WebGo IS - 5724

         

keyplyr

4:28 pm on May 3, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



rDNS: static-204-15-64-**.websense.com (does not exist)
robots.txt: no

Took only /

Pfui

7:15 pm on May 3, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The numeric part of the UA appears to change so I block on "WebGo". E.g., from September, 2009:

static-204-15-64-**.websense.com
WebGo IS - 3428

robots.txt? NO

(If your ** = 96 backwards, it's the same Host, too.)

keyplyr

8:50 pm on May 3, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



> (If your ** = 96 backwards, it's the same Host, too.)


Yup

jdMorgan

1:59 am on May 4, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Since we're on the subject, has either of you noticed any effect from blocking websense? -- Any noticeable drop in corporate or working-hour visitors?

Any trouble reports from visitors?

I have no idea what effect blocking their internet security/Web filtering service "checker" would have, but I'm not sure it would be good -- at least, not for all Webmasters or all sites.

Jim

dstiles

2:32 am on May 4, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Can't say I've noticed "real" browsing through websense. I get loads of bad-bot-like activity and block it all. No one has yet complained. :)

For example, a couple of days ago I got the following, all in the range 208.80.193.nn. It doesn't look "human" to me - or if it is, someone's using a UA rotator and a site rotator together: the sites were very different.

00:26:51
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Ringo; FunWebProducts; .NET CLR 1.1.4322; HbTools 4.8.2)
example.com/index.asp

00:26:51
Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Walsrode Online; FunWebProducts)
www.example.com/index.asp

00:29:51
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50728)
www.anotherexample.co.uk/index.asp

Another triplet an hour or so later showed similar stupid UAs - anyone worried about security certainly wouldn't want some of the "toolbars" noted in the UAs (eg zango).

On the other hand, 204.15.64.0 - 204.15.71.255 is new to me - thanks for the heads up: now banned.

keyplyr

7:10 am on May 4, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Jim, I haven't actually blocked websense's bot/checker/whatever. I just posted as a matter of IDing it, fact finding, etc. Not pleased it doesn't read robots.txt but I guess since it's not a crawler per se, then that's the loophole they allow themselves.

Staffa

11:42 am on May 4, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I have been blocking 208.80.nnn.nnn for many years without any negative results, I have no use for self-styled big brothers.
On one site in particular 208.80 comes around every day and at a different time in a block of several attempts, as below, and a further one to three times with one to two attempts.
This site is of no corporate interest whatsoever and I doubt that any one surfing at work will waste up to 20 minutes, while changing UA at each attempt, trying to get access.

All these visits are coming from 208.80.193.nn

2010-04-30 19:44:13 - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; SpamBlockerUtility 4.7.1)
2010-04-30 19:46:10 - Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; sbcydsl 3.12; YComp 5.0.0.0; yie6_SBCDSL; YPC 3.2.0; Media Center PC 3.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50215; yplus 5.1.04b)
2010-04-30 19:48:22 - Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; FreeprodTB; ZangoToolbar 4.8.3; .NET CLR 2.0.50727)
2010-04-30 19:48:33 - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts; .NET CLR 1.1.4322; Hotbar 4.6.1; FDM; .NET CLR 2.0.50727)
2010-04-30 19:51:57 - Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Wanadoo 6.1)
2010-04-30 19:52:03 - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hot Lingo 2.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
2010-04-30 19:52:18 - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; YPC 3.2.0; ZangoToolbar 4.8.2)
2010-04-30 19:53:27 - Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; FunWebProducts; CHWIE_SE70; .NET CLR 1.1.4322; InfoPath.1)
2010-04-30 20:05:12 - Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; YPC 3.2.0; .NET CLR 1.1.4322; yplus 5.1.02b)

Ocean10000

2:39 pm on May 4, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I have been blocking it for years as well. And at my day job we use a content filtering service, which is supplied by them. There is an option to block unrated sites, but that is the most drastic option to select. There are very few reasons for using that option, unless your network is truly locked down to only browse a few authorized sites. I know we mainly use it to filter out adult themed/gambling type sites.

jdMorgan

1:43 am on May 5, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



OK, these two comments sort of illustrate a couple of points that bear repeating:

> I have no use for self-styled big brothers.

Neither do I, but some types of Web sites might lose significant revenue if blocking Websense results in them rating our sites as "bad" or "dangerous" -- which is why I asked the question.

I block an awful lot of sites, user-agents, hosts, countries, and geographical regions, but if someone asks me if my methods are "the best way," I always say, "No, they might be the worst way for your site."

> This site is of no corporate interest whatsoever and I doubt that any one surfing at work will waste up to 20 minutes, while changing UA at each attempt, trying to get access.

Yes, but what if Websense is a "side-car" filter, not a serial filter? That is, serial filters work by passing all user requests through their filter. The User-agent may be the real user's UA string, or it may be a standard one injected by the filter. However, the requests always look "human" because they are indeed being driven by a person clicking links and bookmarks and typing URLs. The requests are being filtered in real-time.

On the other hand, what I'm calling side-car filters just make a list of the URLs visited by their users, and go around checking them after the fact. The actual filtering is done by another part of the software, likely a blacklist compiled from the previous "scan cycle." Maybe they don't block at all, but rather just send reports or "fire this guy" e-mails when surfing policies are violated -- I really don't know.

These side-car filters may also use real users' UA strings, or they may inject a standard one, or they may rotate through a list -- In WebSense's case, it's either the first or the last of these three methods. But because a side-car filter doesn't work in real time, it does not appear to be human, even though its list of page URLs (and possibly its list of UAs as well) was generated by recording actual human requests.

Anyway, I don't explicitly block Websense, but they get denied more often than not, because the request headers rarely correlate to the browser claimed in the UA string.

So, I've been considering "giving Websense a pass" if I ever discover a down-side to kicking them out nine times out of every ten they visit...

Thanks,
Jim

Staffa

9:33 am on May 7, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Jim, my apologies for the late reply, I had to take care of something else first.

> but if someone asks me if my methods are "the best way," I always say, "No, they might be the worst way for your site."

I agree with you and I am not for a moment pretending that my way is the best way, I only speak for myself and my findings for my websites, it is entirely up to other webmasters to make their own decisions.

I don't know whether Websense is a side-car filter or a serial filter but I very much doubt that there is a real person behind the block of eight to ten attempts every day on one of my sites lasting up to 20 minutes when all they get served is a 404. Frankly, they would have to be quite obtuse not to get the hint that it is time to move on.

While in above example all the visits are coming from 208.80.193.nn most visits have a different ending number, kind of aol style.

What makes it also suspicious is that this happens on one site only and while it might be an extreme coincidence that on a particular day 8 to 10 people would visit the site within a span of 20 minutes all using the websense service it is highly unlikely that this will happen day after day and at different times of the day, the nature of the site just does not lend itself to it, also from a corporate point of view.

Dijkgraaf

11:57 pm on Jul 6, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I get hits from them every day, however it is not only the / page that they hit, but they are also trying to hit various dynamic PHP pages. Trying to in that they aren't passing the query string correctly and getting 404's repeatedly for the same pages.

208.80.193.x - - [01/Jul/2010:12:24:58 +1200] "GET /glossary.php%3Fwoord%3Dboezem HTTP/1.0" 404 620 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; YPC 3.2.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; yplus 5.3.02b)"

should be
"GET /glossary.php?woord=Boezem HTTP/1.0"

dstiles

5:15 pm on Nov 11, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Following a complaint by a customer of one of my clients who is using a websense proxy, I contacted websense.

They do run proxies as well as bots. The ranges I have are as below (proxies are shown as holes drilled in the relevant "server" range; "server" is a general term that includes bots in this case).

The US-based websense person (who had read at least this WebmasterWorld topic) assured me that they only had two proxies in the US but didn't really confirm the UK one nor expand on it. It's possible there are other proxies I do not know about, possibly including one in the 114 range and one in the 91 range.

85.115.48.0 - 85.115.63.255 Servers (UK)
85.115.54.180 - 85.115.54.180 Proxy (one IP)
91.194.158.0 - 91.194.159.255 Servers (UK)
114.255.30.192 - 114.255.30.223 Servers (China)
204.15.64.0 - 204.15.71.255 Servers (US)
208.80.192.0 - 208.80.199.255 Servers (US)
208.87.232.0 - 208.87.239.255 Servers (US)
208.87.233.180 - 208.87.233.180 Proxy (one IP)
208.87.234.180 - 208.87.234.180 Proxy (one IP)

dstiles

9:37 pm on Nov 11, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Add another proxy, came in half an hour ago:

85.115.52.180
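
An added example, not part of any post in this thread: a log classifier that applies the ranges and proxy "holes" dstiles listed, the "WebGo" user-agent match Pfui describes, and the percent-encoded query string Dijkgraaf spotted. The function names and the sample log line are assumptions made for illustration; the ranges are the 2010 values from the thread.

```python
import ipaddress
import re
from urllib.parse import unquote

# Server/bot ranges as posted in the thread (2010 data; may be stale today).
SERVER_RANGES = [
    ("85.115.48.0", "85.115.63.255"), ("91.194.158.0", "91.194.159.255"),
    ("114.255.30.192", "114.255.30.223"), ("204.15.64.0", "204.15.71.255"),
    ("208.80.192.0", "208.80.199.255"), ("208.87.232.0", "208.87.239.255"),
]
# Proxy addresses reported in the thread: real visitors sit behind these.
PROXIES = {"85.115.54.180", "85.115.52.180", "208.87.233.180", "208.87.234.180"}

# Constructed sample line: the final octet (.10) and the shortened UA are made up.
SAMPLE = ('208.80.193.10 - - [01/Jul/2010:12:24:58 +1200] '
          '"GET /glossary.php%3Fwoord%3Dboezem HTTP/1.0" 404 620 "-" '
          '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"')

# Collapse each first-last range into CIDR blocks for membership tests.
SERVER_NETS = [
    net
    for first, last in SERVER_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
]
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')
WEBGO_RE = re.compile(r"^WebGo IS - \d+$")  # numeric suffix varies per visit


def classify_ip(ip):
    """Return 'proxy', 'server' (includes bots) or 'other' for an IPv4 string."""
    if ip in PROXIES:  # check the holes first, they lie inside server ranges
        return "proxy"
    addr = ipaddress.ip_address(ip)
    return "server" if any(addr in net for net in SERVER_NETS) else "other"


def classify_line(line):
    """Parse one combined-format log line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, target, status, ua = m.groups()
    # A "?" that arrived as %3F makes the whole query part of the path (404).
    encoded = "?" not in target and "%3f" in target.lower()
    return {"source": classify_ip(ip), "webgo_ua": bool(WEBGO_RE.match(ua)),
            "encoded_query": encoded, "status": int(status),
            "intended": unquote(target) if encoded else target}
```

Checking the proxy set before the server ranges is what keeps visitors behind a proxy from being treated the same as the bot traffic that shares their /21 or /20.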