@blend

Yup, I've had 69.12.64.0/19 and all other Quadranet ranges blocked for a while now.

RE: DigitalFyre 23.95.92.0/22 is inside ColoCrossing:
23.94.0.0 - 23.95.255.255
23.94.0.0/15

Never seen this company before. Anyone have any more?

VPSLand
64.186.128.0 - 64.186.159.255
64.186.128.0/19

Been blocking that range since at least 2010, he said smugly. :)

All I have are:

64.186.128.0 - 64.186.159.255
65.75.240.0 - 65.75.255.255

Thanks dstiles

New one on me:

199.33.120.0/21 Rebel Hosting

(location: Folsom CA, which will provoke merriment in some quarters)

Found while looking up a botnet at 107.181.155.77:

107.181.128.0/19
Free lookup doesn't take me beyond "something hinky", with various references to Netherlands, Choopa, Vivid et cetera ad lib. Can anyone shed further light?

I see:
RIJX NET-107-181-152-0-1 (NET-107-181-152-0-1) 107.181.152.0 - 107.181.155.255

in Vivid LLC VIVID-4 (NET-107-181-128-0-1) 107.181.128.0 - 107.181.159.255

Found while looking up a botnet at 107.181.155.77:

107.181.128.0/19
Free lookup doesn't take me beyond "something hinky", with various references to Netherlands, Choopa, Vivid et cetera ad lib. Can anyone shed further light?

belongs to: kgovps.com

They say... "We do Virtual Servers, in the following locations
New Zealand, Australia, Italy, United Kingdom, Las Vegas, Atlanta, Los Angeles"

...so there almost certainly will be more ranges :)

[added] This seems to be connected to another company: iniz.com which offers the usual biz datacenter services. Their ranges are (as of yet) unknown. Anyone?

[more added] iniz.com seems to be leasing ranges from CloudFlareNet:
108.162.192.0 - 108.162.255.255
108.162.192.0/18

I have several ranges for Vivid Hosting. I wonder if these are connected?

Couple new ones for me:

fubra.com
87.124.0.0 - 87.125.255.255
87.124.0.0/15

istanbuldc.com
31.210.127.0 - 31.210.127.255
31.210.127.0/24

31.210.127.0/24 is part of RADORE at 31.210.64.0 - 31.210.127.255 but I actually block right down to 31.210.32.0.

but I actually block right down to 31.210.32.0.

Good, that also takes care of:

MarsGloball
31.210.63.0 - 31.210.63.25
31.210.63.0/24

And other spots in the remaining range I have noted as "pests"

Hmmm... right in the middle of updating post and it timed out. Was going to add the other MarsGloball ranges. No need I guess.

New one for me:

Crystone
83.168.192.0 - 83.168.255.255
83.168.192.0/18

Tried to crawl all (2k) HTML files on my server, changing UA each time. No commonalities besides IP address.

Free lookup says February but I can't find any earlier posts:

107.183
Enzu
(botnet at 107.183.69.130)

103.246.88.0/22 pacificlinktel .com
109.71.40.0/21 ptisp .pt
111.67.0.0/19 web24 .com.au
141.138.192.0/20 xl-is .net
146.185.160.0/21 digitalocean .com
174.140.192.0/18 colocation america
178.170.164.0/23 dom-tel .ru
188.227.176.0/21 redstation .com
190.228.29.0/24 elserver .com
192.254.64.0/20 dacentec .com
193.9.250.0/23 ohoster hosting
194.247.28.0/23 romanelliproject .com
195.78.32.0/23 posluh .hr
197.221.48.0/22 hetzner .co.za
2.232.0.0/13 fastweb .it
212.7.216.0/21 dediserv .eu
212.92.23.0/24 ahrt .hu
212.94.96.0/19 webstream
31.7.184.0/21 core-backbone .com
37.157.192.0/21 wedos .com
41.204.205.0/24 hetzner .co.za
5.250.176.0/20 rainhost .gr
62.197.128.0/19 sitebytes .nl
67.23.224.0/19 hostdime .com
75.98.160.0/20 a2hosting .com
76.72.240.0/20 neptunonetworks .com
77.245.64.0/20 redstation .com
79.99.164.0/22 planet-work .com
82.220.0.0/16 hosttech .eu
91.149.157.0/24 hoster .by
91.200.40.0/22 hvosting .ua
93.190.88.0/21 servado .de
94.142.216.0/22 erdenreich .net
95.85.56.0/21 digitalocean .com

just the few I had time to google check for not being listed here

Good stuff, thanks Hobbs

@Hobbs,

That hetzner 41.204.205.0/24 is inside of:
41.204.192.0 - 41.204.223.255
41.204.192.0/19

That digitalocean 146.185.160.0/21 is inside of:
146.185.128.0 - 146.185.191.255
146.185.128.0/18

That Redstation 188.227.176.0/21 is inside of:
188.227.160.0 - 188.227.191.255
188.227.160.0/19

Lots more like this. If you check both sides of a range, often you'll find they extend farther than the info given in an initial look-up.

Another one that doesn't come up in searches:

170.130
ServerHub/Eonix

Free lookup says November; I think the range used to belong to someone else.

199.195.248.0/21
I don't know who or what FranTech is, but they appear to be servers.

And finally (I hope):
23.227.96.0/19
KVC Hosting

It's been a busy few days for the "contact" botnet (pattern: one random page blocked for bogus referer, followed by contact page not subject to same referer blocks).

I see that EONIX as 170.130.0.0 - 170.130.255.255 in Dallas
and FranTech as some outfit in Wyoming, but the PONYNET is in CA and it looks like servers, yup.
199.195.248.0 - 199.195.255.255
199.195.248.0/21
This doesn't add anything except the range for those of us who can't see it from the CIDR..

I have some other new stuff to add, but it is scattered right now, hope to get it together by this evening.

199.195.248.0/21
I don't know who or what FranTech is, but they appear to be servers.

They're a recent server farm start-up currently operating under the brand: BuyVM
frantech.ca

Thanks... had the others :)

Here's one that's been sending a few pests lately:

Choopa
108.61.0.0 - 108.61.255.255
108.61.0.0/16

keyplr noted one range on April 8th.

Here are their shown ranges (fairly small):

CONTINA 155.254.192.0 - 155.254.255.255 155.254.192.0/18
CONTINA 107.181.64.0 - 107.181.79.255 107.181.64.0/20
CONTINA 167.160.96.0 - 167.160.127.255 167.160.96.0/19

dcsmanage
205.209.128.0 - 205.209.191.255
205.209.128.0/18

Newly registered. SQL Injection attempts from 23.227.196.30

NetRange: 23.227.192.0 - 23.227.207.255
CIDR: 23.227.192.0/20
NetName: SWIFTWAY-7

If it's got "Datacenter" in the name, can we assume it won't be sending a lot of humans? One-off robot from 80.72.9.5
looks like
80.72.0.0/20
Teknik i Media Datacenter (Sweden)

---

Now, since I'd previously blocked
80.72.32.0/20
(Polish robots of some description)
this put me in hopes of filling gaps.
80.72.16.0/20
is Russia, undetermined. Free lookup says ambiguously "Address Space For Linkstar Network" which could mean anything. And unfortunately
80.72.48.0/20
is Telecom Liechtenstein, which sounds fairly human.

Darn.

etop.pl is hosting
80.72.32.0 - 80.72.36.255

32-36? Odd range. What's the remaining 37-47?

Elsewhere:
162.253.144.0/21
Apparently SoftLayer, or a sublet thereof. Robot that happily was locked out on UA grounds even though I didn't know the IP. Would have slipped by unnoticed if it hadn't asked for errorstyles.css, which is exempt from blocking.

This whole neighborhood is fairly recent assignments-- within the last 6 months, mostly-- so I looked up some others. Tentatively:
162.253.128.0/22
Amanah (Canada)
162.253.132.0/22
CyberLynk
162.253.136.0/21
Allstream (Canada-- I'll assume these to be human unless & until it's proven against them)
..
162.253.152.0/22
Reprise Hosting
162.253.156.0/22
ISPrime
162.253.160.0/21
XHop (ymmv, but for me "Hop" is one of those name elements like "Rack" that inspires distrust in advance)

32-36? Odd range. What's the remaining 37-47?

80.72.32.0 - 80.72.47.255 is also etop... thus 80.72.32.0/20 :)

I wasn't disagreeing with you about the /20, only that the 80.72.32.0 - 80.72.36.255 span is hosting. What etop does with the rest is unknown.

I have 162.253.144.0/21 as arvixe.com (hosting)

162.253.160.0/21
XHop (ymmv, but for me "Hop" is one of those name elements like "Rack" that inspires distrust in advance)

Not to mention that XHop is based in Henderson, Nevada where server racks adorn the desert landscape!