations of the not-good variety. Closer investigation turns up two other PegTech ranges involving the same botnet -- each of them alongside a subrange registered in China. Is this one of those "never met a customer they didn't like" hosts?
Msg#: 4582370 posted 12:02 am on Jun 10, 2013 (gmt 0)
MailChimp may not sound like a legit source of traffic, but neither did MailRU when it first came on the scene. That's not to say MailChimp isn't monkeying around, just that it probably needs further investigation.
Don't know anything about PegTech except they're a server farm and bad behavior has come from their ranges enough times for me to ban them. So far these are the PegTech ranges I have:
Msg#: 4582370 posted 7:02 pm on Jun 10, 2013 (gmt 0)
Mailchimp, to me, is a mailing list provider that sometimes sends me spam - not necessarily their fault, lots of mailing list servers do. :( To my mind, though, mail servers of any kind should not be accessing web sites, either on their own or as a customer proxy.
DNS says the range was registered 17 April. Thanks for the heads-up. Now blocked.
I have a note against my December 2012 database entry for 188.8.131.52/20 that PegTech leases at least some of the range to China.
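As an added illustration (not any poster's own code), here is a Python pass over constructed combined-format access log lines that flags the two things this thread acts on: requests from banned hosting-provider ranges, and the "index.php plus stale desktop Chrome UA" behaviour pattern. The ranges are RFC 5737 placeholders and the UA fragment used as the signature is an assumption.

```python
import ipaddress
import re

# Constructed placeholder ranges standing in for the provider blocks the thread
# bans (RFC 5737 documentation space, not the thread's own values).
BANNED_RANGES = [ipaddress.ip_network(c) for c in ("192.0.2.0/24", "198.51.100.128/25")]
# The thread's behavioural tell: a hit on index.php from a stale desktop Chrome
# build. Treating this UA fragment as the signature is an assumption.
STALE_CHROME_UA = re.compile(r"Chrome/22\.0\.")
# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def reasons_for(entry):
    """Why a parsed request matches the thread's patterns (empty list = clean)."""
    reasons = []
    try:
        ip = ipaddress.ip_address(entry["ip"])
    except ValueError:
        return ["unparseable_ip"]
    if any(ip in net for net in BANNED_RANGES):
        reasons.append("banned_range")
    path = entry["path"].split("?", 1)[0]  # ignore the query string
    if path.endswith("index.php") and STALE_CHROME_UA.search(entry["ua"]):
        reasons.append("indexphp_pattern")
    return reasons

def scan(lines):
    """(ip, reasons) for every line that matches at least one rule."""
    hits = []
    for entry in filter(None, map(parse_line, lines)):
        reasons = reasons_for(entry)
        if reasons:
            hits.append((entry["ip"], reasons))
    return hits

# Constructed sample log lines (documentation addresses, invented timestamps).
SAMPLE_LOG = [
    '192.0.2.45 - - [08/Jun/2013:19:54:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"',
    '203.0.113.9 - - [08/Jun/2013:19:55:12 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:21.0) Gecko/20100101 Firefox/21.0"',
    '203.0.113.77 - - [08/Jun/2013:19:56:30 +0000] "GET /index.php?id=3 HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"',
]
```

Running `scan(SAMPLE_LOG)` flags the first line on both rules and the third on the behaviour pattern alone, which is the "identify after the fact, then ban the range" workflow the posters describe.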