216.185.57.* - Good or evil?

uber_boy

6:43 pm on Nov 3, 2003 (gmt 0)

10+ Year Member



I've noticed this IP address in my logs the past couple of days and am getting suspicious. I've tried to identify it, but had no luck. In the past, when an unidentified crawl was underway I'd simply ban the IP address in question. (I should probably point out that I've got millions of dynamically generated pages.) However, this particular crawl seems to involve numerous computers and, for that reason, I thought I'd make further inquiries before putting an end to it. I guess what I'm wondering is whether the use of many computers is the result of someone trying to stay beneath the radar or whether it involves a full-fledged crawl by a fledgling search engine. So with that said, does anyone have any idea to whom this IP address belongs?

pendanticist

8:54 pm on Nov 3, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Musta double posted. Sorry.

[edited by: pendanticist at 8:56 pm (utc) on Nov. 3, 2003]

pendanticist

8:55 pm on Nov 3, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Ban it! Belongs to bad guys. Don't know who, nor do I care. It raped my site some time back and has been banned by IP Number. In fact, trim it back to 57 as I've had to do.

Pendanticist.

uber_boy

9:14 pm on Nov 3, 2003 (gmt 0)

10+ Year Member



Thanks for the quick reply, Pendanticist. But tell me, what do you mean when you say it "raped" your site? Or more to the point, on what basis have you concluded that it's "the bad guys"?

pendanticist

9:21 pm on Nov 3, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Raped, scarfed, scraped, harvested, pilfered, crawled with a vengeance, stole...

:)

Can't find the precise entries made by this IP Number, but it was banned verbatim until just a few weeks ago when another user (just a couple of numbers away in the last block) came along and did the same thing.

It was then that I trimmed back the block to include both numbers.

As I recall both offenders were taking multiple files (ten or more) per second.

Pendanticist.

uber_boy

10:09 pm on Nov 3, 2003 (gmt 0)

10+ Year Member



Thanks for the additional details, P. For what it's worth, here are the IPs I've detected over the past couple of days:

216.185.57.94
216.185.57.98
216.185.57.102
216.185.57.106
216.185.57.110
216.185.57.134
216.185.57.138
216.185.57.142
216.185.57.146
216.185.57.150

So far, each has only visited about 175 pages, but perhaps this is just the warmup for the onslaught you experienced? For now, I'm continuing to allow access, but I'm keeping a close eye on things...

UB

Hagstrom

11:19 pm on Nov 3, 2003 (gmt 0)

10+ Year Member



Definitely bad guys.

But the load on my server is very light: First they take 2 pages - a random page and the index page - and 20 seconds later they come back for my contact page.

drbrain

12:04 am on Nov 4, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The block is owned by an 'AO Technologies', which seems to be some kind of ISP or colo facility. The address in the whois information is listed on Google for one acaza.com, some kind of music site. host -l aotech.net shows a variety of different hosts, including what appear to be several DSL clients, some colo locations, a world gym, a chiropractor, and maybe even a REMAX branch (or something). None of these are in the .57 block though.

A reverse listing of the .57 block (if they've got forward DNS wide open, I bet that rear would be too, and so it was) shows nothing registered above 216.185.57.70, which points to lists.buzzplant.com, a host for a christian music promotion company. A few other hosts that seem to be web/email boxes are also on this chunk of address.

Whoever is hitting you doesn't seem to be running a legitimate operation, since they have no hosts listed.

pendanticist

2:19 am on Nov 4, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Thanks for the background information, drbrain. :)

I suppose there is a slim chance that whatever these folks are working on has been altered (after having sprung a bunch of traps, or met the wrath of one who loves paying bandwidth fees... for people). But, I don't think so.

These folks came back several times after their initial ban was in place. They got the hint eventually.

"An ounce of prevention, is worth a pound of cure."

:)

Pendanticist.

D_Blackwell

4:39 am on Nov 4, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



This is beyond what I do, but I'd like to know more about what it is you're talking about. What are these 'bad guys' after, and what can they do with it? And what is the minimum that I should know?

Hagstrom

9:32 am on Nov 4, 2003 (gmt 0)

10+ Year Member



What are these 'bad guys' after, and what can they do with it?

It seems our experiences are a bit different, but I have had about 10 visits from this range where they:

  1. Ask for a page (www.mysite.com/name.htm)
  2. At the exact same time ask for my index page (www.mysite.com)
  3. 20-30 seconds later ask for my contact page (www.mysite.com/Dcontact.htm)

So in my experience they are email-harvesters.
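As an added example (not from any poster in this thread), the three-step sequence Hagstrom describes, and the spread across several hosts in one /24 that uber_boy reported, can be picked out of an ordinary access log. The log lines are constructed, and the page names and the 15-45 second window are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed common-log-format lines imitating the pattern from the thread: a content
# page and the index at the same second, then the contact page 20-30 seconds later.
LOG_LINES = """\
216.185.57.94 - - [03/Nov/2003:18:40:01 +0000] "GET /name.htm HTTP/1.0" 200 5120
216.185.57.94 - - [03/Nov/2003:18:40:01 +0000] "GET / HTTP/1.0" 200 2048
216.185.57.94 - - [03/Nov/2003:18:40:25 +0000] "GET /Dcontact.htm HTTP/1.0" 200 1024
216.185.57.98 - - [03/Nov/2003:18:41:10 +0000] "GET /other.htm HTTP/1.0" 200 5120
216.185.57.98 - - [03/Nov/2003:18:41:10 +0000] "GET / HTTP/1.0" 200 2048
216.185.57.98 - - [03/Nov/2003:18:41:38 +0000] "GET /Dcontact.htm HTTP/1.0" 200 1024
10.0.0.5 - - [03/Nov/2003:18:42:00 +0000] "GET / HTTP/1.0" 200 2048
10.0.0.5 - - [03/Nov/2003:18:45:00 +0000] "GET /Dcontact.htm HTTP/1.0" 200 1024
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD|POST) (\S+)')

def parse(lines):
    """Return a list of (ip, timestamp, path) for every line matching the log format."""
    events = []
    for line in lines.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, ts, path = m.groups()
            events.append((ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path))
    return events

def harvester_hits(events, contact_page="/Dcontact.htm", min_gap=15, max_gap=45):
    """Count, per IP, contact-page requests that follow an index request by
    min_gap..max_gap seconds (the window is an assumption, not a thread value)."""
    by_ip = defaultdict(list)
    for ip, when, path in events:
        by_ip[ip].append((when, path))
    hits = {}
    for ip, reqs in by_ip.items():
        index_times = [t for t, p in reqs if p == "/"]
        n = sum(1 for t, p in reqs if p == contact_page and
                any(min_gap <= (t - i).total_seconds() <= max_gap for i in index_times))
        if n:
            hits[ip] = n
    return hits

def group_by_slash24(ips):
    """Several flagged hosts in one /24 is the cue for a block-level deny, as in the thread."""
    blocks = defaultdict(list)
    for ip in ips:
        blocks[ip.rsplit(".", 1)[0] + ".0/24"].append(ip)
    return dict(blocks)
```

The 10.0.0.5 visitor hits the contact page three minutes after the index page and is not flagged; the two 216.185.57.* hosts are, and they collapse into a single /24.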

uber_boy

2:33 pm on Nov 4, 2003 (gmt 0)

10+ Year Member



I'll echo Pendanticist here and say thanks a bunch, Dr. Brain, for the information. I'm not sure how you tracked it down -- my searches came up empty handed -- but it's great to know it's the forces of evil I'll be banning from my site.

In response to your question, D_Blackwell, the problem is that there are many bots crawling the web for purposes many of us wouldn't endorse (i.e., gathering email addresses for spamming purposes). Thus, none of us want to facilitate this, let alone pay for the bandwidth it requires, particularly people like myself who have literally millions of pages that could be crawled -- in vain, I might add -- in pursuit of email addresses.

drbrain

5:35 pm on Nov 4, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



uber_boy: I started with a whois on the IP, which gave an "AO Technologies" as the owner of the netblock. I pasted this into Google, but got nowhere.

Then I pasted in the address given in the whois info, and found an acaza.com at the same address. A whois on acaza.com showed four name servers that were on the aotech.net domain.

Still no good info on aotech or aotech.net on Google, so I tried to get a listing of the aotech.net domain (this is usually denied, it is a potential security breach) using host -l aotech.net. This yielded a large list of domains indicating that aotech.net was a hosting company.

Having no forward domains matching, I tried a reverse lookup: host -l 57.185.216.in-addr.arpa, which showed no reverse addresses for the chunk of addresses you want.

Oh, and the same range of addresses is now showing on Google in somebody's open web stats, and they've done 310 hits in just one day's worth of traffic spread across 3 domains.

Sanenet

7:31 pm on Nov 4, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hmm.. had a quick look out of interest and discovered that AO technologies (their website is down BTW) has a certain John as CTO, with their technical contact being SSM data communications INC, in Columbus, OH (their website has vanished altogether). John is also CEO of acaza, and tech contact of SSM data tech.

The ARIN data for SSM DC inc has been reported to be invalid. Both companies are in Ohio.

John also did a number of postings on the COBALT site, where he spoke of some ISP billing software and some technical problems with running the COBALT servers.

So, it looks like they're either running something on the side, or they've been duped.

Ah well.

idov

10:16 am on Nov 26, 2003 (gmt 0)

10+ Year Member



I've been scratching this particular itch for a couple of weeks now.

The 216.18

idov

10:45 am on Nov 26, 2003 (gmt 0)

10+ Year Member




(Try that again.)
I've been scratching this particular itch for a couple of weeks now.
The 216.185.57.* series arrived playing leapfrog with a 38.112.195.* series, the last digits being 5, 9, 28, 45.
Since mine is an Israeli site my suspicions immediately fell in a certain direction.
No smoking gun but the 38.112.195.* series is part of the 38.0.0.0 - 38.255.255.255 block owned by Performance Systems International Inc. IPs 38.114.4.62 and 38.114.4.62 are operated by the Hezbollah terrorist organization.
This proximity proves nothing except paranoia has its uses.
My response up to now has been to notify the various abuse addresses. What has happened is that when one or two violating IPs cease, new ones take their place.
These include 66.36.242.25, 66.232.21.* (last digits 14, 17, 19), 216.119.173.251, 220.188.37.45 and the long-running 24.153.166.189. This lasted some two weeks because the provider Road Runner took their good sweet time to respond. (The list may not be complete.)
IP 24.153.166.189 ceased yesterday and immediately 216.185.57.* and 38.112.195.* returned for an encore. I've asked my provider to ban 216.185.57.* and go on from there.
If anyone has any more information as to what's going on, I'd appreciate it.

nchip

9:57 am on Dec 9, 2003 (gmt 0)



I can confirm that 38.112.195.0/24 and 216.185.32.0/19 belong to the same culprit.

I've just set up a spamtrapping system and crawlers from both IP zones added unique trap addresses for the same (PUMP and DUMP scam) spam mailing list. Of course totally avoiding reading robots.txt at all.

The first is already listed as a spammer:

[spamhaus.org...]

And the second seems a stolen netblock. The sightings of "real" aotech are from 1999, to later become zooga.net. It appears to have been an ISP that provided content filtered dialup access. (I wonder why they went titsup..)

rexoid01

6:32 pm on Dec 9, 2003 (gmt 0)



Change the last number to .255 and you'll ban their entire range. Address belongs to AOTECH of Cleveland. They run from 216.185.32.0-216.185.63.255.

Ducati

4:58 pm on Dec 11, 2003 (gmt 0)

10+ Year Member



How exactly do you ban the IP address?

Thanks.

Valnoren

6:14 pm on Jan 5, 2004 (gmt 0)



AOTECH.net was an ISP called Zooga.net; they sold filtered dialup and DSL services.

They went belly up and now went back to AOtech located in Westerville Ohio.

Not sure what's up with them now but they may have held on to a few clients and are not very well supported. acaza.com is run by the same people.

...have a few customers that got burned by them.

Angonasec

8:56 am on Jan 6, 2004 (gmt 0)



Thanks for the tip, I've added 216.185.57. to my deny from list in my root .htaccess file.

I have a related question though:

I've blocked a particularly bothersome bot using their IP block in this format:

NB. These numbers are examples;

deny from 123.456.

But I've just received an Email via our contact page (proving they accessed our site) from the IP 123.456.78.90.

How come?
I thought 123.456. would block all IPs beneath the 456. bit?
The Apache docs say that the final full stop (period) SHOULD be included.

Any ideas how they got through to our site?
Colin
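An added example (written for this page, not by anyone in the thread and not Apache's own parser) that models how the 'deny from' forms discussed here match: a partial address such as 216.185.57. covers exactly one /24 on octet boundaries, and the 216.185.32.0/19 range quoted by nchip and rexoid01 can be checked end to end. The function names and the check that every octet lies in 0-255 are this example's own assumptions.

```python
import ipaddress

def parse_deny(spec):
    """Turn one 'deny from' argument into an IPv4Network.

    Models the address forms the Apache access-control docs describe: a full
    address, a partial address of 1-3 leading octets (matched on whole-octet
    boundaries; the trailing dot is optional in this model) or CIDR notation.
    Illustrative code, not Apache's parser."""
    spec = spec.strip().rstrip(".")           # 'deny from 216.185.57.' -> '216.185.57'
    if "/" in spec:
        return ipaddress.IPv4Network(spec, strict=False)
    octets = spec.split(".")
    if not 1 <= len(octets) <= 4 or any(not 0 <= int(o) <= 255 for o in octets):
        # No real address has an octet above 255, so such a rule can never match a client.
        raise ValueError(f"{spec!r} is not a valid IPv4 prefix (octets are 0-255)")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.IPv4Network(f"{padded}/{8 * len(octets)}")

def is_denied(client_ip, deny_specs):
    """True if client_ip falls inside any of the deny-from rules."""
    ip = ipaddress.IPv4Address(client_ip)
    return any(ip in parse_deny(spec) for spec in deny_specs)

def covered_range(spec):
    """First and last address a single rule covers, to sanity-check a block ban."""
    net = parse_deny(spec)
    return str(net[0]), str(net[-1])
```

A rule like 216.185.5. does not catch 216.185.57.94 because partial addresses match whole octets, not leading digits; a rule containing an octet above 255 is rejected outright.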

denisdekat

2:27 pm on Jan 6, 2004 (gmt 0)

10+ Year Member



When in doubt about an IP start here -> www.dnsstuff.com I use it all the time...

For example:

[dnsstuff.com...]