GTT bots

You may want to fine tune your blocks: I don't

         

Angonasec

4:58 am on Aug 26, 2014 (gmt 0)



Debuted on our site with their 204.93.54.187 bot;

nLayer Comms, Inc. GTT-ARIN-BLK5 204.93.32.0 - 204.93.63.255
Rica Web Services NLYR-204-93-54-0-1 204.93.54.0 - 204.93.54.255

Another Cloud crowd hosting Chinese scrapers.

Pfui

2:53 pm on Aug 26, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Assorted nit-picky Qs, please:

- "GTT bots"

Not sure what that means, sorry. What was the specific UA you saw? Did it ask for robots.txt? How did it scrape?

FWIW, the IP's recent UA history suggests a spambot. [projecthoneypot.org...]

- The ISP (servarica.com) appears to be a cloud/VPS server farm in Quebec. What Chinese connection did you see?

- "You may want to fine tune your blocks: I don't"

IMO, virtual/cloud server farms generally, and certainly those with iffy histories (via projecthoneypot.org, stopforumspam.com, etc.), are prime candidates for preemptive blocks.

wilderness

3:49 pm on Aug 26, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



GTT Communications, Inc. is the parent org and/or dual net name for nLayer. Assume there's some kind of org connection.

keyplyr

7:28 pm on Aug 26, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month





As Wilderness identified...

nLayer
204.93.32.0/19
204.93.32.0 - 204.93.63.255
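
An added example, not part of any post in this thread: it collapses the two WHOIS ranges quoted above into CIDR form and runs the checks asked about in the thread (is the client inside one of those ranges, did it request robots.txt) over access-log lines. The log lines, the second IP address and the user-agent strings are constructed for illustration, and the Apache combined log format is an assumption.

```python
import ipaddress
import re
from collections import defaultdict

# Inclusive start-end ranges exactly as quoted from WHOIS in the thread.
THREAD_RANGES = {
    "GTT-ARIN-BLK5": ("204.93.32.0", "204.93.63.255"),
    "NLYR-204-93-54-0-1": ("204.93.54.0", "204.93.54.255"),
}

def range_to_cidrs(start, end):
    """Collapse an inclusive start-end range into the minimal list of CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end)))

NETWORKS = {name: range_to_cidrs(*r) for name, r in THREAD_RANGES.items()}

# Constructed sample lines (assumed Apache combined log format, not from the thread).
SAMPLE_LOG = """\
204.93.54.187 - - [26/Aug/2014:04:50:01 +0000] "GET /page1.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
204.93.54.187 - - [26/Aug/2014:04:50:02 +0000] "GET /page2.html HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Aug/2014:04:51:00 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "ExampleCrawler/1.0"
198.51.100.7 - - [26/Aug/2014:04:51:03 +0000] "GET /page1.html HTTP/1.1" 200 5120 "-" "ExampleCrawler/1.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def matching_ranges(ip):
    """Names of the thread's ranges that contain ip; [] if none or not an IP."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # the log field may hold a hostname instead of an address
        return []
    return [name for name, nets in NETWORKS.items() if any(addr in n for n in nets)]

def summarize(log_text):
    """Per client: request count, whether robots.txt was fetched, matching ranges."""
    stats = defaultdict(lambda: {"requests": 0, "robots_txt": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, _method, path, _status = m.groups()
        stats[ip]["requests"] += 1
        if path.split("?")[0] == "/robots.txt":
            stats[ip]["robots_txt"] = True
    return {ip: {**s, "ranges": matching_ranges(ip)} for ip, s in stats.items()}

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```

The /24 sits entirely inside the /19, so a block on the wider range already covers the narrower one; listing both only matters if you want to block the reseller's allocation without the rest of the parent block.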

Angonasec

12:22 pm on Aug 27, 2014 (gmt 0)



"What was the specific UA you saw?"
Innocuous UA

"Did it ask for robots.txt?"
No, they never do.

"How did it scrape?"
This is what gave it away to me, but I'm sure not going to say how, here :)

"FWIW, the IP's recent UA history suggests a spambot. [projecthoneypot.org...]"

I'm not a honey-potter, but if I were I'd give a heads-up.

"What Chinese connection did you see?"

Identical repeated unusual behaviour to known Chinese bots such as "ten-cent" etc...

"IMO, virtual/cloud server farms generally, and certainly those with iffy histories (via projecthoneypot.org, stopforumspam.com, etc.), are prime candidates for preemptive blocks."

Indeed Sir, I too use the cricket bat on such muggins, but others hanging around this alley like to use tweezers to pick out the chaff. Hence its own thread :)