any idea?

looked into it, "attack" works like this:

1. read one page that contains "keyword1 keyword2", no referrere info
2. come back after 5 seconds, read same page, but fake google kw referer
3. read 3-5 pages without referer
4. request tons of pages all with identical referer string (fake-google)

I'd just like to know if that is common ripper behaviour, or something that used to be called referer spam, or something new.

nerd.

What's the IP address? Is it a range of IP addresses? There are known nefarious bots operating on IP addresses

69.60.120.n and 64.251.30.n

Matt

212.41.120.n (single ip, not sure if tos-compliant to post full ip)

nerd

212.41.120.n (single ip, not sure if tos-compliant to post full ip)

212.41.120.0 - 212.41.127.255

The Class C range of 120-127 belongs to the same provider in China, thus making the forum policy for omitting the the Class D range slighly assinine.

Actually, class D is for IPv4 multicast addresses (224.0.0.0 - 239.255.255.255), not the least significant byte of an IPv4 address.

I don't think it's a disguise as some rippers try to do something lame with the referrer so people don't bounce them off the site. Some are more clever and actually use the real referrer while crawling.

When it comes to Asian IPs, if you don't do business in Asia the Great Firewall of China will help you sleep nights.

When it comes to Asian IPs, if you don't do business in Asia the Great Firewall of China will help you sleep nights.

Same applies to RIPE