
Anybody Else Getting Bot Attacked Via MSFT IPs?

20.192.0.0/10, 20.33.0.0/16 and More


martinibuster

2:38 pm on Jun 28, 2022 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Awoke this morning to Wordfence alerts from multiple sites all getting slammed hard by bots coming in through various Microsoft (presumably Azure) IP addys.

20.192.0.0/10
20.33.0.0/16
20.36.0.0/14
20.34.0.0/15
20.40.0.0/13
20.48.0.0/12
20.64.0.0/10
20.128.0.0/16
20.196.152.2

jmccormac

5:00 pm on Jun 28, 2022 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Have some of those ranges blocked for some time due to iffy activity. Just took a look to see if any non-blocked MSFT ranges showed up and it seems clear. There was a CERT message about Adminer having a vulnerability. It might have been scanning for it.

Regards...jmcc

[edited by: jmccormac at 5:33 pm (utc) on Jun 28, 2022]

martinibuster

5:19 pm on Jun 28, 2022 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



I haven't had time to examine the bot or what it was doing. Thanks for the info!

LifeinAsia

5:25 pm on Jun 28, 2022 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Have been for some time. They get blocked as they hit.

Haven't flipped the lever to block the entire range yet, but feeling more and more like doing it...

martinibuster

7:58 pm on Jun 28, 2022 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Yeah, these ranges don't generate a constant level of bots like other sources so I'm kind of inclined to keep these IPs open for now.

lucy24

4:53 am on Jun 29, 2022 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



:: detour to raw logs before remembering I should see what my htaccess says first ::

SetEnvIf Remote_Addr ^20\. bad_range=$0

That means one or more law-abiding robots must live at this address, or I would have proceeded directly to “Require ip”.

:: riffling through logs ::

Oh, it’s the DDG Favicons-Bot. Overall, the whole /8 shows pretty exactly six times as many 403s as 200s--and a whopping total of three robots.txt requests--which does strongly suggest locking the door was the right idea.
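An added example, not posted by anyone in this thread: a small Python script that does the check lucy24 describes (403s versus 200s, and how many robots.txt requests) per range, using the CIDRs from the opening post. The log lines are constructed samples in Apache combined format, and the lone 20.196.152.2 entry is assumed to be a /32.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Ranges from the opening post, most specific first so a /32 wins over the /10 around it.
SUSPECT_RANGES = sorted((ipaddress.ip_network(n) for n in (
    "20.192.0.0/10", "20.33.0.0/16", "20.36.0.0/14", "20.34.0.0/15",
    "20.40.0.0/13", "20.48.0.0/12", "20.64.0.0/10", "20.128.0.0/16",
    "20.196.152.2/32",  # assumed /32 for the single address in the list
)), key=lambda n: n.prefixlen, reverse=True)

# Apache combined log format: client IP, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)

# Constructed sample lines (not real traffic from the thread).
SAMPLE_LOG = """\
20.196.152.2 - - [28/Jun/2022:09:01:12 +0000] "GET /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
20.196.152.2 - - [28/Jun/2022:09:01:13 +0000] "GET /adminer.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
20.40.1.7 - - [28/Jun/2022:09:02:00 +0000] "GET /favicon.ico HTTP/1.1" 200 1150 "-" "DuckDuckGo-Favicons-Bot/1.0"
20.40.1.7 - - [28/Jun/2022:09:02:01 +0000] "GET /robots.txt HTTP/1.1" 200 66 "-" "DuckDuckGo-Favicons-Bot/1.0"
203.0.113.9 - - [28/Jun/2022:09:03:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def classify(ip):
    """Return the most specific listed CIDR containing ip, or None if unlisted."""
    addr = ipaddress.ip_address(ip)
    for net in SUSPECT_RANGES:
        if addr in net:
            return str(net)
    return None


def summarise(log_text):
    """Per matched range: counts by HTTP status plus the number of robots.txt fetches."""
    stats = defaultdict(lambda: {"status": Counter(), "robots_txt": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        net = classify(m["ip"])
        if net is None:
            continue  # traffic from outside the listed ranges is not of interest here
        stats[net]["status"][m["status"]] += 1
        if m["path"] == "/robots.txt":
            stats[net]["robots_txt"] += 1
    return dict(stats)
```

A range with many 403s, few 200s and no robots.txt requests is the pattern lucy24 treats as scanner traffic; a range that does fetch robots.txt and gets 200s (the favicon bot here) is the kind of legitimate crawler the SetEnvIf rule exists to avoid locking out wholesale.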