Welcome to WebmasterWorld Guest from

Forum Moderators: DixonJones & mademetop

Message Too Old, No Replies

Is this a bot? Can I block it?

Suspected bot identifies itself as MSIE 7.0

3:00 pm on Feb 5, 2008 (gmt 0)

New User

5+ Year Member

joined:Feb 5, 2008
posts: 2
votes: 0

I have a new website that gets an average of 3-4 real visits a day, plus numerous legitimate bot (Google, Yahoo, MSN etc.) vists.

Given the low traffic, one "visitor" stands out as unusual.

This visitor identifies itself as:

"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"

Each day it visits, starting with a "/" URI, then it fetches another dozen or so pages at the rate of 3-4 per second, clearly faster then a legitimate visitor.

The IP address is different for each visit. The last three visits used the following IP address's:


Has anybody else seen this? It looks like the IP adress and botname are false, so how can I block it?

Comments welcomed! If you need further information please ask.

Thanks :)

11:42 am on Feb 6, 2008 (gmt 0)

Junior Member

5+ Year Member

joined:Jan 23, 2008
posts: 56
votes: 0

Hey avrofan,

I've seen spambots using MSIE's footprint but not your situation.

At 3-4 pages per second it obviously is a bot, another way to tell if they are pulling pages at a slower pace is if they never fetch any of the graphics elements of your page, particularly not grabbing your stylesheet. Lynx browser and other text-only browers won't fetch any of that stuff either.

If I didn't want to just blacklist their IPs I would write a script to detect '3rd page inside a second' *or* 'msie fetch 3rd page without fetching support files' and effectively 'greylist' the IP address of the visitor for about an hour.

Ps. Just blacklist their IPs.

2:35 pm on Feb 6, 2008 (gmt 0)

New User

5+ Year Member

joined:Feb 5, 2008
posts: 2
votes: 0

Thanks for the reply, robsoles.

Another IP address used today: - UNITED STATES - LIQUID WEB INC - LIQUIDWEB.COM

I hesitate to use blocking by IP, as it seems they have a range of IP address's to use. Each day another one appears!

I liked your suggestion of time based blocking - I'll look at writing a brief PHP script for it.

I'm still curious about who they are, and what they are doing. I'd be interested to know if anyone else has had a similar experience.



2:43 pm on Feb 18, 2008 (gmt 0)

New User

5+ Year Member

joined:Feb 18, 2008
posts: 22
votes: 0

>> Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)

I've been seeing this from something that is trying to inject its own URL's into the "&" parameters in my URLs.

See also: [webmasterworld.com...]

4:09 am on Mar 4, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member

joined:July 26, 2006
votes: 0

These same guys are attempting to do link injection is what they were using today
OrgName: Liquid Web, Inc.

4:15 pm on Mar 16, 2008 (gmt 0)

New User

5+ Year Member

joined:Dec 12, 2007
posts: 12
votes: 0

What is this about? Liquid web is, or at least appears to be, a legitimate web host. I was thinking about using them, actually, when I ran a search and find this.
4:45 pm on Mar 16, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 31, 2002
votes: 0

The Web hosts you should not block are those used by your linking partners. Consider it this way: Why would another server be fetching pages from your site?

You expect referrals from other servers (and almost always by domain name, not IP address), but you don't expect page requests from other servers unless a site that links to yours is running a script to check the validity of their out-going links.

Other than that, you can safely block any IP address range that resolves back to "servers" or "hosting."

For a requests-per-second-based blocking script in PHP, see Blocking Badly Behaved Bots [webmasterworld.com] (third of three parts).


1:02 pm on Mar 18, 2008 (gmt 0)

Junior Member from GB 

10+ Year Member Top Contributors Of The Month

joined:July 21, 2004
votes: 24

I think this is similar to the problem I've been trying to deal with in this thread: [webmasterworld.com...]

Searching on Google for some of the addresses mentioned earlier i.e. shows a post titled 'someone's scraping me' this page lists numerous addresses that seem to have been taken over by some malicious s/w that tries to inject URL's in to peoples logs/code.

It's possibly a game or an application that the same people have downloaded which infects their servers.

It seems quite a lot of people are seeing this but I haven't found an answer yet.

Blocking the IP addresses doesn't seem to be the answer as more and more PCs will become infected and the list would grow unmanageable.