I had a hit to /wp-login.php recently (so yea, a garbage bot hit). The user-agent was
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203
And this was in the cookie field (this could be an entirely new subject):
humans_21909=1
The IP was 5.102.103.198. This comes back as AS397630 (Private Customer) 5.102.103.0/24. The whois for this has a "geofeed" line that reads
[geofeed.ipxo.com...]
IPXO eh? When you bring that up, it will tell you the geographic location for various CIDRs. These all appear to be related to IPXO.
I did a little experiment. First I searched for all CIDRs using HE's BGP tool for IPXO (the string), for which I got 1244 IPv4 CIDRs, of which 34 were new to me (so they've been added in the past few months). So I added them to my IP blocking list.
Next I took all the IPv4 CIDRs from the geofeed list and found how many were not in my completely updated blocking list. Of the 4573 CIDRs in the geofeed list, 1225 were new. They boiled down to 954 non-contiguous CIDRs.
I picked a random one (109.106.1.0/24) and it is assigned to FyfeWeb-Ltd AS212396. A look at the whois record shows mnt-by: IPXO-MNT. I picked 5 more random CIDRs; they were all MNT by IPXO. I added all 954 CIDRs to my blocking list.
The geofeed list seems to be updated constantly, and is a good way to get presumably all IPXO CIDRs for those that maintain their own IP-based blocking list.
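An added example, not part of the original post: one way to script the comparison described above, reading a geofeed, dropping what a blocking list already covers, and merging the remainder into the fewest CIDRs. It assumes the feed uses the RFC 8805 CSV layout and that the blocking list is IPv4 only. The function names and sample data are constructed for illustration, and it goes slightly beyond the post by also carving out partially blocked ranges.

```python
import ipaddress

# Constructed sample in RFC 8805 geofeed layout (prefix,country,region,city,postal).
# Documentation ranges only; not real IPXO data.
SAMPLE_GEOFEED = """\
# constructed geofeed sample
198.51.100.0/25,NL,NL-NH,Amsterdam,
198.51.100.128/25,NL,NL-NH,Amsterdam,
203.0.113.0/24,US,US-NY,New York,
192.0.2.0/24,GB,,London,
2001:db8::/32,DE,,,
not-a-prefix,US,,,
"""
SAMPLE_BLOCKLIST = ["203.0.113.0/24", "192.0.2.0/25"]  # constructed, IPv4 only


def parse_geofeed_v4(text):
    """Return IPv4 networks from a geofeed, skipping comments and bad lines."""
    nets = []
    for line in text.splitlines():
        prefix = line.split(",", 1)[0].strip()
        if not prefix or prefix.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(prefix, strict=False)
        except ValueError:
            continue
        if net.version == 4:
            nets.append(net)
    return nets


def new_prefixes(geofeed_text, blocklist):
    """Geofeed IPv4 space not already blocked, merged into the fewest CIDRs."""
    blocked = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(b, strict=False) for b in blocklist))
    missing = []
    for net in ipaddress.collapse_addresses(parse_geofeed_v4(geofeed_text)):
        pieces = [net]
        for b in blocked:
            kept = []
            for p in pieces:
                if p.subnet_of(b):
                    continue  # already fully blocked
                # carve out a blocked sub-range, else keep the piece whole
                kept.extend(p.address_exclude(b) if b.subnet_of(p) else [p])
            pieces = kept
        missing.extend(pieces)
    return [str(n) for n in ipaddress.collapse_addresses(missing)]
```

Feeding it a saved copy of the feed and an existing list returns only the ranges still to be added, so it can be re-run whenever the feed changes.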