
Is anyone getting hits from 121.99.4.0/24 ?

         

SumGuy

2:12 pm on Nov 23, 2025 (gmt 0)

5+ Year Member Top Contributors Of The Month



About a week ago I got some hits from a couple different IPs inside 121.99.4.0/24 that didn't seem right. I IP-blocked the /24 (in the router) so they get radio silence now, and router logs show a daily attempt anyways, usually from a different IP. UA was legit - current browser.

I think I traced this to a China cloud service of some sort, even though it's New Zealand retail (?) ISP Vocus. Abused IP DB is flagging these IPs, Spur is not.

not2easy

2:47 pm on Nov 23, 2025 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



The full range of the Two Degrees Mobile Limited (NZ) IPs is:
121.98.0.0 - 121.99.255.255 
121.98.0.0/15

But there is a separate range within that for "CallPlus Services Limited" with the IP range of:
121.99.0.0 - 121.99.15.255
121.99.0.0/20

Your
121.99.4.0 - 121.99.4.255
121.99.4.0/24
range is in that CallPlus CIDR but isn't listed separately so you might want to use the /20 rather than the /24 for blocking.

I haven't seen anything from either range.

SumGuy

3:18 pm on Dec 10, 2025 (gmt 0)

5+ Year Member Top Contributors Of The Month



I continue to see attempts from 121.99.4.0/24 but they're blocked in my router so they get dead air.

There is something operating from that /24, some sort of bot. If these were human-based VPN then they'd try a different exit IP if they are this persistent.

Is nobody else getting hits from that /24 ?

lucy24

5:01 pm on Dec 10, 2025 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



:: quick run to raw logs ::

In early November I see a to-all-appearances-human visit to the front page, where “to all appearances human” means page, stylesheet, all images, analytics--which lives on a sister site--and favicon, in that order. No obvious header deficits, or they would have been blocked.

The site that hosts analytics has an IPv6 address, so the request came through from
2404:4404:2:1::22
aka Two Degrees Mobile Limited, still in NZ.

:: further run to headers ::

Oh, now this is interesting.
Sec-Ch-Ua-Platform: "Linux"
...
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Wasn't there a discussion of this detail quite recently?

Edit: Searching headers for
Sec-Ch-Ua-Platform: "Linux"\n(.+\n)*User-Agent: .+?(Windows|Mac)
I do find a fair number of them--maybe about 5% of all "Linux" platform headers--but the overwhelming majority were blocked on various grounds so it wouldn't have caught my attention.

blend27

5:01 pm on Dec 14, 2025 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Single hit on 11/27

IP: 121.99.4.20 (logged as New Zealand - 121.99.0.0 ~ 121.99.255.255)
Browser resolution: 1905x2019 <<Interesting is that X is less than Y

From headers:
    
"sec-ch-ua-mobile": "?0",
"Accept-Language": "en-US,en;q=0.9",
"user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36",
"sec-ch-ua": "\"Not;A=Brand\";v=\"99\", \"Chromium\", \"Google Chrome\"",
"upgrade-insecure-requests": "1",
"sec-ch-ua-platform": "\"Linux\""


Requested all supported files and executed a JavaScript function from an external JS file that draws an image at the page's bottom (last pixel element on the page).

Conclusion: FAKE
Reason: Chrome on Windows 10 OS with Linux (sec-ch-ua-platform) as platform; UA's Chrome version does not match Chromium version in sec-ch-ua.

Subsequent request blocked.
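The two checks named in the post above (platform hint versus User-Agent, and Chrome version versus the Chromium brand in sec-ch-ua), written out as an added example that is not part of any poster's code. The `UA_TOKENS` table and function names are assumptions of this sketch; the sample header values are the ones logged in this thread, with LEGIT taken from the Linux Mint Chrome headers posted further down.

```python
import re

# Substrings a genuine User-Agent carries for each Sec-CH-UA-Platform value.
UA_TOKENS = {
    "Linux": ("X11", "Linux"),
    "Windows": ("Windows NT",),
    "macOS": ("Macintosh",),
    "Android": ("Android",),
}

def normalize(headers):
    """Lower-case header names and undo backslash-escaped quotes added by the logger."""
    return {k.lower(): v.replace('\\"', '"') for k, v in headers.items()}

def check_headers(headers):
    """Return the inconsistencies between User-Agent and the client hints."""
    h = normalize(headers)
    ua = h.get("user-agent", "")
    findings = []
    platform = h.get("sec-ch-ua-platform", "").strip('"')
    tokens = UA_TOKENS.get(platform)  # unknown or absent platform: no verdict
    if tokens and not any(t in ua for t in tokens):
        findings.append("platform hint %s not reflected in User-Agent" % platform)
    ua_major = re.search(r"Chrome/(\d+)\.", ua)
    brands = h.get("sec-ch-ua")
    if ua_major and brands is not None:
        hint = re.search(r'"Chromium";v="(\d+)"', brands)
        if hint is None or hint.group(1) != ua_major.group(1):
            findings.append("Chromium version in sec-ch-ua does not match "
                            "Chrome/%s in User-Agent" % ua_major.group(1))
    return findings

# Header values as logged in this thread (escaped quotes kept as logged).
FAKE = {
    "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36",
    "sec-ch-ua": r'\"Not;A=Brand\";v=\"99\", \"Chromium\", \"Google Chrome\"',
    "sec-ch-ua-platform": r'\"Linux\"',
}
LEGIT = {
    "user-agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36",
    "sec-ch-ua": r'\"Google Chrome\";v=\"143\", \"Chromium\";v=\"143\", \"Not A(Brand\";v=\"24\"',
    "sec-ch-ua-platform": r'\"Linux\"',
}

if __name__ == "__main__":
    for name, hdrs in (("FAKE", FAKE), ("LEGIT", LEGIT)):
        print(name, check_headers(hdrs))
```

Requests that send no client hints at all (Firefox, for instance) produce no findings here, so this is a cross-check for Chromium-style header sets only.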

blend27

6:00 pm on Dec 14, 2025 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I might be totally off here but hear me out....

from my post above: Browser resolution: 1905x2019 <<< Interesting is that X is less than Y

I just looked that up, and for 1905x2019 there are tons of blocked requests with that same UA and Browser Resolution incoming from:

8.160.0.0/16 CN
AS45102 (Alicloud)

43.174.7.0/24 JP
43.175.77.0/24 BD
43.132.65.0/24 GB
AS139341(Acevile)

86.51.0.0/16 SA
AS35819(MOBILY-BROADBAND-SA)


etc..

So I did a search on Google: [google.com...] and have an Idea now, but don't shoot the messenger, ;), it is just a theory...

Bonus: [ipinfo.io...]

All of the Fake Headers that were blocked so far (3209) belong to IP ranges in that last link.

not2easy

6:24 pm on Dec 14, 2025 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Holy cow, blend27 - that's a lot of IPs - but useful in its content. :O

lucy24

6:41 pm on Dec 14, 2025 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Well, time to think about:
SetEnvIf Sec-Ch-Ua-Platform "Linux" lying_linux
BrowserMatch Linux !lying_linux
...
Require not env lying_linux
(And now I see that the escaped \" is an artifact of your header logging, as is presumably the case flattening. That led me astray earlier.)

But alas, by the time we get to analytics--which is where things like browser resolution would be detected--the entire request has already been made, so no use blocking on those grounds. But it could be a useful cross-check after the fact.

Besides, does any legit human device have odd-number values for resolution? Looking it up, I find a handful of entrancing requests along the lines of
res=2687.999954223633x1511.9999742507935
File under: wtf? (Answer to my original question, after remembering that "x" is in fact a word character and therefore I need to say \D rather than \b: Yes, plenty of them. But that seems an awful lot of decimal places; who measures their screen in femtometers?)

SumGuy

3:57 pm on Dec 15, 2025 (gmt 0)

5+ Year Member Top Contributors Of The Month



What is the request-header field-name for the screen resolution? I don't think I see the screen resolution in any of my logged fields...

lucy24

4:24 pm on Dec 15, 2025 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



What is the request-header field-name for the screen resolution?

There isn’t one. Screen resolution can be detected with javascript--and hence analytics, where it tends to be one of the standard bits of information. Mine comes from piwik/matomo; I assume it's also part of the GA package.

blend27

4:28 pm on Dec 15, 2025 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



-- What is the request-header field-name for the screen resolution? I don't think I see the screen resolution in any of my logged fields... --

There is none of that in headers but here is an old one that will write an image for yo'all:

<script>
// Reports the browser viewport size by requesting a tracking image with the size in its query string.
// q and p are whatever values the page supplies; they must be defined before utilSize(q, p) runs.
function utilSize(q, p) {
  var mW = 0, mH = 0;
  var r = Math.floor(Math.random() * p); // random value below p; not used in the URL below
  var d = document.documentElement;
  var b = document.body;
  if (typeof window.innerWidth == 'number') { // Non-IE
    mW = window.innerWidth;
    mH = window.innerHeight;
  } else if (d && (d.clientWidth || d.clientHeight)) { // IE 6+ in 'standards compliant mode'
    mW = d.clientWidth;
    mH = d.clientHeight;
  } else if (b && (b.clientWidth || b.clientHeight)) { // IE 4 compatible
    mW = b.clientWidth;
    mH = b.clientHeight;
  }
  document.write('<img border="0" height="2" alt="" src="/assets/image.gif?u=' + mW + '.' + mH + '.' + q + '.' + p + '">');
}
utilSize(q, p);
</script>

q = whatever you want
p = whatever you want

I use them for session tracking, first hit and subsequent requests incremental counter


If you split that JS function into a separate JS file and you get requests for /assets/image.gif?u=1920.769.n.n in your log file, it will mean that your user's browser loaded and parsed the HTML, requested the JavaScript file, executed the script and requested the .GIF image.

Now request to /assets/image.gif?u=1920.769.n.n could be rewritten to a dynamic script of your choosing...

RewriteRule /assets/image.gif /tracker_script.php [NC,QSA]

see what i mean?
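An added example (not blend27's code) of reading the beacon described above back out of an access log: it parses the `u=W.H.q.p` query string and lists clients that fetched pages but never requested the image, meaning they did not run the script. The log lines are constructed, use documentation IP ranges, and assume common log format; `/assets/util.js` and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (common log format, documentation IP ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [15/Dec/2025:16:30:01 +0000] "GET /index.html HTTP/1.1" 200 5120
192.0.2.10 - - [15/Dec/2025:16:30:02 +0000] "GET /assets/util.js HTTP/1.1" 200 412
192.0.2.10 - - [15/Dec/2025:16:30:02 +0000] "GET /assets/image.gif?u=1920.919.a1.1 HTTP/1.1" 200 43
198.51.100.7 - - [15/Dec/2025:16:31:10 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.5 - - [15/Dec/2025:16:32:40 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.5 - - [15/Dec/2025:16:32:41 +0000] "GET /assets/image.gif?u=1905.2019.b7.1 HTTP/1.1" 200 43
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) ')
BEACON_PATH = "/assets/image.gif"
BEACON_VALUE = re.compile(r"([0-9]+)\.([0-9]+)\.([^.]*)\.([^.]*)")

def parse_beacon(url):
    """Return (width, height, q, p) from ?u=W.H.q.p, or None if not a valid beacon."""
    parts = urlsplit(url)
    if parts.path != BEACON_PATH:
        return None
    value = parse_qs(parts.query).get("u", [""])[0]
    m = BEACON_VALUE.fullmatch(value)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)

def summarize(log_text):
    """Map each client IP to its reported (width, height), or None if no beacon seen."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, url = m.group(1), m.group(2)
        seen.setdefault(ip, None)
        beacon = parse_beacon(url)
        if beacon:
            seen[ip] = beacon[:2]
    return seen

def no_script_clients(log_text):
    """Clients that requested something but never fired the beacon."""
    return sorted(ip for ip, size in summarize(log_text).items() if size is None)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(no_script_clients(SAMPLE_LOG))
```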

blend27

4:45 pm on Dec 15, 2025 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



@Lucy24
-- does any legit human device have odd-number values for resolution--

Mine do on Dual Monitor setup..

Full Screen(Landscape):
Main screen Chrome: 1920x919
Move to Secondary Screen Chrome: 1680x889
Via Windows RDC On Main Screen Chrome to diff Server : 1920x885
Via Virtual Box Linux Mint Cinnamon FireFox Main Screen: 1920x767 (no Sec-Ch-Ua-Platform header BTW)
Via Virtual Box Linux Mint Cinnamon Chrome Main Screen: 1920x798
.... and here are vanilla headers it sends:
"headers": {
"sec-ch-ua-mobile": "?0",
"Accept-Language": "en-US,en;q=0.9",
"sec-fetch-mode": "navigate",
"host": "www.example.com",
"priority": "u=0, i",
"Accept-Encoding": "gzip, deflate, br, zstd",
"upgrade-insecure-requests": "1",
"content-length": "0",
"sec-fetch-dest": "document",
"Cache-Control": "max-age=0",
"user-agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36",
"sec-fetch-site": "cross-site",
"sec-ch-ua": "\"Google Chrome\";v=\"143\", \"Chromium\";v=\"143\", \"Not A(Brand\";v=\"24\"",
"sec-fetch-user": "?1",
"connection": "close",
"accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
"sec-ch-ua-platform": "\"Linux\""
}
^^^ "sec-ch-ua-platform": "\"Linux\"" <<< legit

Now resize the browser to mimic portrait mode, or put 2 windows next 2 each other, or split the screen(cool feature btw) like in Brave Browser.

lucy24

8:25 pm on Dec 15, 2025 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Mine do on Dual Monitor setup
Yes, so I discovered after whapping myself upside the head and realizing I need \D (non-number) rather than \b (word boundary). But I remain inclined to doubt any monitor's resolution is measured in femtometers (twelve decimal places) ;)

:: irritably wondering why host thinks my test site can't handle php 8.5 even though there is nothing even deprecated, let alone discontinued, in the three lines of php it uses ::

SumGuy

1:04 am on Dec 16, 2025 (gmt 0)

5+ Year Member Top Contributors Of The Month



Is it a given that any given browser will execute these screen-size scripts?

I get a lot of hits (requests) directly for PDF files on my server. I take it that there's really no way to incorporate a screen-size script as part of the response?

Beyond having the remote browser execute a script that tells you the remote user's screen resolution, can you do anything else, like get the client's current-time or time-zone?

lucy24

3:28 am on Dec 16, 2025 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Is it a given that any given browser will execute these screen-size scripts?
Short of requiring javascript for access to your site--which would enrage certain WebmasterWorld regulars one could name--there's no way to force execution of a script. That's why analytics comes with a noscript option (“Suchandsuch IP requested suchandsuch page at suchandsuch time, and that’s all the information we are prepared to divulge”).

In the case of requests for pdf files, another option--no scripting involved--is to require a referer, preferably the page that links to the pdfs. Just remember to poke holes for any authorized search engines, if appropriate.