Server Farms - August 2014

Tracking and Reporting Data Center IP Ranges

         

incrediBILL

12:37 am on Jul 31, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Continuation of the Server Farm threads.

Since we're at the end of July, I named it August a day early, so sue me.

This is where we report data center IP ranges as they are discovered or change in the rapidly evolving assigned IP landscape.

Past server farm threads:

keyplyr

8:56 pm on Jan 2, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Thanks not2easy, in addition to the Rackspace ranges you listed, I have a few more:

Rackspace
5.79.0.0/18
5.79.0.0 - 5.79.63.255

Rackspace
23.253.0.0/16
23.253.0.0 - 23.253.255.255

Rackspace (notice the corrections)
162.13.0.0/17
162.13.0.0 - 162.13.127.255

Rackspace
162.242.128.0/17
162.242.128.0 - 162.242.255.255

Rackspace
180.150.128.0/19
180.150.128.0 - 180.150.159.255

Rackspace
192.237.128.0/17
192.237.128.0 - 192.237.255.255

keyplyr

9:48 am on Jan 3, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month




2 dozen hits, most 404s... stupid bot:

83.223.122.12 - - [02/Jan/2015:01:01:53 -0800] "GET /href HTTP/1.1" 404 18427 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"


Gyron Datacenters, UK
83.223.96.0/19
83.223.96.0 - 83.223.127.255

trintragula

1:22 pm on Jan 3, 2015 (gmt 0)

10+ Year Member Top Contributors Of The Month



So I took a quick sample of 20 server farms I've seen a lot recently and looked them up in this forum.
I found all of them. But only 7 were on this thread and its predecessors.
I've previously gone through the 42 pages of this extended thread and extracted 1900 CIDRs from it mechanically, so I'm guessing there are probably another 4000 CIDRs in the 8000-odd threads on this forum - probably mostly in the 1000 threads that have been active over the same 2-3 year period.
This is too many to catalog by hand, even with the help of shell scripts.

On my site I've seen nearly 800 potential server farms in the last three months. 300 or so are listed on this thread and its predecessors.
I can't possibly go through the other 500 by hand, but if I had a more complete list of the server farms that are known here, I could probably sort through the much smaller list that are not listed and find any server farms that are actually unknown here. Probably quite a few of my potential server farms are in fact botnets on DSL/cable, but I won't know until I look.

Probably several of you have such lists, but I'm guessing that in most cases you haven't distinguished CIDRs that were reported here from ones you've found by other means. If you gave me your list, then if we've both seen CIDRs that are not reported here, then I wouldn't know to report them. I've no idea how much that might happen, but it might be worth doing anyway.

I spent some time watching my logs last night and found a couple of server farm CIDRs that are not mentioned here anywhere that I can see.
That's happened before.
If that were typical of the last few months, and they were actually unique, I might have 200 farms to report. Well in all probability not that many, because there will likely be a lot of repeat visits.

Basically I'm exploring the possibility of having most of the filtering done mechanically, and having me check just a few from time to time that might be worth reporting here.

I'm guessing that if you all effectively have the complete list here, you can be reasonably sure that if you haven't seen a server farm before, then neither has anyone else.
But without that list, I can't help...

Ideally the complete list would be published regularly in CSV format or similar, but I'm not aware that anyone has taken that on.
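The mechanical filtering trintragula describes above, as an added example that is not part of the original post: it pulls CIDRs out of free-form thread text, then reports which access-log visitors fall outside every known range so only those need a manual lookup. The function names, the /24 grouping and the sample log lines are assumptions made for illustration.

```python
import ipaddress
import re

# Dotted-quad CIDRs such as 83.223.96.0/19 embedded in free-form post text.
CIDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})\b")
# Client address at the start of a combined-format access log line.
LOG_IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s")

def extract_cidrs(text):
    """Return the collapsed IPv4 networks found in text, skipping malformed ones."""
    nets = []
    for addr, prefix in CIDR_RE.findall(text):
        try:
            nets.append(ipaddress.ip_network(f"{addr}/{prefix}"))
        except ValueError:
            continue  # octet > 255, prefix > 32, or host bits set (likely a typo)
    return list(ipaddress.collapse_addresses(nets))

def unknown_visitors(log_lines, known):
    """Count hits per /24 for client IPs that no known network covers."""
    hits = {}
    for line in log_lines:
        m = LOG_IP_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        if any(ip in net for net in known):
            continue
        bucket = ipaddress.ip_network(f"{ip}/24", strict=False)
        hits[bucket] = hits.get(bucket, 0) + 1
    return hits

# Snapshot text assembled from ranges reported in this thread.
KNOWN_TEXT = """
Gyron Datacenters, UK 83.223.96.0/19
Another Hetzner range: 136.243.0.0/16
NetInch Hosting & Site Monitoring 185.31.136.0/24
"""
# Constructed log lines; the last three use documentation-reserved addresses.
SAMPLE_LOG = [
    '83.223.122.12 - - [02/Jan/2015:01:01:53 -0800] "GET /href HTTP/1.1" 404 18427',
    '185.31.136.59 - - [04/Jan/2015:16:03:40 -0800] "GET / HTTP/1.1" 403 17520',
    '203.0.113.7 - - [05/Jan/2015:09:00:01 -0800] "GET /a HTTP/1.1" 200 512',
    '203.0.113.9 - - [05/Jan/2015:09:00:02 -0800] "GET /b HTTP/1.1" 200 512',
    '198.51.100.4 - - [05/Jan/2015:09:00:03 -0800] "GET /c HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    known = extract_cidrs(KNOWN_TEXT)
    for net, count in sorted(unknown_visitors(SAMPLE_LOG, known).items()):
        print(net, count)
```

A /24 that shows up here is only a candidate; it still needs a whois lookup to tell a hosting range from DSL or cable space.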

not2easy

1:59 pm on Jan 3, 2015 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Thanks for the extra info for Rackspace, keyplyr!

trintragula

2:30 pm on Jan 3, 2015 (gmt 0)

10+ Year Member Top Contributors Of The Month



Another Hetzner range:
136.243.0.0/16

Unit-Is in the Ukraine, doing a slow scrape around the clock, but setting off alarm bells all over the shop:
195.211.152.0/22
I've been seeing these guys visiting since September.

trintragula

2:46 pm on Jan 3, 2015 (gmt 0)

10+ Year Member Top Contributors Of The Month



St Petersburg in RU
46.161.41.0/24
I'm not sure if this is a server farm or not, but it's sure scraping my site. Been doing so since I started watching.

I didn't find it here, but it's listed on a blacklist in the WebmasterWorld Apache forum (thanks google):
[webmasterworld.com...]

I might have a closer look at that list, as there are a lot of CIDRs there... it probably should be here?

EDIT: looks like its origin is a maintained list on github, so no.

keyplyr

9:00 pm on Jan 3, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month




@ trintraghular - so what you're doing is what we all do. See bad or questionable behavior, look up the IP, make a determination to block or not. That's it.

FYI - the ranges you listed I've had blocked for a while.

lucy24

9:04 pm on Jan 3, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Rackspace
162.13.0.0/17
162.13.0.0 - 162.13.127.255

I'd had the whole /16 blocked so I re-checked. I still get Rackspace all the way through.

trintragula

9:43 pm on Jan 3, 2015 (gmt 0)

10+ Year Member Top Contributors Of The Month



FYI - the ranges you listed I've had blocked for a while.


But not reported here?
I really don't want to be wasting people's time reporting ranges that have already been reported.
If you've reported any of them, I haven't found them, and I did look...

not2easy

11:28 pm on Jan 3, 2015 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



The Hetzner range was reported a few weeks ago: Msg#: 4722468 posted on Dec 16, 2014 in this thread. I used to do lookups all over the place to make sure I wasn't reporting old news. It's not the end of the world if it happens. If you have filled out your lists from the older info here, it happens less.

trintragula

11:54 pm on Jan 3, 2015 (gmt 0)

10+ Year Member Top Contributors Of The Month



Ack, and I thought google would keep up - even if I haven't.
I made a snapshot on Dec 11th, but the Hetzner range that dstiles posted on the 16th, and I missed, still doesn't show in google... sigh. Really need that list in machine readable form.

keyplyr

2:23 am on Jan 4, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month




I'd had the whole /16 blocked so I re-checked. I still get Rackspace all the way through.

Good catch, I concur. Thanks Lucy


But not reported here?
I really don't want to be wasting people's time reporting ranges that have already been reported.
If you've reported any of them, I haven't found them, and I did look...

A huge amount of the archived threads/posts are no longer accessible through the site search utilities since WW was reorganized. Not saying I run over here and report every single intruder's IP range, but yes, most of the significant server farms, clouds, colos and hosting companies have been listed at WW in one place or another, many several times.

Angonasec

5:22 am on Jan 4, 2015 (gmt 0)



Our Sinopals have been quiet over Christmas, but now the Frogs hop into Arin too...

Solid Systems/OVH 198.50.253.48 - 198.50.253.63 198.50.253.48/28 ber..locked!

lucy24

6:10 am on Jan 4, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I thought OVH was the whole 198.50.128.0/17
Can't remember if there's been a comprehensive OVH list posted recently. You'll see plenty of them in ARIN, because they've got tentacles in Montreal.

not2easy

6:16 am on Jan 4, 2015 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



That's what I have, several smaller sub-ranges, but everything in 198.50.128.0 - 198.50.255.255
I have listed as 198.50.128.0/17 OVH-ARIN

keyplyr

10:30 am on Jan 4, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Can't remember if there's been a comprehensive OVH list posted recently.

This is what I'm blocking. I don't block all of 8.0.0.0/8 Level 3 because of the dozen or so Mobile ISP and Broadband ranges, so I included the known OVH ranges in there as well. Note that I am not representing the entire Level 3, just the OVH :)


Disclaimer: I suspect there may be errors or omissions. Use at your own risk. YMMV.

dstiles

8:41 pm on Jan 4, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



trintragula - if you are using google then you are wasting your time. Quite apart from their horrendous privacy and search reputation, they are not tremendously good at technical internet details.

As noted by me elsewhere: use LOCAL tools if possible, such as Linux Network Tools and UMIT.

keyplyr - I counted 43 in your OVH list. I haven't had time to compare them with my own, but I have 40 listed - see below. Note: my list includes a few countries other than France and Canada.


lucy24

9:19 pm on Jan 4, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Today's scrapings, mentioned here just in case they've been overlooked:

94.103.144.0/20 (NedZone, Netherlands)
The actual offender lived at 94.103.150 (which admits to lots and lots of websites) but I think it's the same gang all the way through.

46.22.208.0/20 (Estonia)
I have never met an Estonian robot before! I don't read Estonian, but a place that describes itself as "Dedicated Servers" can't possibly be up to any good. The exact offender was from 46.22.215.137 if anyone cares.

keyplyr

10:49 pm on Jan 4, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Just a FYI - TorqHost (46.22.208.0/20) has been around at least 2 years by my records.

trintragula

11:29 pm on Jan 4, 2015 (gmt 0)

10+ Year Member Top Contributors Of The Month



Was just using google to search here to avoid duplicate reporting - it let me down :(
Generally I've used domaintools when curious about an IP range, though in the last couple of days of poking around I maxed out their free allowance :p.
Thanks for the pointer to the linux tools.

lucy24

2:08 am on Jan 5, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Was just using google to search here to avoid duplicate reporting - it let me down

You can easily search for numbers such as
46.22.
I do it all the time-- and it often leads to this thread or one of its older sisters.

trintragula

8:08 am on Jan 5, 2015 (gmt 0)

10+ Year Member Top Contributors Of The Month



So do I (at least recently), but at time of writing google still doesn't have the Hetzner range dstiles posted after I took my snapshot of this thread on Dec 11th and built a CIDR list from it... Google doesn't show a cache of this page, so I can't tell when they last visited.
"site:webmasterworld.com 136.243."
is still drawing a blank.
I was surprised.

EDIT: Hmm the builtin search below also doesn't find it... very odd.

lucy24

8:27 am on Jan 5, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



dstiles-- a quick eyeballing says your OVH list is the same as keyplyr's except for 193.104.19.* (I didn't look at 8.) I assume
192.95.0.0-192.95.63.0
was a typo for .255

136.243. ... is still drawing a blank

That is odd. It must have been mentioned at some time somewhere, because I've got the range marked. I might have looked it up independently-- but the only visits from 136.243 I can find are the MJ12bot just a few weeks ago, and I generally ignore those.


* Horrible long string of 24's throughout 193.104-105 not to mention elsewhere in 193. Don't know what's going on there-- and not sure I want to :(
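The list comparison lucy24 does by eye above can be done mechanically. This is an added example, not code from any poster: it converts start-end ranges to CIDR blocks, flags ranges that do not reduce to a single block (such as the 192.95.63.0 end address), and reports which entries of one list the other fails to cover. Function names are assumptions, and only a few entries from the two OVH lists are used.

```python
import ipaddress

def range_to_networks(line):
    """Turn 'start - end' into the CIDR blocks that cover exactly that span."""
    start, end = (ipaddress.ip_address(part.strip()) for part in line.split("-"))
    return list(ipaddress.summarize_address_range(start, end))

def audit_ranges(lines):
    """Return (collapsed networks, suspect lines).

    A range that needs more than one CIDR block is either a merge of adjacent
    allocations or a typo, so it is flagged for a manual look.
    """
    nets, suspects = [], []
    for line in lines:
        blocks = range_to_networks(line)
        if len(blocks) > 1:
            suspects.append(line)
        nets.extend(blocks)
    return list(ipaddress.collapse_addresses(nets)), suspects

def only_in_first(first, second):
    """Networks from `first` that no network in `second` fully covers."""
    return [n for n in first if not any(n.subnet_of(m) for m in second)]

# A few entries taken from the two OVH lists discussed in this thread.
RANGE_LIST = ["192.95.0.0 - 192.95.63.0", "198.50.128.0 - 198.50.255.255"]
CIDR_LIST = [ipaddress.ip_network(c) for c in
             ("192.95.0.0/18", "193.104.19.0/24", "198.50.128.0/17")]

if __name__ == "__main__":
    nets, suspects = audit_ranges(RANGE_LIST)
    print("check by hand:", suspects)
    print("missing from range list:", only_in_first(CIDR_LIST, nets))
    print("missing from CIDR list:", only_in_first(nets, CIDR_LIST))
```

Because the mistyped end address leaves 192.95.63.1 - 192.95.63.255 uncovered, the /18 is reported as missing from the range list alongside 193.104.19.0/24.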

trintragula

9:45 am on Jan 5, 2015 (gmt 0)

10+ Year Member Top Contributors Of The Month



dstiles pointed it out on Dec 16th on the previous page of this thread, which is fine if you're keeping up, but I got distracted for a minute there... :)

trintragula

10:15 am on Jan 5, 2015 (gmt 0)

10+ Year Member Top Contributors Of The Month



So what do you guys do about 163data/chinanet? I've no idea if this is technically a server farm, but I've got a range here that starts 27.148. and is a /14 ... I haven't seen it listed here. I know some of you block the whole of China...

keyplyr

11:48 am on Jan 5, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



@ trintragula

It's not appropriate to list China ranges here just for being China ranges. There may be another forum(s) at WW that has done this, but I'm not aware of it.

I personally block all known China, Hong Kong, Shanghai, N.Korea, Thailand, Vietnam, Laos, Myanmar & Cambodia ranges. The sum is approximately 20% of the ranges I block.

I do allow Malaysia, Singapore, Philippines & Indonesia because I have a solid user/customer base.

keyplyr

12:02 pm on Jan 5, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



185.31.136.59 - - [04/Jan/2015:16:03:40 -0800] "GET / HTTP/1.1" 403 17520 "-" "NetLyzer FastProbe"
(blocked because of term in UA string)

NetInch Hosting & Site Monitoring
185.31.136.0/24
185.31.136.0 - 185.31.136.255

trintragula

12:37 pm on Jan 5, 2015 (gmt 0)

10+ Year Member Top Contributors Of The Month



@keyplyr
Thanks - that makes sense.

@lucy24
Mostly MJ12 for me also - but recently something called ThumbSniper.

Angonasec

1:33 pm on Jan 5, 2015 (gmt 0)



Centarra Networks Inc. Tx
198.52.129.0/24 198.52.223.0/24 198.52.224.0/24 ber...locked!

wilderness

1:44 pm on Jan 5, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



CENTARRA-NETWORKS 192.119.144.0 - 192.119.159.255 192.119.144.0/20
CENTARRA-NETWORKS 192.161.192.0 - 192.161.255.255 192.161.192.0/18
CENTARRA-NETWORKS 192.241.8.0 - 192.241.15.255 192.241.8.0/21
CENTARRA-NETWORKS 198.52.128.0 - 198.52.255.255 198.52.128.0/17
CENTARRA-NETWORKS 199.195.156.0 - 199.195.159.255 199.195.156.0/22
CENTARRA-NETWORKS 66.248.192.0 - 66.248.223.255 66.248.192.0/19