I see in my logs today a hit from 178.38.119.X (what-ever.adslplus.ch). On the HTML side, a sequence of 5 file requests, the first one for an HTML file using this UA:

Mozilla/5.0 (iPhone; CPU iPhone OS 14_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML like Gecko) Version/14.0.2 Mobile/15E148 Safari/604.1

6 seconds later, all during the same second, 4 file requests, the first being the same HTML file, the 3'rd being favicon.ico, the last two for an apple-touch-icon png. These 4 requests had this UA:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.4 (KHTML like Gecko) Version/9.0.1 Safari/601.2.4 facebookexternalhit/1.1 Facebot Twitterbot/1.0

None of these have referrer. No previous history of any hits from 178.38/16

The two requests for the HTML file were re-directed (301) to my HTTPS server, where they requested the file (twice) using the same two UA's given above. No other files were requested that normally should be to fully render the page.

One other file (a different apple icon png) was requested on the HTTPS side, but using this UA:

MobileSafari/604.1 CFNetwork/1209 Darwin/20.2.0

The fact that no other files referenced in the HTML file were requested that normally would be by a human browser to render the page is to me a dead giveaway that a bot was behind this hit, but yet the requesting IP seems to come from a residential ISP (I have had hits from Sunrise IP's before, but not from this /16, and have attributed them to be organic/human).

If it matters in the context of this event, I do block Fecebook IP's and periodically see their attempts to retrieve files.

Is there indeed a combined, legit Facebot / Twitterbot? Does Fecebook have such a business affiliation with Twitter?

If this is bot activity (FB/TW or someone else) then Sunrise is renting IP's to them?

Or is this "in-app" bot behavior - bots hitting my site through someone's iphone?