IMO both should be blocked by range:

5.63.145.0/29 #Hosting Services, GB (5.63.145.0 - 5.63.145.7)

67.228.0.0/16 #Softlayer (67.228.0.0 - 67.228.255.255)



Also, 50.22.185.51 is registered to Panopta.com, which is:

50.22.0.0/15 #Softlayer (50.22.0.0 - 50.23.255.255)

FWIW, I've the entire Class A 5. denied.

I remember, we had a discussion about it. There's huge ISPs in that A class, sonic.net & tarassul. Maybe not an asset to you, but maybe to others. Personally, I never know where traffic will start building from. 2 years ago I never got any natural human traffic from RU, now I get 3 digit daily. Sometimes they even buy stuff. China's the one I block with prejudice :)

[edited by: keyplyr at 10:48 am (utc) on Feb 27, 2013]

sonic.net

That's them modern day versions of drive-in restaurants were the car hops wear roller skates ;)

Yeah, but they wear cute skirts :)

FWIW, I've the entire Class A 5. denied.

I wish I could merrily lock out entire continents :) I stop at countries-- and so far there's only one of those. (I would love to lock out Saudi Arabia too, but I never get any visitors from there anyway so it would be amazingly pointless.)

I wish I could merrily lock out entire continents

lucy,
when I first started using htaccess (late-1999 or 2000) my primary goal was Korea and the UK.
Once I got into the ranges, it was genuinely easier (there was no GEO databases back then) to simply expand the countries, rather than separate the IP's for these two countries from the rest.

My widget content is what's makes designation of non-benefit more tangible.

My methods are certainly NOT an option for most webmasters.

FWIW, I've the entire Class A 5. denied.

I wish I could merrily lock out entire continents

You likely have the Class A's of 4 & 8 denied and their close to continents ;)

5.63.145.0/29 should be 5.63.144.0/21

5.63.145.0/29 should be 5.63.144.0/21

ya, thanks

You likely have the Class A's of 4 & 8 denied

Sad to say there are WebmasterWorld members at both locations :( Well, definitely at 4. And there are unsuspecting humans using assorted AV programs at 8. That is, AV programs that load the page before the human does; I don't hesitate to block the ones that check after the fact. ("I'm afraid you don't understand, your Majesty. The taster has to take the first bite, no matter how luscious it looks.")

You likely have the Class A's of 4 & 8 denied

Yes, at one time I did block:
4.0.0.0/8 #Level 3 (4.0.0.0 - 4.255.255.255)
8.0.0.0/8 #Level 3 (8.0.0.0 - 8.255.255.255)

But quickly discovered hundreds of daily humans never made it through.

I now no longer block 4 and only block a small part of 8:
8.28.16.0/23 #Level 3 (8.28.16.0 - 8.28.17.255)

Hi,
I found panopta.com in my weblogs recently, came across this thread, and added the following to .htaccess:

deny from 5.63.144.0/21
deny from 67.228.0.0/16
deny from 50.22.0.0/15

But yesterday I found a bunch of log entries like these:

ch15.lon.monitorengine.com - - [14/Apr/2013:00:43:20 +0100] "HEAD / HTTP/1.1" 403 - "-" "checks.panopta.com"
forever.alone.net - - [14/Apr/2013:00:43:20 +0100] "HEAD / HTTP/1.1" 200 - "-" "checks.panopta.com"
ch06.slc.monitorengine.com - - [14/Apr/2013:00:43:21 +0100] "HEAD / HTTP/1.1" 200 - "-" "checks.panopta.com"
ch15.lon.monitorengine.com - - [14/Apr/2013:00:58:20 +0100] "HEAD / HTTP/1.1" 403 - "-" "checks.panopta.com"
forever.alone.net - - [14/Apr/2013:00:58:21 +0100] "HEAD / HTTP/1.1" 200 - "-" "checks.panopta.com"
ch01.slc.monitorengine.com - - [14/Apr/2013:00:58:34 +0100] "HEAD / HTTP/1.1" 200 - "-" "checks.panopta.com"
ch15.lon.monitorengine.com - - [14/Apr/2013:01:13:21 +0100] "HEAD / HTTP/1.1" 403 - "-" "checks.panopta.com"
forever.alone.net - - [14/Apr/2013:01:13:21 +0100] "HEAD / HTTP/1.1" 200 - "-" "checks.panopta.com"
ch05.slc.monitorengine.com - - [14/Apr/2013:01:13:22 +0100] "HEAD / HTTP/1.1" 200 - "-" "checks.panopta.com"
ch15.lon.monitorengine.com - - [14/Apr/2013:01:28:22 +0100] "HEAD / HTTP/1.1" 403 - "-" "checks.panopta.com"

Any suggestions on what ranges I should block? Using `host ch05.slc.monitorengine.com` and `whois 198.105.219.56` gives a vague IP range. For now, I've added

deny from *.monitorengine.com
deny from forever.alone.net

to my .htaccess file.

198.105.219.56 belongs to...

Hosting Services, Utah
198.105.208.0 - 198.105.223.255
198.105.208.0/20



ch15.lon.monitorengine.com is 66.228.52.108, which belongs to...

Linode Virtual Cloud Servers
66.228.32.0 - 66.228.63.255
66.228.32.0/19



forever.alone.net is 63.251.38.176, which belongs to...

Internap.com Hosting & Datacenters, Georgia
63.251.0.0 - 63.251.255.255
63.251.0.0/16


BTW - Hosting Services, Linode and Internap all have other ranges. These have been listed here in WW forums and can be found using the Search.

And just a FYI, referrers can (and often are) easily be spoofed.

FWIW, unless you've your own server and have your logs intentionally configured to display in this manner?

ch01.slc.monitorengine.com - - [14/Apr/2013:00:58:34 +0100] "HEAD / HTTP/1.1" 200 - "-" "checks.panopta.com"

Rather, if your on shared hosting, the reason the logs dispaly in this manner is because the deny from's are enclosed in a container.