UA impersonator

keyplyr

8:56 am on Dec 18, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

Is anyone familiar with: 209.247.193.211

It kept changing UAs from:
Inktomi
Mac Finder
WISEnut
Fun Web Products
Mozilla...
or no UA at all.

It took 90 pages before I caught it and banned it.
Acted like an email harvester, yeah?

dcrombie

9:53 am on Dec 18, 2003 (gmt 0)

That IP is owned by Level3 which means that any number of people could be using it - not sure about Inktomi and WISENut though...

keyplyr

4:52 am on Dec 19, 2003 (gmt 0)

...any number of people could be using it

What does that mean?

I'm now blocking this IP because I think that it is an email harvester or other type of bad guy. I was seeing many different UAs from this IP, one right after the other in a close time frame, leading me to believe that these UAs were being spoofed in order to harvest files.

Are you saying that by blocking this IP, I am in fact blocking many, many different users? Or are you saying that Level 3 issues its assigned IP numbers to various users and this bad behavior could be from anyone?

Thanks

dcrombie

11:02 am on Dec 19, 2003 (gmt 0)

Level3 own the Class "B" IP block 209.244.0.0/14

A number of those IPs will be dial-up modems where users are assigned a different address every time they connect. That would explain a changing UA for an IP address as different users would be allocated the same IP address over time.

If the changes are in a _really_ short time (like minutes) then it could be the IP address of some kind of proxy server...

It's highly unlikely that the same user would show up as both EmailSiphon (a known spambot) and WiseNUT (a legitimate search engine spider).

<edit: substitute Mac Finder for EmailSiphon>

keyplyr

6:38 pm on Dec 19, 2003 (gmt 0)

209.247.193.211 - - [19/Dec/2003:08:18:52 -0800] "GET /some-page.html HTTP/1.0" 403 559 "-" "Mozilla/5.0 (Slurp/cat; slurp@inktomi.com; h*tp://www.inktomi.com/slurp.html)"
209.247.193.211 - - [19/Dec/2003:08:28:41 -0800] "GET /some-page.html HTTP/1.0" 403 559 "-" "Mozilla/4.0 (compatible; grub-client-1.5.3; Crawl your own stuff with h*tp://grub.org)"
209.247.193.211 - - [19/Dec/2003:08:35:11 -0800] "GET /some-page.html HTTP/1.0" 403 559 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; DP1000)"

Thanks - sure are a lot of different UAs using this one IP. This is a snippet from over 200 hits in a one hour period this morning, with maybe 20 to 30 different UAs. Some of the UAs are known bad agents, i.e. Mac Finder, etc. But on the chance I am blocking legitimate users, I am taking down the block for now.
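A log check along the lines dcrombie and keyplyr describe, added here as an example (it is not code from the thread): it parses combined-format lines like the ones posted above and flags an address only when several distinct UAs appear from it within a short window, so slow dial-up address churn spread over days is left alone. The 192.0.2.10 lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format, as in the lines keyplyr posted.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, user_agent), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["ua"]

def rotating_ua_ips(lines, window_minutes=60, min_agents=3):
    """Map IP -> sorted UAs for every IP that shows >= min_agents distinct UAs
    inside some window_minutes span; hits spread over days are not flagged."""
    hits = defaultdict(list)
    for line in lines:
        if parsed := parse_line(line):
            ip, ts, ua = parsed
            hits[ip].append((ts, ua))
    flagged = {}
    for ip, events in hits.items():
        events.sort()  # chronological, so each window starts at one hit
        for i, (start, _) in enumerate(events):
            agents = {ua for ts, ua in events[i:]
                      if (ts - start).total_seconds() <= window_minutes * 60}
            if len(agents) >= min_agents:
                flagged[ip] = sorted(agents)
                break
    return flagged

SAMPLE_LOG = [
    # The three lines from the post above.
    '209.247.193.211 - - [19/Dec/2003:08:18:52 -0800] "GET /some-page.html HTTP/1.0" 403 559 "-" "Mozilla/5.0 (Slurp/cat; slurp@inktomi.com; h*tp://www.inktomi.com/slurp.html)"',
    '209.247.193.211 - - [19/Dec/2003:08:28:41 -0800] "GET /some-page.html HTTP/1.0" 403 559 "-" "Mozilla/4.0 (compatible; grub-client-1.5.3; Crawl your own stuff with h*tp://grub.org)"',
    '209.247.193.211 - - [19/Dec/2003:08:35:11 -0800] "GET /some-page.html HTTP/1.0" 403 559 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; DP1000)"',
    # Constructed: a dial-up address reused by different users on different days.
    '192.0.2.10 - - [17/Dec/2003:09:01:00 -0800] "GET / HTTP/1.0" 200 1024 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"',
    '192.0.2.10 - - [18/Dec/2003:21:40:12 -0800] "GET / HTTP/1.0" 200 1024 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US) Gecko/20031007"',
    '192.0.2.10 - - [19/Dec/2003:12:05:33 -0800] "GET / HTTP/1.0" 200 1024 "-" "Opera/7.23 (Windows NT 5.1; U)"',
]

if __name__ == "__main__":
    print(rotating_ua_ips(SAMPLE_LOG))
```

Tighten window_minutes to see how the three posted hits (17 minutes apart end to end) stop qualifying, which is the judgement call dcrombie raises about proxies versus churn.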