67.55.64-127
67.55.64.0/18
WebAir Internet Development: colo, hosting and-- darn it!-- cloud, so ymmv

I couldn't find any humans from the area. The one that caught my attention was

"HEAD / HTTP/1.1" 200 252 "http://www.google.com"

aka "Yeah, right" ... on a typo domain.

Edit:
Now, if anyone out there reads Czech, can we verify that
93.89.144.0/20
Gradace spol. (I think the second word just means inc. or a/s or similar)
is hosting? The contact info says "hostmaster" but apparently some Eastern European ISPs just use that word generically.

... and ran out of time. I think these are servers too:

80.79.112.0/20
WaveCom, Estonia. Series of HEAD requests from a robot at 80.79.119.235 wanting to know if I've got joomla or drupal.

Another Choopa bot trapped from 64.237.45.116

Latest Choopa deny list please...

Anybody home?

Choopa list please.

Choopa list please

[whois.arin.net...]

Choopa list please.

It took me a few years, but I have figured out how to do this.

#1 go to arin [whois.arin.net]
#2 in the search box, enter some random IP that you already know belongs to Choopa. It may take a few tries, but look for one with an "Organization:" line with a link that's recognizably some contraction of your target-- here "CHOOP-1".
#3 Click on this Organization link.
#4 In the new page, click on the "See also: Related networks" link.
#5 abracadabra

The final list will be in random garbled order. Sort using the tool of your choice (in mine, I have to pad with leading zeros before it will sort as desired).

meanwhile, my choopa list is... :)

45.32.0.0 - 45.32.255.255
45.63.0.0 - 45.63.127.255
64.237.32.0 - 64.237.63.255
66.55.128.0 - 66.55.159.255
68.232.160.0 - 68.232.191.255
104.156.224.0 - 104.156.255.255
104.207.128.0 - 104.207.159.255
104.238.128.0 - 104.238.191.255
107.191.32.0 - 107.191.63.255
108.61.0.0 - 108.61.255.255
173.199.64.0 - 173.199.127.255
185.92.220.0 - 185.92.223.255
208.167.224.0 - 208.167.255.255
209.222.0.0 - 209.222.31.255
216.155.128.0 - 216.155.159.255

fwiw, ARIN claims also
172.86.144.0 - 172.86.144.255
and-- for the sake of completeness--
2001:19F0:: - 2001:19F0:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
They don't, of course, list the 185. range. They also claim that a bunch of 8 is choopa, but who cares about 8 ;)


Edit: Looks like 172.etcetera is a sublet from Psychz, which was probably already listed somewhere. 172.86.144-159 i.e.
172.86.144.0/20

Careful...
There are Choopa mobile (humans) ranges within:
64.237.32.0 - 64.237.63.255
64.237.32.0/19
66.55.128.0 - 66.55.159.255
66.55.128.0/19
(I allow iPhone, Android, Silk, Lumia, Nokia, etc)

And Choopa Broadband (PrivateInternetAccess.com*) within:
104.156.224.0 - 104.156.255.255
104.156.224.0/19
108.61.0.0 - 108.61.255.255
108.61.0.0/16
208.167.224.0 - 208.167.255.255
208.167.224.0/19
209.222.0.0 - 209.222.31.255
209.222.0.0/19

I punch holes for *PrivateInternetAccess.com:
104.156.240.128/26
108.61.101.128/26
208.167.254.64/26
209.222.5.224/28

can we verify that 93.89.144.0/20 Gradace spol...is hosting?

Not hosting IMO - there may be web servers there, but jicinet.cz (that's the company web page) says it's an ISP:

• fast Internet "without waiting"
• independence from a fixed telephone line
• unlimited internet for pauální the monthly fee
• nepřeberné the amount Tariffs For All Types Viewers
(companies, institutions, školy, small živnostníci, households)

...so maybe your poser hits came from either an infected account or a lone gunman.

corporatecolo.com
173.247.224.0 - 173.247.255.255
173.247.224.0/19

I have the following for corporatecolo:

66.117.0.0 - 66.117.15.255
74.124.192.0 - 74.124.223.255
173.247.224.0 - 173.247.255.255
205.134.224.0 - 205.134.255.255

CorpColo
66.117.0.0 - 66.117.15.255
66.117.0.0/20
Adobe
66.117.16.0 - 66.117.31.255
66.117.16.0/20
Carpathia
66.117.32.0 - 66.117.63.255
66.117.32.0/19

Cab be combined: 66.117.0.0/18

Just a FYI

What *was* HostNoc
184.22.0.0 - 184.22.255.255
184.22.0.0/16

Is now Fixed Broadband: ais.co.th
Mobile & Desktop, but mostly Mobile since this is Thailand

Many thanks Don, Lucy, and Mr. Stiles for the Choopa data.
A very useful post Lucy. Don had already explained it to me previously; it is quite a tedious process isn't it?
If only kind Mr. Stiles had included the cidrs too.
(I must be flagging... and I admit I thought you'd all lost interest :)

As if.

More on Choopa - looks like *every* Choopa range has a broadband sub-range. Seeing more & more PrivateInternetAccess human visits.

looks like *every* Choopa range has a broadband sub-range

The day grows ever closer when a significant chunk of my current "Deny from" entries will have to change to

SetEnvIf Remote_Addr ^{long-complicated-regex-here} check_ID

BrowserMatch {short-but-still-complicated-regex-here} human

followed by site-specific

RewriteCond %{ENV:check_ID} .
RewriteCond %{ENV:human} !.

etcetera.

Darn it all.

Tell me about it... Ya really notice it if you're using social media to bring-in traffic. Mostly mobile, but I've recently discovered that a lot of these so-called "mobile" ranges also have valid desktop traffic. And the broadband ranges that formerly had only desktop users, now have a mix of mobile & desktop.

I'm waiting for Apache to support mod_rewrite w/ CIDR. Then I could actually remove a hundred lines of code.

I'm waiting for Apache to support mod_rewrite w/ CIDR.

:: poring over docs [httpd.apache.org], with accompanying nasty feeling I've done this before, to no avail ::

I think this is it:

If the TestString has the special value expr, the CondPattern will be treated as an ap_expr [httpd.apache.org].

where "has the special value expr" means "is the literal string 'expr'", and then you go into the binary operator -ipmatch. See the second #5 (that is, the one for CondPattern, not for TestString) under RewriteCond in 2.4 docs.

:: further pause to scream with excitement at realization that this should finally make it possible to identify autoreferers within mod_rewrite ::

Well, I can never make much sense of the apache.org docs; I always need to see it in the wild. But from what I see, it looks like more code than less - for me anyway.

What I'm hoping for is something along the lines of:

RewriteCond %{REMOTE_ADDR} ^12.34.56.78/20 23.45.67.89/22...etc
RewriteCond %{HTTP_USER_AGENT} !^ (Android|iPhone|etc...)
RewriteRule !^(forbidden\.html|robots\.txt)$ - [F]

<topic drift>
The more I look [httpd.apache.org] (see especially "Authorization Containers"), the more I think access control in 2.4 will be all about the <Require> set of envelopes: <RequireAll>, <RequireAny> or <RequireNone>, which can be nested at will. These in turn are holders for the Require directive, which can be used with IP as before-- replacing the former Allow or Deny-- with environmental variables, and also with expr.

And if <Require> doesn't do it there's the <If> family, including <ElseIf> and <Else>. (Can't figure out if these are nestable, but are definitely allowed in htaccess.) Net result: much less need for the shooting-flies-with-an-elephant-rifle methodology of mod_rewrite.

Hm. Looks as if the makers of 2.4 really, really want us to read the "Expressions" section; everything links to it. ("Backus-Naur"? wtf? since when does apache dot org have to fall back on a wikipedia link?!)
</td>

> If only kind Mr. Stiles had included the cidrs too.

Sorry. My database has start and end IPs and it's beyond my current time capacity to convert to CIDRs. :(

My database has start and end IPs

66.117.0.0 - 66.117.15.255
74.124.192.0 - 74.124.223.255
173.247.224.0 - 173.247.255.255
205.134.224.0 - 205.134.255.255
=
66.117.0.0/20
74.124.192.0/19
173.247.224.0/19
205.134.224.0/19

I've got a javascript file that does it for me.

I've got a javascript file that does it for me.

I can do most in my head now, but for the not-so-intuitive ones, there's always:
kgsoft.com/products/iprange2cidr
Installed on my local machine & pinned from the browser :)

I can do most in my head now

For me, working out "224-255 = /19" isn't the problem. (I learned the /20 or /12 groups first, and worked outward from there.) It's physically typing it without a spurious "224-266" or "224-254" sneaking in. Easier to copy-and-paste, click one button, and then copy-and-paste the result.

Lucy - I do not use JS unless really necessary, including my own tools. :)

However, if you are willing to let me have the JS I could convert the algorithm to use in ASP. I could then provide both formats when I post.

I checked my code. Not a pretty sight, since it only has to work locally*, and is filled with extra doodads to account for all the ways I can misspell things. At bottom it's a combination of brute force and Math.pow(2,blahblah).


* Loosely analogous to the difference between a RegEx that will work in a single text file while I twiddle my thumbs and talk to the cat, and a RegEx for use on your production server when nanoseconds matter.

Ok. Thanks, anyway. :)

I'll find time to make a converter some day.

dstiles - Try the one I listed above. It's a free app you install on your local machine, then pin it to whatever so it pops-up when you need it. Built for Apache code, but will run on anything.