From an ixquick search:

"Drake Holdings was launched in the mid 1990s as an offshore financial analytics and investment strategy firm, and continues to serve its shareholders today as a holder of income generating corporate equity and intellectual property assets ..."

There is mention of cyberservices[.]com in their WHOIS record and looking into that there are several instances of scams and exploits, although I'm unsure of their domain is a perpetrator or mitigator. In any case, I have blocked the ranges you quoted - thanks for that! :)

Odd... the first is a /24 wedged between two NASA blocks, the second is a /24 in the midst of an MS block. Your references bear out the second one.

Holy ### I just came by to ask this very question with the very same details, because I had a string of visits from
204.79.180.ddd (where "ddd" means variable, not obfuscated-to-protect-the-guilty)
in each case they got HTML, CSS and piwik but no images. Like this:

204.79.180.140 - - [13/Nov/2015:03:51:55 -0800] "GET /games/ColorGames.html HTTP/1.1" 200 5485 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0;  Trident/5.0)"

That's two spaces between the two "Trident" elements-- a form that is used regularly by the plainclothes bingbot (from all the assorted MSN ranges). More often it's NT 6.1, but I think it's always MSIE 9.

The question may not be "Who is Drake Holdings?" but rather "What is the connection between Drake Holdings and Microsoft?"

They will pull a page from the site, and it seems that each individual element of the page is being accessed by a different IP address.

That can be typical of an organization's internal IT system load-balancing (intranet.) I see it occasionally.

Hello, I'm glad to find this forum. Since several weeks I noticed about 50 connections a day on my website from Drake Holdings.
They are scanning every page on my web site, every day, from various IP addresses of their range. Very odd !?!
So I wrote 2 Emails to the abuse contact of this organisation asking what they are looking for, because my site is very ordinary (I am a computer professionnal in a small town in France) but obtained no response.
I was affraid that my server was attacked, so I investigated a bit on Google, and found that this company is owned by 3 attorneys, who are also members of Microsoft Company. See:
<snip>
If someone has some more light on this strange comportement, I would be curious to know..

[edited by: incrediBILL at 11:23 pm (utc) on Dec 20, 2015]
[edit reason] Links Removed - See WebmasterWorld TOS and Forum Charter [/edit]

If the UA is the same as lucy provided? Broken with two trailing spaces after semicolon!
Than it's simple enough to prevent access without using IP's.

SetEnvIf User-Agent "; " keep_out

owned by 3 attorneys, who are also members of Microsoft Company

Well now that's awfully interesting, and may explain the UA match.

:: detour to check raw logs for two-spaces-in-UA pattern ::

:: pause midway to exclude various known Bing IPs, and constrain to one site because I can't deal with robots from 2011 ::

Yup, there they are:

209.147.118.145 - - [19/Sep/2014:03:58:52 -0700] "GET /dir/subdir/file.html HTTP/1.1" 200 358240 "http://www.bing.com/search?q={long search string which is blatant cut-and-paste from homework assignment}" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0;  Trident/5.0)" 

... which would seem human if they had picked up all supporting files, but they didn't. Buncha 209.147.blahblah along with the expected 192.92.blahblah. September 2014 seems to be the earliest, lots more in April, and then again in recent months.

There are also quite a few of this clear robot:

104.207.155.129 - - [23/Oct/2015:02:12:36 -0700] "GET /dir/subdir/ HTTP/1.1" 200 20754 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv: 11.0) like Gecko" 

But then there's

Mozilla/5.0 (X11; U; Linux; en-GB) AppleWebKit/534.34 (KHTML, like Gecko)  QtWeb Internet Browser/3.8.4 http://www.QtWeb.net

That's a legitimate human with two spaces in the UA string (but not preceded by colon or semicolon). Noting with interest that it says "en-GB" although the user is in fact located in Italy, so there's one for the "dialect" contingent So probably "[;:]  " is safe but not an all-encompassing "  "

Who the heck is 209.147.118? Notes say "Optic Fusion" in Tacoma and/or Seattle, but Microsoft don't own the whole northwestern quadrant of Washington state do they? Uh... do they?

Drake Holdings Las Vegas
192.92.196.0/24
192.92.196.0 - 192.92.196.255
204.79.180.0/24
204.79.180.0 - 204.79.180.255

[edited by: keyplyr at 11:12 am (utc) on Jul 8, 2016]

Oh, wait, so what have we got? A couple of Microsoft lawyers vacationing in Las Vegas, and while they're there they decide to do some spot checks with the plainclothes bingbot? Or is the plainclothes bingbot borrowing some Drake IPs to see if they get the same results as when crawling from Bing ranges?

I'm confused :(

:: wandering off to confirm hunch that cat is meowing for absolutely no earthly reason whatsoever ::

I'm not following. What do "lawyers vacationing" have to do with it? What does "Bingbot" have to do with it? It's a VPN (among other things) registered in Las Vegas.

I get requests from various d subnets all the time. Usually these are from schools where they subscribe to a bandwidth service, then routed through different unique IPs. Sometimes these types of hits come from other sources, like VPNs or an organization's internal IT system which tend to do the same thing if the routers are set-up that way.

But this does not answer "why" these requests are targeting your servers. Some type of data mining I would assume, like everything else. I don't see the conspiracy here however.

Ever been in a casino, restaurant or hotel in Vegas and wanted to get on the internet. You have to use (and pay for) their bandwidth. These are some of the guys selling it to you. I don't block this range.

FWIW, most of the hotels in Vegas no longer offer access as a sole option, rather multiple services (pool, sauna, wifi, and others) are unadvertised in the booking packages. However, upon check-in visitors are charged (even if you don't wish or never use any of the services) a 'resort fee' for each nights that stay.
Just do a google on 'Las Vegas Resort Fees'.

Don I work Vegas a couple times a month. No Google search necessary :)

[edited by: keyplyr at 11:13 am (utc) on Jul 8, 2016]

What does "Bingbot" have to do with it?

Only the fact that it's the identical UA as the current plainclothes bingbot.

From my apache logs:

grep 204.79.180 www.[mysite].log.1 | wc -l
gives me about 1800 lines of log for each day, since several monthes, from all IP addresses in Drake Holdings LLC range.
Far more that all my other visitors cumulative.
I think I have a fan club in this company :o)

" it's the identical UA as the current plainclothes bingbot"

OK but what leads you to think it's bingbot? There are lots of agents in that range. It's not tagged as Azure, but clearly there are a few squatters.

I don't think it's bingbot, I just think there's got to be a Microsoft connection, otherwise why the matching UA? Recall that it's not an ordinary humanoid like "Chrome/46"; there's that distinctive hiccup at the end.

If these guys do have a M$ connection, maybe they're crawling from both their own ranges & M$. As said above, there are lots of unidentified agents that come from M$, even outside of their Azure platform. I block several.

[edited by: keyplyr at 11:14 am (utc) on Jul 8, 2016]

:: bump ::

In the ensuing months, has anyone gained any enlightenment? They're still coming around regularly, typically in clumps of a few visits a day for several days, and then a break of a few days.

User-agent varies between two near-identical forms:

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0;  Trident/5.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0;  Trident/5.0)

That's two spaces between the two Tridents. Query: Under what circumstances would one upgrade an operating system but not the browser? Isn't MSIE up to eleven* now?

Generally no referer, but sometimes from a plausible bing search. Always bing.

HTML-- just one page per visit-- any and all stylesheets, any and all scripts including piwik.js-- which they act on, leading to piwik.php. No images, no embedded fonts. Requests for supporting files come in at a leisurely pace, anywhere from a few seconds up to almost half a minute from beginning to end. (At this point I had to pull up some other random IPs from raw logs to assure myself that my site isn't that slow!) Sometimes they're spaced far enough apart that the bingbot** has time to nip in for a quick file pickup in the interval.

Headers are, let's say, minimalist-human except that they include "Pragma: no-cache" which is far more characteristic of search engine spiders, notably-- wait for it-- the bingbot and its relatives.

Further poring over requests for piwik.php (this is easier than actually going into piwik and extracting the information that way) reveals that they always profess to have a resolution of 1024x768 -- a size which is otherwise all but nonexistent. And, more interestingly still: in the rare cases where the initial page request comes in with a referer (bing search), this information is not passed on to piwik, although it does show up in logs (that is, they send the Referer: header). That means they're picking and choosing which lines of the script to act on.


* Insert "up to 11" witticism ad lib.
Incidentally, harking back to the earlier semicolon-plus-two-spaces question, I found this:
Mozilla/5.0 (compatible, MSIE 11, Windows NT 6.3; Trident/7.0;  rv:11.0) like Gecko
Two spaces after the Trident.
** I checked. It isn't always the bingbot-- which would have been beyond weird-- it just seems that way.

All requests have different targeted Bing referrer:

http: //www.bing.com/search?q=targeted+keyphrase&form=MSNH14&sc=8-4&sp=-1&qs=n&sk=

Every request has highlighted vars attached to ref.

They might be scraping Bing for all I know.

403d.

403d.

I keep thinking about 403ing them, but the workload for the server would be pretty much identical either way. (My 403 page invokes a stylesheet and a small image, primarily so I can detect wrongly excluded humans.)

&form=MSNH14&sc=8-4&sp=-1&qs=n&sk=

Do you happen to know what, exactly, this means? I don't get enough bing referers to recognize "form" (sometimes "FORM") as anomalous, or at least uncommon.

Cross-checking MSNH14 I find it in requests from:
65.55.218
131.253.24
192.92.196 (the Drake Holdings range that started this thread)
209.147.118 (Optic Fusion, Tacoma, mentioned earlier in this thread)
in addition to 204.79.etcetera.

bingdude? You out there?

This is what I have done to redirect all request coming from this strange "Drake holding" organisation,
to a dedicated page for them:

In my web site config file
/etc/apache2/sites-available<snip>

# ------ Redirection of strange requests coming from "Drake Holdings" ---
RewriteCond %{REMOTE_ADDR} ^204\.79\.180\.
RewriteRule .* /drake.html
# --- End redirection of strange requests from "Drake Holdings" ---


And page "drake.html" contains:

Hello "Drake Holdings, LLC"

You are again visiting our website ?

What are you looking for ? Maybe I can help you Mrs Kiviat, Mr Dolliver or Mr Orndorff.

Are you trying to hack our site ?

You did not answer to the emails I sent to your "abuse" contact.

Other persons are wondering what game you are playing. Please have a look at:

[webmasterworld.com...]
Hope you will finally have the honesty to explain me your odd activity...

Regards

<snip>

But since today, no reply from them..

[edited by: keyplyr at 9:15 am (utc) on Apr 2, 2016]
[edit reason] Removed domain & email address per forum charter & TOS [/edit]

This is what I have done to redirect all request coming from this strange "Drake holding" organisation,
to a dedicated page for them: .....

mine is a bit less unique :)
RewriteCond %{REMOTE_ADDR} ^204\.79\.180\.
RewriteRule .? -[F]


@Lucy

&form=MSNH14&sc=8-4&sp=-1&qs=n&sk=

Every search box has a hidden form var, as well as a search bar when the search is submitted.

src=IE-SearchBox&FORM=IE10SR for IE10

pc=MOZI&form=MOZSBR for Firefox in general.

Not sure what the other "combo-jumbo" is though.

This is what I have done

Ooh, what fun. How long ago did you do this? Just now, or a while ago?

If it were me, I'd express the rule as

RewriteRule (^|/|\.html)$ http://www.example.com/drake.html [R=301,L]

(and same, mutatis mutandis, if you take the [F] route). That way the server doesn't have to stop and evaluate conditions on non-page requests. In fact: you said "redirect". The rule as written is a rewrite, unless you just forgot to paste-in the flags. You'll also need a REQUEST_URI condition to exempt requests for "drake.html".

Oh, and I'm not sure I said this unambiguously enough:

Cross-checking MSNH14 I find it in requests from

I meant that I find it only in requests from etcetera. At least within the last two years; in earlier years (going back to 2011) it comes up in any old random Bing search request from any old random IP. It would be pretty funny-- but not especially surprising-- if it turned out that Microsoft Corporate was stuck using an older browser/OS combo that is no longer found in the wild.

I'm also seeing the same behavior from this range 204.79.180.x Different IP with every hit (in bunches).

User Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; Trident/5.0)

Added: just noticed that @blend27 included this range in a rule.

This is a fishy range. Looked at the IP in IP2Location and the url field comes back with cyberservices.com which appears to be nothing but an ad site. There is a link on the site "Inquire about this domain" which goes to the domain worldaccelerator.com. Doesn't seem to be anything legitimate about this at all. I've decided to block the range.

I've started redirecting them. Rather than make up new code, I send them to an existing page that I've used for various purposes in the past. The page text basically says, disingenously,

You’ve accidentally replicated the behavior of an undesirable robot, so we have to take this brief detour.

and then there's a link to their originally requested URL. It took me a few weeks to remember that I'd forgotten to poke a hole, so if they do make a repeated attempt they'll end up right back on the same page. Oops. So far, nobody has made the attempt*: they just follow the redirect (including script and stylesheet, but no image or favicon) and that's the last of them. So there.


* The behavior of the rare human who does end up on my 403 page suggests that in some areas there is little difference in intelligence between a human and a robot. One recent specimen caught my attention by requesting seven different pages before figuring out that they were getting comprehensively blocked.

For what it's worth, this page [nevadacorporates.com...] as well as nvsos.gov (which is Nevada Secretary of State website, go to it and search for Drake Holdings LLC) show Drake Holdings LLC officers and not surprisingly, all three have addresses of One Microsoft Way in Redmond. So.. it's Microsoft.

This has been a fascinating topic to read and I registered just to contribute my 2 cents.

I keep a different kind of log file, and hits from the Drake Holdings 204.79.180.xxx block lead me here. I don't capture as much raw data. I don't know referrers, or supporting files. I basically just track html page requests and my site traffic is slow enough that I can read my logs daily and scan for suspicious bot behavior based on click patterns and time on site. I run a [widget] site that sells custom sizes. So I can follow what models and unique sizes a person is shopping for.

Sometimes a bot is obvious: systematically and quickly scanning every [widget] for a given size. Or grabbing a new page exactly every 5 seconds. Or having variable access delays of 5-20 seconds but randomly jumping between 20 unusual sizes such that no human would ever need such a variety of. Sometimes the pattern is immediately obvious. Other times I have to look at several days or weeks worth of random behavior to conclude this is a bot and not just a curious human. I error on the side of curious/stupid user traffic.

And then there are the (bots?) like Drake. It will come in and spend a few minutes looking at a few pages of similar [widget] just like a human. But then jump between a few random sizes. Maybe come back in a few hours for the original sizes. It will occasionally generate unnatural URLs to valid pages based on my directory structure. (for example, my urls use ID/SIZE/name and the name part is optional SEO text, Drake will navigate to ID/SIZE without the SEO text, a behavior I usually only see in bots but could be a clever human) but it never generates bad URLs or misuses form inputs. While the vast majority of traffic from this IP looks humanoid, most humans shop for a few days and then leave. Drake has been casually browsing almost-random pages for a month now. it would have to be the most indecisive ADHD person you've ever met... Or it's the dumbest, slowest bot ever: at 10-30 pages per 24 hours and just 140 pages in 20 days...

I'm almost convinced this is a dumb bot. I just wish I knew what it was up to.

Does anyone know if this Drake browser accepts cookies or maintains a session key?

[edited by: keyplyr at 10:56 pm (utc) on May 13, 2016]
[edit reason] keep products names generic [/edit]

Does anyone know if this Drake browser accepts cookies

I log headers on page requests, so I can tentatively answer this with a No.

Long version: Among the hundreds of requests from 204.79 since their first appearance in November 2015, none has ever come in with a cookie. So either they don't accept cookies, or they don't send cookies (a cookie only becomes meaningful on a subsequent request) ... or every single visit has been from a different physical machine. That last explanation seems too improbable to consider.

My site hardly ever uses cookies on its own behalf-- but piwik does, so a repeat visit from a human will come in with "Cookie: _pk_blahblah". Drake Holdings visitors do request and process the piwik.js file, leading to piwik.php-- but, as noted in an earlier post, they're selective in how they process the script.

:: shuffling papers ::

Yup, still the same behavior. I found one from just a couple of days ago. In an ordinary human visit, any request with a referer will result in "_ref=" as part of piwik.php's query string. In visits from 204.79., this parameter is not sent. The most recent specimen I found contains a highly plausible search string (I've changed + signs back to spaces):

In {identifying words omitted} there is a discussion of certain issues at hand in the lives of {identifying words omitted}. Which of the following statements best explains how this might be significant for us today?

The request was for a page that happens to contain the exact literal text of the query string (it involves students copying-and-pasting an assigment, but that's a subject for another thread ;)). I'm fully prepared to believe that they're spot-checking Bing Search in some way; the search query is always a good match for the page, not just something random. But that still leaves the question of what all the other requests-- the referer-less majority-- are looking for.

Incidentally, I started redirecting them around 10 April. So far I don't see any change in behavior.

Come to think of it: when there is a referer involving Bing Search, it's always a long, multi-word query. But then, I do not have a great deal of content that would bob to the surface on a one-word query, so that may be a red herring.

I'm fully prepared to believe that they're spot-checking Bing Search in some way;

or scraping urls that rank in Bing on Page 1-2. They are spot-on on search terms though.

I've been blocking them for very long time with no effect on Bing Rankings(what ever the relation to MSFT they might have) & never seen them come from GOOG or any other SE for that matter.

I see something like 1 out of 50 of these bots behave slightly differently - more than one pageview in a session (accepting cookies) or executing javascript after the initial pageview.

The company owners are the listed owners of numerous Microsoft companies, incidentally. I don't think the legal angle or the investment side is anything to do with it. It's a Microsoft test of some sort I would be fairly certain (or a test conducted on Microsoft's behalf).