

Server Farms - July 2015

Tracking and Reporting Data Center IP Ranges

         

Ocean10000

4:09 am on Jul 8, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Continuation of the Server Farm threads.

This is where we report data center IP ranges as they are discovered or change in the rapidly evolving assigned IP landscape.

Past server farm threads:

blend27

3:06 pm on Sep 25, 2015 (gmt 0)




Looks like totalserversolutions.com has been shopping.

Yep, I had several under WireSix as well.

This one just a few seconds ago:


ip: 66.71.247.94
remote host: administration.ihearthost.com
time: {ts '2015-09-25 09:56:22'}
http_content:
method: GET
protocol: HTTP/1.0

headers list: content-length,X-REWRITE-URL <<<< both are local headers

content-length: 0
X-REWRITE-URL: /mysql/scripts/setup.php


does not even attempt to send any headers...

keyplyr

1:52 am on Sep 26, 2015 (gmt 0)




Looks like you made the list :)

keyplyr

10:27 am on Sep 26, 2015 (gmt 0)





balticservers.com
188.214.128.0 - 188.214.135.255
188.214.128.0/21

lucy24

11:46 pm on Sep 27, 2015 (gmt 0)




Quick question: Is there anything human in 104.238 ? I just met a one-off-- but offensive enough to block-- from what turned out to be Choopa at
104.238.128.0/18
As it happens, I've already blocked GoDaddy next door at
104.238.64.0/18
Unfortunately 18+18 in this case != 17 so I checked the rest of the neighborhood and found
104.238.0.0/19
Cloud South / Network Layer Technologies
104.238.32.0/19
ColorHost / SimpleLink / QuadraNet (some kind of sublet-- I just picked an IP at random and that's what came up)
and finally
104.238.192.0/18
VersaWeb (people in Las Vegas that I've never been able to figure out)

Are there any potential humans in there?

keyplyr

12:00 am on Sep 28, 2015 (gmt 0)





Quick question: Is there anything human in 104.238
Quick answer: absolutely

As you may or may not have read from my previous diatribes about mobile users, many (most?) of these server farms have clients who are VPNs, mobile apps, mobile ISPs, etc. All of which are a new source for human traffic for us.

I have poked well over 200 holes (so far) in server ranges previously blocked. The filters have conditions: UAs, header fields, request behavior, etc. This has been time consuming but has increased my traffic (and income) considerably.

Also, I've been seeing a lot of desktop browser visits from previously blocked server farm ranges. There was always the bored office worker browsing the internet, but I've been finding telecom type ISPs (especially in other countries) tucked away in larger hosts where just a few years ago this was not the case.

Over the years, I came to block a vast number of IP ranges, most of which are either server farms or company ranges. This has been a result of either bad activity or learning of it here or elsewhere. Then things changed with mobile.

I first just started to manually go through my daily server logs looking at all the 403s to see who was getting blocked. I've been doing this every day for a couple years now, investigating and editing my htaccess to allow exceptions (holes) to my blocking rules to let in humans and apps that bring humans.

I think soon I will redo my htaccess to apply these exceptions to all blocked ranges. I didn't know at first how big of a deal this would become, but it now appears to be like Hawking's expanding universe theory.

keyplyr

4:12 am on Sep 28, 2015 (gmt 0)




...more

I've also discovered that IP ranges get sold or re-purposed. I've had to go through and re-validate thousands of ranges several times in the last couple years; each time finding a couple dozen ranges no longer owned by the same company or for the same purpose.

I recently found a 403'd desktop browser hit from a Vanoppen Business Services range which a couple years ago I would have assumed as the collateral damage of an office worker but when I actually looked further, that /20 was now reassigned to Whitman College. Unblocking the range resulted in a few hundred humans over the next couple days.

And almost all server farms & data centers have cloud ranges now, which are attractive to mobile companies. There are a lot of social media companies now hosting at various places. Some of these may bring significant visitors to your site - even if you don't use the service yourself.

keyplyr

10:37 am on Sep 28, 2015 (gmt 0)




• Some Choopa ranges host mobile and I get humans.

• SimpleLink is residential connectivity which could be used to serve a web site but often is broadband. You could ping for open ports and get a rough idea.

• Cloud South has mobile.

• Network Layer Technologies isn't really servers per se, they're IP connection.

• I've never seen humans coming from any Godaddy ranges (yet) and I block them all.

blend27

6:16 pm on Oct 8, 2015 (gmt 0)





New World Telecom Ltd., Hong Kong

59.188.0.0 - 59.188.255.255
59.188.0.0/16

lucy24

8:48 pm on Oct 8, 2015 (gmt 0)




New World Telecom

Is that servers? It sounds like an ISP.

keyplyr

1:36 am on Oct 9, 2015 (gmt 0)




New World Telecom

Is that servers? It sounds like an ISP.
newworldtel.com is a mix of business servers/connectivity & ISP.

keyplyr

12:45 pm on Oct 10, 2015 (gmt 0)





multacom.com
173.82.0.0/16
173.82.0.0 - 173.82.255.255

keyplyr

11:34 pm on Oct 10, 2015 (gmt 0)





ifxnetworks.com
200.73.0.0 - 200.73.31.255
200.73.0.0/19

Mixed services: cloud servers & private connectivity (ISP)

keyplyr

10:35 am on Oct 11, 2015 (gmt 0)





webair.com
174.137.128.0 - 174.137.191.255
174.137.128.0/18

keyplyr

8:32 am on Oct 13, 2015 (gmt 0)





braveway.com
45.33.144.0/20
45.33.144.0 - 45.33.159.255

keyplyr

7:24 am on Oct 20, 2015 (gmt 0)




New* (for me) quickpacket.com bringing my list to:

69.61.0.0 - 69.61.127.255
69.61.0.0/17
104.247.192.0 - 104.247.223.255 *
104.247.192.0/19
162.223.28.0 - 162.223.31.255
162.223.28.0/22
162.248.208.0 - 162.248.215.255
162.248.208.0/21
170.75.156.0 - 170.75.156.255
170.75.156.0/24
199.101.96.0 - 199.101.103.255
199.101.96.0/21
199.233.232.0 - 199.233.239.255
199.233.232.0/21

keyplyr

10:54 pm on Oct 21, 2015 (gmt 0)




pfizer.com
148.168.0.0 - 148.168.255.255
148.168.0.0/16

Not a server farm per se, but a source of scraping for years. Possibly infected servers, but I'd think the issue would have been detected by now. Various browser UAs doing mischievous, unappreciated behavior. Lately there have been attempts to scrape images directories. There is the possibility Pfizer leases out sub-ranges not displayed in WHOIS. Another possibility is a long-time employee has been the culprit. Nevertheless I continue to block the range.

System

7:27 am on Oct 23, 2015 (gmt 0)

redhat



The following 6 messages were cut out to new thread by ocean10000. New thread at: search_engine_spiders/4774287.htm [webmasterworld.com]
3:07 pm on Oct 23, 2015 (utc -8)

lucy24

8:35 pm on Oct 25, 2015 (gmt 0)




185.112.248.0/22

FatShark, UK
(disclaimer: I just spot-checked. If 248 is Shark Servers and 251 is Shark Servers, I'm going to assume 249 and 250 are too.)

keyplyr

10:30 pm on Oct 25, 2015 (gmt 0)




My look-up confirms that sharkservers.co.uk is in fact:
185.112.248.0 - 185.112.251.255
185.112.248.0/22

lucy24

6:58 pm on Oct 29, 2015 (gmt 0)




5.45.64.0/21
Serverius
This is not a new range-- in fact I'd already got it labeled-- but I repeat it here in case anyone had neglected to block it. (I hadn't.) It's currently playing host to that most dangerous of all critters, the intelligent robot:
5.45.71.133 - - [27/Oct/2015:17:41:50 -0700] "HEAD /images/joomla_logo_black.jpg HTTP/1.1" 404 164 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"
5.45.71.133 - - [27/Oct/2015:17:41:51 -0700] "HEAD /misc/druplicon.png HTTP/1.1" 404 164 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"
I read this as: "Find out, in the most unobtrusive way possible, whether site uses either of these popular CMS. If yes, come back to engage in further malign behavior."

keyplyr

11:18 pm on Oct 29, 2015 (gmt 0)




There are a few Serverius ranges.

5.255.64.0/19
5.255.64.0 - 5.255.95.255

31.148.220.0/24
31.148.220.0 - 31.148.220.255

46.249.32.0/19
46.249.32.0 - 46.249.63.255

92.63.110.0/23
92.63.110.0 - 92.63.111.255

185.12.12.0/22
185.12.12.0 - 185.12.15.255

185.14.28.0/23
185.14.30.0 - 185.14.31.255

lucy24

1:02 am on Oct 30, 2015 (gmt 0)




serverius ranges.

Overall they must not be too offensive: I re-checked and found I'd got all those ranges identified, but only a couple are blocked. Generally ones with a Ukrainian connection, though this is of course sheer coincidence.

:: idly wondering how many respectable law-abiding humans from Ukraine happen to read these forums ::

keyplyr

2:06 am on Oct 30, 2015 (gmt 0)




I allow all Ukraine, Russia, Serbia, etc... ISPs but block servers from that part of the globe just as I would anywhere else. I get a small amount of traffic from Russia/Ukraine blogs & forums and a little organic search referrals.

lucy24

2:58 am on Oct 30, 2015 (gmt 0)




Yes, I recently unblocked a few Russia/Ukraine ranges and almost instantly found a human landing on an extremely obscure etext ... and then following links, which an infected browser wouldn't do. Right now I'm actually more vexed by Indians with cell phones. I don't think they're robots, or even infected machines; they're just phenomenally inept about using search engines (hint! that two-line snippet in the SERP provides a clue about the content of the page), which wastes my bandwidth just as surely as if they were robots.

keyplyr

3:09 am on Oct 30, 2015 (gmt 0)




Indians with cell phones
No doubt Custer's worst nightmare :(


BTW - Next to ServerIUS 5.45.64.0/21 is:
ServerIUS
5.45.76.0/22
5.45.76.0 - 5.45.79.255

(both I neglected to include in the above list)

Note: Some look-ups will display Inferno, some will display ServerIus, others may say 3nt.com. They are all the same company, or at least a conglomerate IMO, possibly divided up due to biz, shared hosting, cloud, etc.

keyplyr

10:20 am on Oct 30, 2015 (gmt 0)




telekenex.com
69.168.192.0/19
69.168.192.0 - 69.168.223.255

Cloud servers; I allow with explicit conditions.

dstiles

8:32 pm on Oct 30, 2015 (gmt 0)




Serverius - I have eight...

5.45.64.0 - 5.45.95.255
5.178.64.0 - 5.178.71.255
5.255.64.0 - 5.255.95.255
31.220.42.0 - 31.220.45.255
46.249.32.0 - 46.249.63.255
93.158.200.0 - 93.158.223.255
178.21.16.0 - 178.21.23.255
185.12.12.0 - 185.12.15.255

All netherlands NL except the first, which I have as multi-country with UK address and extending as 3NT etc as noted above.

keyplyr

10:05 pm on Oct 30, 2015 (gmt 0)




Overall they must not be too offensive:
This is the kind of offensiveness I get from serverius:

5.255.95.124 - - [30/Oct/2015:03:27:03 -0700] "GET /index.php/administrator HTTP/1.0" 301 545 "-" "-"
5.255.95.124 - - [30/Oct/2015:03:27:04 -0700] "GET /index.php/administrator HTTP/1.0" 301 545 "-" "-"
5.255.95.124 - - [30/Oct/2015:03:27:04 -0700] "GET /index.php/administrator HTTP/1.0" 301 545 "-" "-"
5.255.95.124 - - [30/Oct/2015:03:27:04 -0700] "GET /index.php/administrator HTTP/1.0" 301 545 "-" "-"
5.255.95.124 - - [30/Oct/2015:03:27:04 -0700] "GET /index.php/administrator HTTP/1.0" 301 545 "-" "-"
5.255.95.124 - - [30/Oct/2015:03:27:04 -0700] "GET /index.php/administrator HTTP/1.0" 301 545 "-" "-"
5.255.95.124 - - [30/Oct/2015:03:27:05 -0700] "GET /shop/index.php/administrator HTTP/1.0" 403 1497 "-" "-"
5.255.95.124 - - [30/Oct/2015:03:27:05 -0700] "GET /store/index.php/administrator HTTP/1.0" 403 1497 "-" "-"

lucy24

1:02 am on Oct 31, 2015 (gmt 0)




This is the kind of offensiveness I get from serverius:

:: detour to check ::

Heh. 5.255.64.0/19 is one of the few Serverius ranges I do block, so someone unattractive must live there. And, for convenience, 5.255.96.0/19 is another blockable Dutch server farm.

Blank UAs and explicit .phps both get blocked a priori, so they'd never get that string of 301s from me ;)
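
Added example (not part of any post in this thread): a small log filter that applies the signals discussed above (blank UA, explicit .php in the path, referer-less HEAD requests that 404) to the access-log lines quoted in the thread. The reason labels, the exact conditions and the one benign line from 198.51.100.7 are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Apache combined log format, as in the lines quoted in the thread.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')

FIREFOX = ("Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) "
           "Gecko/20100101 Firefox/40.0")
# First four lines come from the thread; the last one is constructed.
SAMPLE = "\n".join([
    '5.45.71.133 - - [27/Oct/2015:17:41:50 -0700] "HEAD /images/joomla_logo_black.jpg HTTP/1.1" 404 164 "-" "%s"' % FIREFOX,
    '5.45.71.133 - - [27/Oct/2015:17:41:51 -0700] "HEAD /misc/druplicon.png HTTP/1.1" 404 164 "-" "%s"' % FIREFOX,
    '5.255.95.124 - - [30/Oct/2015:03:27:03 -0700] "GET /index.php/administrator HTTP/1.0" 301 545 "-" "-"',
    '5.255.95.124 - - [30/Oct/2015:03:27:05 -0700] "GET /shop/index.php/administrator HTTP/1.0" 403 1497 "-" "-"',
    '198.51.100.7 - - [30/Oct/2015:03:30:00 -0700] "GET /etext/index.html HTTP/1.1" 200 5120 "https://www.example.com/" "%s"' % FIREFOX,
])

def reasons(hit):
    """Return the list of signals one parsed request trips (hypothetical labels)."""
    out = []
    if hit["ua"] in ("", "-"):
        out.append("blank-ua")            # no User-Agent sent at all
    if ".php" in hit["path"]:
        out.append("explicit-php")        # asks for a .php path by name
    if (hit["method"] == "HEAD" and hit["status"] == "404"
            and hit["ref"] in ("", "-")):
        out.append("head-probe-404")      # quiet existence check for a missing file
    return out

def flag(log_text):
    """Map each source IP to the sorted set of signals seen from it."""
    flagged = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue                      # skip lines in another format
        for reason in reasons(m.groupdict()):
            flagged[m["ip"]].add(reason)
    return {ip: sorted(rs) for ip, rs in flagged.items()}

if __name__ == "__main__":
    for ip, why in flag(SAMPLE).items():
        print(ip, ", ".join(why))
```

The HEAD requests carry a normal Firefox UA, so only the method, status and missing referer give them away; a blank-UA rule alone would not catch them.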

keyplyr

4:36 am on Oct 31, 2015 (gmt 0)




So we can get both 5.255.64.0/19 & 5.255.96.0/19 with 5.255.64.0/18

Blank UAs and explicit .phps both get blocked a priori, so they'd never get that string of 301s from me ;)
As do I, but the server still returns a 301 if they don't use the www. Must be a server config thing. I don't have any forwarding code in htaccess. I'd actually rather not give bots a 301 which says "yeah, this document exists but it moved, let me take you to it." A 403 doesn't confirm the existence of the document (other than the 403 page) does it?
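
Added example (not part of any post in this thread): the CIDR arithmetic behind "18+18 != 17" and the 5.255.64.0/18 merge, using Python's standard `ipaddress` module on ranges quoted in the thread. The function names are made up for this example.

```python
import ipaddress

def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks covering first..last inclusive."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(b) for b in blocks]

def same_block(first, last, cidr):
    """True when a start-end range and a CIDR name the same addresses."""
    return range_to_cidrs(first, last) == [cidr]

def merge(cidrs):
    """Collapse adjacent blocks; only aligned siblings can combine."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

if __name__ == "__main__":
    # All ranges below are the ones quoted in the thread.
    # Adjacent /18s that do not share a /17 boundary stay separate.
    print(merge(["104.238.64.0/18", "104.238.128.0/18"]))
    # Two /19s that are halves of the same /18 combine.
    print(merge(["5.255.64.0/19", "5.255.96.0/19"]))
    # All five 104.238 blocks together cover the entire /16.
    print(merge(["104.238.0.0/19", "104.238.32.0/19", "104.238.64.0/18",
                 "104.238.128.0/18", "104.238.192.0/18"]))
    # A start-end range need not be a single CIDR block.
    print(range_to_cidrs("31.220.42.0", "31.220.45.255"))
    # Consistency check on a posted pair: range line vs CIDR line.
    print(same_block("185.14.30.0", "185.14.31.255", "185.14.28.0/23"))
```

Running `same_block` over each posted range/CIDR pair before pasting it into a block list catches entries where the two lines describe different addresses, as the last call does.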