Welcome to WebmasterWorld Guest from 54.159.120.168

Forum Moderators: Ocean10000 & incrediBILL & keyplyr

Message Too Old, No Replies

Drake Holdings LLC

     
6:14 pm on Nov 13, 2015 (gmt 0)

New User

joined:June 7, 2014
posts:3
votes: 0


Who or what is Drake Holdings LLC?

Several weeks ago, I started getting hits from the 192.92.196.0 - 192.92.196.255 range and blocked them. A week or so later, they added a new range (204.79.180.0 - 204.79.180.255) and started accessing through that; I blocked it too.

They will pull a page from the site, and it seems that each individual element of the page is being accessed by a different IP address.

AFAIK, they only use these two ranges:

[myip.ms...]

Consider this:

[bizapedia.com...]

Is anyone here familiar with Drake Holdings?
8:01 pm on Nov 15, 2015 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:May 14, 2008
posts:3148
votes: 4


From an ixquick search:

"Drake Holdings was launched in the mid 1990s as an offshore financial analytics and investment strategy firm, and continues to serve its shareholders today as a holder of income generating corporate equity and intellectual property assets ..."

There is mention of cyberservices[.]com in their WHOIS record and looking into that there are several instances of scams and exploits, although I'm unsure of their domain is a perpetrator or mitigator. In any case, I have blocked the ranges you quoted - thanks for that! :)

Odd... the first is a /24 wedged between two NASA blocks, the second is a /24 in the midst of an MS block. Your references bear out the second one.
8:21 pm on Nov 15, 2015 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:13610
votes: 416


Holy ### I just came by to ask this very question with the very same details, because I had a string of visits from
204.79.180.ddd (where "ddd" means variable, not obfuscated-to-protect-the-guilty)
in each case they got HTML, CSS and piwik but no images. Like this:
204.79.180.140 - - [13/Nov/2015:03:51:55 -0800] "GET /games/ColorGames.html HTTP/1.1" 200 5485 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0;  Trident/5.0)"

That's two spaces between the two "Trident" elements-- a form that is used regularly by the plainclothes bingbot (from all the assorted MSN ranges). More often it's NT 6.1, but I think it's always MSIE 9.

The question may not be "Who is Drake Holdings?" but rather "What is the connection between Drake Holdings and Microsoft?"
8:47 pm on Nov 15, 2015 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:8035
votes: 286


They will pull a page from the site, and it seems that each individual element of the page is being accessed by a different IP address.
That can be typical of an organization's internal IT system load-balancing (intranet.) I see it occasionally.
4:20 pm on Dec 5, 2015 (gmt 0)

New User

joined:Dec 5, 2015
posts: 3
votes: 0


Hello, I'm glad to find this forum. Since several weeks I noticed about 50 connections a day on my website from Drake Holdings.
They are scanning every page on my web site, every day, from various IP addresses of their range. Very odd !?!
So I wrote 2 Emails to the abuse contact of this organisation asking what they are looking for, because my site is very ordinary (I am a computer professionnal in a small town in France) but obtained no response.
I was affraid that my server was attacked, so I investigated a bit on Google, and found that this company is owned by 3 attorneys, who are also members of Microsoft Company. See:
<snip>
If someone has some more light on this strange comportement, I would be curious to know..

[edited by: incrediBILL at 11:23 pm (utc) on Dec 20, 2015]
[edit reason] Links Removed - See WebmasterWorld TOS and Forum Charter [/edit]

5:31 pm on Dec 5, 2015 (gmt 0)

Senior Member

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 11, 2001
posts:5459
votes: 3


If the UA is the same as lucy provided? Broken with two trailing spaces after semicolon!
Than it's simple enough to prevent access without using IP's.

SetEnvIf User-Agent "; " keep_out
8:51 pm on Dec 5, 2015 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:13610
votes: 416


owned by 3 attorneys, who are also members of Microsoft Company

Well now that's awfully interesting, and may explain the UA match.

:: detour to check raw logs for two-spaces-in-UA pattern ::

:: pause midway to exclude various known Bing IPs, and constrain to one site because I can't deal with robots from 2011 ::

Yup, there they are:
209.147.118.145 - - [19/Sep/2014:03:58:52 -0700] "GET /dir/subdir/file.html HTTP/1.1" 200 358240 "http://www.bing.com/search?q={long search string which is blatant cut-and-paste from homework assignment}" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0;  Trident/5.0)" 
... which would seem human if they had picked up all supporting files, but they didn't. Buncha 209.147.blahblah along with the expected 192.92.blahblah. September 2014 seems to be the earliest, lots more in April, and then again in recent months.

There are also quite a few of this clear robot:
104.207.155.129 - - [23/Oct/2015:02:12:36 -0700] "GET /dir/subdir/ HTTP/1.1" 200 20754 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv: 11.0) like Gecko" 

But then there's
Mozilla/5.0 (X11; U; Linux; en-GB) AppleWebKit/534.34 (KHTML, like Gecko)  QtWeb Internet Browser/3.8.4 http://www.QtWeb.net
That's a legitimate human with two spaces in the UA string (but not preceded by colon or semicolon). Noting with interest that it says "en-GB" although the user is in fact located in Italy, so there's one for the "dialect" contingent So probably "[;:]  " is safe but not an all-encompassing "  "

Who the heck is 209.147.118? Notes say "Optic Fusion" in Tacoma and/or Seattle, but Microsoft don't own the whole northwestern quadrant of Washington state do they? Uh... do they?
7:03 am on Dec 6, 2015 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:8035
votes: 286


Drake Holdings Las Vegas
192.92.196.0/24
192.92.196.0 - 192.92.196.255
204.79.180.0/24
204.79.180.0 - 204.79.180.255

[edited by: keyplyr at 11:12 am (utc) on Jul 8, 2016]

8:14 am on Dec 6, 2015 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:13610
votes: 416


Oh, wait, so what have we got? A couple of Microsoft lawyers vacationing in Las Vegas, and while they're there they decide to do some spot checks with the plainclothes bingbot? Or is the plainclothes bingbot borrowing some Drake IPs to see if they get the same results as when crawling from Bing ranges?

I'm confused :(

:: wandering off to confirm hunch that cat is meowing for absolutely no earthly reason whatsoever ::
9:20 am on Dec 6, 2015 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:8035
votes: 286


I'm not following. What do "lawyers vacationing" have to do with it? What does "Bingbot" have to do with it? It's a VPN (among other things) registered in Las Vegas.

I get requests from various d subnets all the time. Usually these are from schools where they subscribe to a bandwidth service, then routed through different unique IPs. Sometimes these types of hits come from other sources, like VPNs or an organization's internal IT system which tend to do the same thing if the routers are set-up that way.

But this does not answer "why" these requests are targeting your servers. Some type of data mining I would assume, like everything else. I don't see the conspiracy here however.
1:03 pm on Dec 6, 2015 (gmt 0)

Senior Member

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 11, 2001
posts:5459
votes: 3


Ever been in a casino, restaurant or hotel in Vegas and wanted to get on the internet. You have to use (and pay for) their bandwidth. These are some of the guys selling it to you. I don't block this range.


FWIW, most of the hotels in Vegas no longer offer access as a sole option, rather multiple services (pool, sauna, wifi, and others) are unadvertised in the booking packages. However, upon check-in visitors are charged (even if you don't wish or never use any of the services) a 'resort fee' for each nights that stay.
Just do a google on 'Las Vegas Resort Fees'.
1:08 pm on Dec 6, 2015 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:8035
votes: 286


Don I work Vegas a couple times a month. No Google search necessary :)

[edited by: keyplyr at 11:13 am (utc) on Jul 8, 2016]

8:56 pm on Dec 6, 2015 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:13610
votes: 416


What does "Bingbot" have to do with it?

Only the fact that it's the identical UA as the current plainclothes bingbot.
5:03 pm on Dec 7, 2015 (gmt 0)

New User

joined:Dec 5, 2015
posts: 3
votes: 0


From my apache logs:

grep 204.79.180 www.[mysite].log.1 | wc -l
gives me about 1800 lines of log for each day, since several monthes, from all IP addresses in Drake Holdings LLC range.
Far more that all my other visitors cumulative.
I think I have a fan club in this company :o)
9:43 pm on Dec 7, 2015 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:8035
votes: 286


" it's the identical UA as the current plainclothes bingbot"

OK but what leads you to think it's bingbot? There are lots of agents in that range. It's not tagged as Azure, but clearly there are a few squatters.
11:04 pm on Dec 7, 2015 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:13610
votes: 416


I don't think it's bingbot, I just think there's got to be a Microsoft connection, otherwise why the matching UA? Recall that it's not an ordinary humanoid like "Chrome/46"; there's that distinctive hiccup at the end.
12:32 am on Dec 8, 2015 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:8035
votes: 286




If these guys do have a M$ connection, maybe they're crawling from both their own ranges & M$. As said above, there are lots of unidentified agents that come from M$, even outside of their Azure platform. I block several.

[edited by: keyplyr at 11:14 am (utc) on Jul 8, 2016]

11:17 pm on Mar 31, 2016 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:13610
votes: 416


:: bump ::

In the ensuing months, has anyone gained any enlightenment? They're still coming around regularly, typically in clumps of a few visits a day for several days, and then a break of a few days.

User-agent varies between two near-identical forms:
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0;  Trident/5.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0;  Trident/5.0)
That's two spaces between the two Tridents. Query: Under what circumstances would one upgrade an operating system but not the browser? Isn't MSIE up to eleven* now?

Generally no referer, but sometimes from a plausible bing search. Always bing.

HTML-- just one page per visit-- any and all stylesheets, any and all scripts including piwik.js-- which they act on, leading to piwik.php. No images, no embedded fonts. Requests for supporting files come in at a leisurely pace, anywhere from a few seconds up to almost half a minute from beginning to end. (At this point I had to pull up some other random IPs from raw logs to assure myself that my site isn't that slow!) Sometimes they're spaced far enough apart that the bingbot** has time to nip in for a quick file pickup in the interval.

Headers are, let's say, minimalist-human except that they include "Pragma: no-cache" which is far more characteristic of search engine spiders, notably-- wait for it-- the bingbot and its relatives.

Further poring over requests for piwik.php (this is easier than actually going into piwik and extracting the information that way) reveals that they always profess to have a resolution of 1024x768 -- a size which is otherwise all but nonexistent. And, more interestingly still: in the rare cases where the initial page request comes in with a referer (bing search), this information is not passed on to piwik, although it does show up in logs (that is, they send the Referer: header). That means they're picking and choosing which lines of the script to act on.


* Insert "up to 11" witticism ad lib.
Incidentally, harking back to the earlier semicolon-plus-two-spaces question, I found this:
Mozilla/5.0 (compatible, MSIE 11, Windows NT 6.3; Trident/7.0;  rv:11.0) like Gecko
Two spaces after the Trident.

** I checked. It isn't always the bingbot-- which would have been beyond weird-- it just seems that way.
3:07 pm on Apr 1, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2004
posts:1889
votes: 56


All requests have different targeted Bing referrer:

http: //www.bing.com/search?q=targeted+keyphrase&form=MSNH14&sc=8-4&sp=-1&qs=n&sk=

Every request has highlighted vars attached to ref.

They might be scraping Bing for all I know.

403d.
8:46 pm on Apr 1, 2016 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:13610
votes: 416


403d.

I keep thinking about 403ing them, but the workload for the server would be pretty much identical either way. (My 403 page invokes a stylesheet and a small image, primarily so I can detect wrongly excluded humans.)

&form=MSNH14&sc=8-4&sp=-1&qs=n&sk=

Do you happen to know what, exactly, this means? I don't get enough bing referers to recognize "form" (sometimes "FORM") as anomalous, or at least uncommon.

Cross-checking MSNH14 I find it in requests from:
65.55.218
131.253.24
192.92.196 (the Drake Holdings range that started this thread)
209.147.118 (Optic Fusion, Tacoma, mentioned earlier in this thread)
in addition to 204.79.etcetera.

bingdude? You out there?
8:37 am on Apr 2, 2016 (gmt 0)

New User

joined:Dec 5, 2015
posts: 3
votes: 0


This is what I have done to redirect all request coming from this strange "Drake holding" organisation,
to a dedicated page for them:

In my web site config file
/etc/apache2/sites-available<snip>

# ------ Redirection of strange requests coming from "Drake Holdings" ---
RewriteCond %{REMOTE_ADDR} ^204\.79\.180\.
RewriteRule .* /drake.html
# --- End redirection of strange requests from "Drake Holdings" ---


And page "drake.html" contains:

Hello "Drake Holdings, LLC"

You are again visiting our website ?

What are you looking for ? Maybe I can help you Mrs Kiviat, Mr Dolliver or Mr Orndorff.

Are you trying to hack our site ?

You did not answer to the emails I sent to your "abuse" contact.

Other persons are wondering what game you are playing. Please have a look at:

[webmasterworld.com...]
Hope you will finally have the honesty to explain me your odd activity...

Regards

<snip>


But since today, no reply from them..

[edited by: keyplyr at 9:15 am (utc) on Apr 2, 2016]
[edit reason] Removed domain & email address per forum charter & TOS [/edit]

1:30 pm on Apr 2, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2004
posts:1889
votes: 56


This is what I have done to redirect all request coming from this strange "Drake holding" organisation,
to a dedicated page for them: .....

mine is a bit less unique :)
RewriteCond %{REMOTE_ADDR} ^204\.79\.180\.
RewriteRule .? -[F]


@Lucy
&form=MSNH14&sc=8-4&sp=-1&qs=n&sk=


Every search box has a hidden form var, as well as a search bar when the search is submitted.

src=IE-SearchBox&FORM=IE10SR for IE10

pc=MOZI&form=MOZSBR for Firefox in general.

Not sure what the other "combo-jumbo" is though.
7:26 pm on Apr 2, 2016 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:13610
votes: 416


This is what I have done

Ooh, what fun. How long ago did you do this? Just now, or a while ago?

If it were me, I'd express the rule as
RewriteRule (^|/|\.html)$ http://www.example.com/drake.html [R=301,L]
(and same, mutatis mutandis, if you take the [F] route). That way the server doesn't have to stop and evaluate conditions on non-page requests. In fact: you said "redirect". The rule as written is a rewrite, unless you just forgot to paste-in the flags. You'll also need a REQUEST_URI condition to exempt requests for "drake.html".

Oh, and I'm not sure I said this unambiguously enough:
Cross-checking MSNH14 I find it in requests from

I meant that I find it only in requests from etcetera. At least within the last two years; in earlier years (going back to 2011) it comes up in any old random Bing search request from any old random IP. It would be pretty funny-- but not especially surprising-- if it turned out that Microsoft Corporate was stuck using an older browser/OS combo that is no longer found in the wild.
3:29 pm on Apr 24, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Aug 1, 2013
posts:1338
votes: 22


I'm also seeing the same behavior from this range 204.79.180.x Different IP with every hit (in bunches).

User Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; Trident/5.0)

Added: just noticed that @blend27 included this range in a rule.

This is a fishy range. Looked at the IP in IP2Location and the url field comes back with cyberservices.com which appears to be nothing but an ad site. There is a link on the site "Inquire about this domain" which goes to the domain worldaccelerator.com. Doesn't seem to be anything legitimate about this at all. I've decided to block the range.
8:36 pm on Apr 24, 2016 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:13610
votes: 416


I've started redirecting them. Rather than make up new code, I send them to an existing page that I've used for various purposes in the past. The page text basically says, disingenously,
You’ve accidentally replicated the behavior of an undesirable robot, so we have to take this brief detour.
and then there's a link to their originally requested URL. It took me a few weeks to remember that I'd forgotten to poke a hole, so if they do make a repeated attempt they'll end up right back on the same page. Oops. So far, nobody has made the attempt*: they just follow the redirect (including script and stylesheet, but no image or favicon) and that's the last of them. So there.


* The behavior of the rare human who does end up on my 403 page suggests that in some areas there is little difference in intelligence between a human and a robot. One recent specimen caught my attention by requesting seven different pages before figuring out that they were getting comprehensively blocked.
2:39 am on May 2, 2016 (gmt 0)

New User

joined:May 2, 2016
posts:1
votes: 0


For what it's worth, this page [nevadacorporates.com...] as well as nvsos.gov (which is Nevada Secretary of State website, go to it and search for Drake Holdings LLC) show Drake Holdings LLC officers and not surprisingly, all three have addresses of One Microsoft Way in Redmond. So.. it's Microsoft.
5:42 pm on May 13, 2016 (gmt 0)

New User

joined:May 13, 2016
posts: 1
votes: 0


This has been a fascinating topic to read and I registered just to contribute my 2 cents.

I keep a different kind of log file, and hits from the Drake Holdings 204.79.180.xxx block lead me here. I don't capture as much raw data. I don't know referrers, or supporting files. I basically just track html page requests and my site traffic is slow enough that I can read my logs daily and scan for suspicious bot behavior based on click patterns and time on site. I run a [widget] site that sells custom sizes. So I can follow what models and unique sizes a person is shopping for.

Sometimes a bot is obvious: systematically and quickly scanning every [widget] for a given size. Or grabbing a new page exactly every 5 seconds. Or having variable access delays of 5-20 seconds but randomly jumping between 20 unusual sizes such that no human would ever need such a variety of. Sometimes the pattern is immediately obvious. Other times I have to look at several days or weeks worth of random behavior to conclude this is a bot and not just a curious human. I error on the side of curious/stupid user traffic.

And then there are the (bots?) like Drake. It will come in and spend a few minutes looking at a few pages of similar [widget] just like a human. But then jump between a few random sizes. Maybe come back in a few hours for the original sizes. It will occasionally generate unnatural URLs to valid pages based on my directory structure. (for example, my urls use ID/SIZE/name and the name part is optional SEO text, Drake will navigate to ID/SIZE without the SEO text, a behavior I usually only see in bots but could be a clever human) but it never generates bad URLs or misuses form inputs. While the vast majority of traffic from this IP looks humanoid, most humans shop for a few days and then leave. Drake has been casually browsing almost-random pages for a month now. it would have to be the most indecisive ADHD person you've ever met... Or it's the dumbest, slowest bot ever: at 10-30 pages per 24 hours and just 140 pages in 20 days...

I'm almost convinced this is a dumb bot. I just wish I knew what it was up to.

Does anyone know if this Drake browser accepts cookies or maintains a session key?

[edited by: keyplyr at 10:56 pm (utc) on May 13, 2016]
[edit reason] keep products names generic [/edit]

9:19 pm on May 13, 2016 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:13610
votes: 416


Does anyone know if this Drake browser accepts cookies

I log headers on page requests, so I can tentatively answer this with a No.

Long version: Among the hundreds of requests from 204.79 since their first appearance in November 2015, none has ever come in with a cookie. So either they don't accept cookies, or they don't send cookies (a cookie only becomes meaningful on a subsequent request) ... or every single visit has been from a different physical machine. That last explanation seems too improbable to consider.

My site hardly ever uses cookies on its own behalf-- but piwik does, so a repeat visit from a human will come in with "Cookie: _pk_blahblah". Drake Holdings visitors do request and process the piwik.js file, leading to piwik.php-- but, as noted in an earlier post, they're selective in how they process the script.

:: shuffling papers ::

Yup, still the same behavior. I found one from just a couple of days ago. In an ordinary human visit, any request with a referer will result in "_ref=" as part of piwik.php's query string. In visits from 204.79., this parameter is not sent. The most recent specimen I found contains a highly plausible search string (I've changed + signs back to spaces):
In {identifying words omitted} there is a discussion of certain issues at hand in the lives of {identifying words omitted}. Which of the following statements best explains how this might be significant for us today?
The request was for a page that happens to contain the exact literal text of the query string (it involves students copying-and-pasting an assigment, but that's a subject for another thread ;)). I'm fully prepared to believe that they're spot-checking Bing Search in some way; the search query is always a good match for the page, not just something random. But that still leaves the question of what all the other requests-- the referer-less majority-- are looking for.

Incidentally, I started redirecting them around 10 April. So far I don't see any change in behavior.

Come to think of it: when there is a referer involving Bing Search, it's always a long, multi-word query. But then, I do not have a great deal of content that would bob to the surface on a one-word query, so that may be a red herring.
4:09 pm on May 14, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2004
posts:1889
votes: 56


I'm fully prepared to believe that they're spot-checking Bing Search in some way;

or scraping urls that rank in Bing on Page 1-2. They are spot-on on search terms though.

I've been blocking them for very long time with no effect on Bing Rankings(what ever the relation to MSFT they might have) & never seen them come from GOOG or any other SE for that matter.
6:19 pm on May 14, 2016 (gmt 0)

Moderator from GB 

WebmasterWorld Administrator andy_langton is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 27, 2003
posts: 3332
votes: 140


I see something like 1 out of 50 of these bots behave slightly differently - more than one pageview in a session (accepting cookies) or executing javascript after the initial pageview.

The company owners are the listed owners of numerous Microsoft companies, incidentally. I don't think the legal angle or the investment side is anything to do with it. It's a Microsoft test of some sort I would be fairly certain (or a test conducted on Microsoft's behalf).
This 40 message thread spans 2 pages: 40
 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

Featured Threads

Free SEO Tools

Hire Expert Members