Forum Moderators: DixonJones
ff-in-f84.google.com - - .. "GET /#*$!x... HTTP/1.1" ..."Mozilla/5.0 (compatible; Google Keyword Tool;+https://adwords.google.com/select/KeywordToolExternal)"
They're now appearing every 7 minutes (approx) and get the same page each time.
Using netstat, we can see the "equivalent" IP 66.249.85.84 and when we check out that IP, we find the following information:
Reverse DNS: ff-in-f84.google.com.
Reverse DNS authenticity: [Could be forged: hostname ff-in-f84.google.com. does not exist]
ASN: 15169
ASN Name: GOOGLE
IP range connectivity: 1
Registrar (per ASN): ARIN
Should we assume that the ff-in-f84.google.com access is not legit?
I've seen references to ff-in-fNN.google elsewhere in WW, such as in the AdWords forum, but cannot find where anybody has categorically ruled out that these are really coming from Google. Maybe this one is not legit and others of similar syntax are legit?
See also the thread below on the same UA and similar IP range:
Is this legitimate Google [webmasterworld.com]
Not that it's related, but we recently implemented rewrites (301's) to use new simplified url convention and the page that is constantly being pulled is one of those that go thru a re-write AND it uses an option in the query string that indicates its from an AdWords campaign.
The f84- in your URL does match the .84 in the final octet of the IP address.
However, that datacentre stopped being available for search over a year ago. It looks like some other services still reside on servers elsewhere within that Class-C block.
Who or what was accessing your site is unknown to me, but the access came from Google, or from someone using a tool hosted at Google (whether that person was at the GooglePlex, or elsewhere in the world, is also unclear).
See also: [webmasterworld.com...]
