Angonasec - does the forum search not work for you?

[webmasterworld.com...]
[webmasterworld.com...]
[webmasterworld.com...]

Barely, thanks for the consolidated update KeyP.
Another Pulsepoint Johnny arrived today.
All strapped down now :)

Jazz is a very common term in the WW archives ;)

Blank UA caught them. Only IP I could locate.

50.93.192.0 - 50.93.207.255 50.93.192.0/20
OrgName: Jazz Network Inc.
50.93.204.109 - - [03/Dec/2014:21:40:33 -0700] "POST / HTTP/1.1" 403 26148 "-" "-"
50.93.204.109 - - [03/Dec/2014:21:40:34 -0700] "GET /wp-content/uploads/wpcron.php HTTP/1.0" 403 794 "-" "-"

A cheeky Sinobot piggy-backing on TRIUNITY/Hetzner tripped the wire.

148.251.214.137 148.251.214.128 - 148.251.214.159 148.251.0.0/16 ber...locked!

New (to me) Hetzner range...

136.243.0.0 - 136.243.255.255
136.243.0.0/16

Odd location: it's sandwiched between US assignments but there are other zones including apnic and other ripe ranges.

Thanks dstiles

New (to me) Linode/Softlayer range...

104.237.128.0 - 104.237.159.255
104.237.128.0/19

Thanks bobothecat2, I didn't have that one either even though it was registered April, 2008. Maybe they just started activity in that range.

Maybe they just started activity in that range.

I've got heaps of ranges flagged as "robot" based on information in the present thread and its siblings. But they can remain un-blocked for years if all they're ever used for is innocuous websites, not bot-running.

I've got heaps of ranges flagged as "robot" based on information in the present thread and its siblings. But they can remain un-blocked for years if all they're ever used for is innocuous websites, not bot-running.

Not me... if they're server farms, they get blocked - period. Machines used for hosting have no legit reason accessing my server.

Q/
Machines used for hosting have no legit reason accessing my server.
/Q

Echoed, but remember the important exception, which is of course; When you file a DMCA be sure to temporarily unblock the recipient Legal bod so they can verify your Notice.

I find they nearly always use a related IP, especially the east-De nasties.

In htaccess, every "Deny from..." line has to be read by the server on every request. So there's no point in blocking a range that will never actually visit. It just makes unnecessary work for the server.

Besides, robots have to start somewhere. You don't control your own IP range from day 1. If the only visit I've ever received from a given range is a well-mannered crawler who reads and heeds robots.txt, there's no reason to block them. Conversely, some legitimate robots (MJ12 comes to mind) find themselves blocked at the gate because they share IP space with undesirables.

In htaccess, every "Deny from..." line has to be read by the server on every request... It just makes unnecessary work for the server.

Technically true and I used to worry about slowing down the server. I can remember years ago when I reached 20 blocked ranges and thought I had too many. I now have well over 10 thousand ranges blocked and there is no noticeable slowness in response time. In fact, Google Page Speed (and every other test) says my server is very fast.

...there's no point in blocking a range that will never actually visit.

Ah, well there lies the real issue. You will never know where the next bad agent will come from. I say be pro-active and block ranges that have absolutely no legit reason to send agents to my server. If you don't block them and they do get to do their mischief, the harm may be significant.

More Rackspace:
Rackspace Hosting RACKS-8-NET-16
104.130.0.0 - 104.130.255.255

(contains Cloud Servers (ORD) RACKS-8-1403192176041218
104.130.64.0 - 104.130.79.255 too)

Good find not2easy, thanks

New to me...

NetRange: 107.172.0.0 - 107.175.255.255
CIDR: 107.172.0.0/14
Organization: ColoCrossing (VGS-9)

also...

NetRange: 107.176.0.0 - 107.177.255.255
CIDR: 107.176.0.0/15
NetName: FDCSERVERS
Organization: FDCservers.net (FDCSE)

That plugged a hole, thanks dstiles

86.58.139.2 - - [26/Dec/2014:02:32:39 -0800] "GET /adform/IFrameManager.html HTTP/1.1" 404 18575 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.103 Safari/537.36"


Jay.net Colo/Cloud/Hosting (Italian company leasing Irish servers)
86.58.128.0/17
86.58.128.0 - 86.58.255.255

How do you decide what to list in these threads?
Most of the AWS ranges that visit me are not here, but in a separate thread in this forum.
Some of the more benign bots are not listed here either.

Is it intended to collect all farms by some criterion? Or are are you just using it to share occasional discoveries?

How do you distinguish between a human-free farm and a provider who just happens to have a human in it with a virus-infected computer?

And how do you decide what range to include? D'you just look up the CIDR in domaintools or some equivalent and block that?

Inquiring minds want to know...

@ trintragula

Some of the legacy threads are gone now, but basically this particular thread, the Server Farms sub-category of the Search Engine Spider and User Agent Identification Forum, does list all known hosting server farms, clouds servers, data centers & colocation company ranges. AWS is so large and prominent, it got its own thread.

All this has been many years in the making and quite a lengthy read but one that will answer most of your questions. These forums are an archive of information for today's webmaster. Most bots do get mentioned in one of the forum's threads, but as I noted, many older threads are now either gone, or unsearchable after the reorganization of WW.

If you see behavior in your server's access logs that is questionable, look up the IP address. Do the research. Find out what type of company the range is assigned to. Many agents disguise themselves as something they're not. In time you'll become skilled at profiling them.

Most of us agree that agents from any of the above have no reason to access our web sites, thus we list the company and their respective server ranges here. What you do with this information is up to you. What works for one webmaster may not for another. One site's bad agent may be thought of as benign or even beneficial to another. Your site, your choice.

How do you distinguish between a human-free farm and a provider who just happens to have a human in it with a virus-infected computer?

By looking them up. Even a free lookup will tell you if it's, say, ColoCrossing or AT&T. With rare exceptions, infected machines are not worth blocking; you may not even be able to tell if it's a fixed or floating IP.

More jay.net
81.7.128.0/18
81.7.166.224 - 81.7.166.255

Media Temple, Inc. old thread from 2012 [webmasterworld.com]

More complete ranges:

Media Temple, Inc. (MEDIAT-10)
MEDIATEMPLE-106 205.186.128.0 - 205.186.191.255 205.186.128.0/18
MEDIATEMPLE-102 216.70.64.0 - 216.70.127.255 216.70.64.0/18
MEDIATEMPLE-103 64.13.192.0 - 64.13.255.255 64.13.192.0/18
MEDIATEMPLE-100 64.207.128.0 - 64.207.191.255 64.207.128.0/18
MEDIATEMPLE-106 70.32.64.0 - 70.32.127.255 70.32.64.0/18
MEDIATEMPLE-101 72.10.32.0 - 72.10.63.255 72.10.32.0/19
MEDIATEMPLE-105 72.47.192.0 - 72.47.255.255 72.47.192.0/18
MEDIATEMPLE-601 2606:2300:: - 2606:2300:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF

My jay list is:

81.7.128.0 - 81.7.191.255
81.19.224.0 - 81.19.255.255
86.48.0.0 - 86.48.255.255
86.58.128.0 - 86.58.255.255
193.28.149.0 - 193.28.149.255

Thanks dstiles. Odd I had never seen this company before.

Oh Boy, I haven't been here in a while.

So many IPzzzz to ban, Yeeahh, Tacos!

Happy Holidays to Everyone! May that ServerFarm never find You!

I got a visit from Oxalide in Paris recently:

95.131.142.xxx

the narrow range is 95.131.142.64 - 95.131.142.79
Oxalide seems to be a web hosting company covering this range:

95.131.136.0/21

I got this information using domaintools, googling oxalide, and visiting their site.

I've never reported one before so would appreciate if someone else would check this to make sure it's an appropriate report.

The visit was just the home page, the UA contained 'WASALive', which I think has been mentioned here before.

It seems to be a trending news aggregator - probably not something everyone would want to block.

I've never had a member or forum post from that range.

Lots of Hosting right there:

Fast2Host
95.128.128.0/21
95.128.128.0 - 95.128.135.255

DigiCube
95.130.8.0/21
95.130.8.0 - 95.130.15.255

Oxalide
95.131.136.0/21
95.131.136.0 - 95.131.143.255

Rackspace
95.138.128.0/18
95.138.128.0 - 95.138.191.255

Anyone have updates on these?

I have nothing additional for the first three, but there are a ton of Rackspace ranges -some on this list go back a few years so I would tread lightly and verify:

31.222.128.0/18Rackspace
31.222.128.0 - 31.222.191.255

37.188.96.0/19 Rackspace
37.188.96.0 - 37.188.127.255

46.38.160.0/19 Rackspace
46.38.160.0 - 46.38.191.255

50.56.0.0/15 Rackspace
50.56.0.0 - 50.57.255.255

64.39.0.0/19 Rackspace
64.39.0.0 - 64.39.31.255

64.49.192.0/18 Rackspace
64.49.192.0 - 64.49.255.255

65.61.128.0/18 Rackspace
65.61.128.0 - 65.61.191.255

66.216.64.0/18 Rackspace
66.216.64.0 - 66.216.127.255

67.192.0.0/16 Rackspace
67.192.0.0 - 67.192.255.255

67.207.128.0/18 Rackspace
67.207.128.0 – 67.207.191.255

67.207.192.0/19Rackspace
67.207.128.0 - 67.207.223.255

69.20.0.0/17 Rackspace
69.20.0.0 - 69.20.127.255

72.3.128.0/17 Rackspace
72.3.128.0 - 72.3.255.255

72.4.112.0/20 Rackspace
72.4.112.0 - 72.4.127.255

72.32.58.0/24 Rackspace
72.32.58.0 - 72.32.58.255

72.32.0.0/16 Rackspace
72.32.0.0 - 72.32.255.255

74.205.0.0/17 Rackspace
74.205.0.0 - 74.205.127.255

78.136.0.0/18 Rackspace
78.136.0.0 - 78.136.63.255

89.234.0.0/18 Rackspace
89.234.0.0 - 89.234.63.255

92.52.64.0/18 Rackspace
92.52.64.0 - 92.52.127.255

94.236.0.0/17Rackspace
94.236.0.0 - 94.236.127.255

95.138.128.0/18 Rackspace
95.138.128.0 - 95.138.191.255

98.129.0.0/16 Rackspace
98.129.0.0 - 98.129.255.255

104.130.0.0/16 Rackspace
104.130.0.0 - 104.130.255.255

108.166.0.0/17 Rackspace
108.166.0.0 - 108.166.127.255

108.171.160.0/19 Rackspace
108.171.160.0 - 108.171.191.255

120.136.32.0/20 Rackspace
120.136.32.0 - 120.136.47.255

162.13.0.0/20 Rackspace
162.13.0.0 - 162.13.15.255

162.209.0.0/17 Rackspace
162.209.0.0 - 162.209.127.255

164.177.128.0/19 Rackspace
164.177.128.0 - 164.177.159.255

166.78.0.0/16 Rackspace
166.78.0.0 - 166.78.255.255

173.203.0.0/16 Rackspace
173.203.0.0 - 173.203.255.255

174.143.0.0/16 Rackspace
174.143.0.0 - 174.143.255.255

184.106.0.0/16 Rackspace
184.106.0.0 - 184.106.255.255

198.61.128.0/17Rackspace
198.61.128.0 - 198.61.255.255

198.101.128.0/17 Rackspace
198.101.128.0 - 198.101.255.255

204.232.128.0/17 Rackspace
204.232.128.0 - 204.232.255.255

207.97.192.0/18Rackspace
207.97.192.0 - 207.97.255.255

209.61.128.0/18Rackspace
209.61.128.0 - 209.61.191.255

209.114.32.0/19Rackspace
209.114.32.0 - 209.114.63.255

212.64.128.0/19Rackspace
212.64.128.0 - 212.64.159.255

212.100.224.0/19 Rackspace
212.100.224.0 - 212.100.255.255


Apologize for the uneven formats, they came from different drives/computers.

Ack - some of them have a missing space between the CIDR and the word Rackspace, so my automated script won't match them... :)

EDIT: no, my regex is okay - I'm not matching on the space character. :)