
Turkey News Feed? useragent "newspaper/0.2.8"

         

ghostofseo

6:38 pm on Feb 7, 2025 (gmt 0)

Top Contributors Of The Month



Can someone help me with this?

Top IP address making requests is 84.51.29.236 with the useragent "newspaper/0.2.8". This appears to be an IP address that is geolocating to Turkey.


How can I stop this? Top requests by bytes - 86 Request - 156.28 MB

ghostofseo

6:40 pm on Feb 7, 2025 (gmt 0)

Top Contributors Of The Month



I blocked 84.51.29.236 in Wordfence, is that enough? Or should the host be involved?

not2easy

7:16 pm on Feb 7, 2025 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



If they are coming from 84.51.29.236 and only that IP is blocked, you may see them again and again from 84.51.0.36 or 84.51.55.110 or any IP from 84.51.0.0 to 84.51.63.255. The CIDR for that IP is 84.51.16.0/20 which would block any visits from that range. Better to close the door than use a Do Not Disturb sign, assuming you aren't seeking traffic from its source. Mind you, I don't use WordFence so can't offer ideas for implementing with that.

You could also block the UA (newspaper/0.2.8) if you're working in your .htaccess file.

lucy24

10:14 pm on Feb 7, 2025 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Oh, that sounds familiar.

:: quick run to raw logs ::

Turns out there are two of them: newspaper/0.2.8 as in the present post, but also plenty of “newspaperjs” and-that’s-all.

Since the UA doesn't show up in any legitimate context, while the IP might be an infected human, it may be better to block by UA. But don't make it too narrow; I also find some newspaper/0.3.0

Here's an interesting detail. From last summer I find several paired requests of this pattern (the page varies, the IP is the same):
100.21.115.abc - - [24/Jun/2024:12:02:51 -0700] "GET /ebooks/rebecca/ HTTP/1.1" 403 6977 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0" 
100.21.115.abc - - [24/Jun/2024:12:02:54 -0700] "GET /images/banner-icon.png HTTP/1.1" 200 5233 "https://example.com/ebooks/rebecca/" "newspaper/0.2.8"
In fact they are trios, because each is accompanied by a (blocked) request for piwik/matomo, which lives on a different site, still with the newspaper/ UA. (There are further points of interest, but I don't want to send this thread hopelessly off the rails.)

Here's another one with a different pattern:
154.53.81.abc - - [07/Mar/2024:20:48:42 -0800] "GET /ebooks/chile/chile2.html HTTP/2.0" 200 669647 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0" 
52.73.246.abc - - [07/Mar/2024:20:48:47 -0800] "GET /ebooks/chile/images/pic299.gif HTTP/1.1" 403 6977 "https://example.com/ebooks/chile/chile2.html" "newspaper/0.2.8"
52.73.246.abc - - [07/Mar/2024:20:48:48 -0800] "GET /ebooks/chile/images/pic299.gif HTTP/1.1" 403 6977 "https://example.com/ebooks/chile/chile2.html" "newspaper/0.2.8"
et cetera, requesting all images associated with the page, which you'll notice came from a different IP.

All this makes it look as if newspaperblahblah is some kind of robotic adjunct, working in association with a humanoid UA.
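
Added example (not part of any post in this thread): a small Python log check that flags the newspaper user-agent family without pinning one version, and pairs each hit with the page request named in its referer so you can see whether the page was fetched from the same IP or a different one. The first four sample lines are taken from the post above; the last two, the function names and the UA pattern are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Apache/nginx "combined" format: ip ident user [time] "request" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
# Covers newspaper/0.2.8, newspaper/0.3.0 and bare "newspaperjs"; anchored at both
# ends so a longer UA that merely contains the word is not caught.
UA_RE = re.compile(r'^newspaper(js)?(/[\d.]+)?$', re.IGNORECASE)

# Lines 1-4 come from the thread; lines 5-6 are constructed test input.
SAMPLE_LOG = """
100.21.115.abc - - [24/Jun/2024:12:02:51 -0700] "GET /ebooks/rebecca/ HTTP/1.1" 403 6977 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0"
100.21.115.abc - - [24/Jun/2024:12:02:54 -0700] "GET /images/banner-icon.png HTTP/1.1" 200 5233 "https://example.com/ebooks/rebecca/" "newspaper/0.2.8"
154.53.81.abc - - [07/Mar/2024:20:48:42 -0800] "GET /ebooks/chile/chile2.html HTTP/2.0" 200 669647 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0"
52.73.246.abc - - [07/Mar/2024:20:48:47 -0800] "GET /ebooks/chile/images/pic299.gif HTTP/1.1" 403 6977 "https://example.com/ebooks/chile/chile2.html" "newspaper/0.2.8"
192.0.2.10 - - [07/Feb/2025:18:30:00 +0000] "GET /feed/ HTTP/1.1" 200 1200 "-" "newspaperjs"
192.0.2.11 - - [07/Feb/2025:18:30:05 +0000] "GET / HTTP/1.1" 200 900 "-" "Mozilla/5.0 (compatible; NewspaperReader/1.0)"
"""

def parse(log_text):
    """Yield one dict per line that matches the combined log format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def correlate(log_text):
    """Pair each newspaper-UA hit with the earlier request for its referring page."""
    pages = {}      # path -> most recent request made with any other UA
    findings = []
    for rec in parse(log_text):
        if not UA_RE.match(rec["ua"]):
            pages[rec["path"]] = rec
            continue
        ref = rec["referer"]
        parent = pages.get(urlsplit(ref).path) if ref != "-" else None
        findings.append({
            "ip": rec["ip"], "path": rec["path"], "status": rec["status"],
            "parent_ip": parent["ip"] if parent else None,
            "same_ip": bool(parent) and parent["ip"] == rec["ip"],
        })
    return findings

if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f)
```

Hits whose parent_ip differs from ip are the second pattern described above, where an IP-only block on the page fetcher would not stop the image requests.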

SumGuy

3:33 am on Feb 11, 2025 (gmt 0)

5+ Year Member Top Contributors Of The Month



See also:

[webmasterworld.com...]