Puzzled, I am, when Microsoft spams me, and they are pretty regular visitors. After all, Microsoft owns the Bing search engine, and I let Bing freely crawl my site. So why would they want to spam me, and do it so often, using multiple ways? Inquiring minds want to know.
Usually I see Microsoft come in using a missing user agent, pretty stealthily, and as I want all visitors to be identifiable, I ban them. They change IPs and do this regularly. Then there are the Tor exit servers owned by Microsoft. I suppose that having Tor exit servers is OK, as they are used by everyone.
Today I was surprised to see that Microsoft used a sophisticated dual IP spammer technique to post spam to me. This was the first time, so I thought I would publish the evidence and see if anyone out there can refute the fact that Microsoft is spamming me.
Here is the spam message in my WordPress comments area:

[Image: Microsoft dual IP spam, the spam message in WordPress.]
Note that the IP address is 183.245.147.37, owned by China Mobile in Beijing.
Here is the raw access log entry:

[Image: Microsoft dual IP spam, raw access log entry for the spam comment.]
Note that the IP just before the actual POST, 157.56.177.178, reads the same POSTed document, “user-agents-i-could-not-ban-with-htaccess/”. This IP is different from the POSTing IP, and is the clear indicator of the dual IP spammer method in use. As the second IP shows up in WordPress’ Akismet, it gets banned, but the real spammer, the originator, is the first IP, who, unbanned and undetected, can live on to spam yet another day. The second IP, China Unicom in this case, is not to blame.
I did a HOST 157.56.177.178 command and here are the results: host name is not found.
$ host 157.56.177.178
Host 178.177.56.157.in-addr.arpa. not found: 3(NXDOMAIN)
This is not surprising, as 30% of my host name lookups are not found. Many ISPs don’t bother with their host name. The China Unicom HOST 183.245.147.37 did fail, as it often does with Chinese IP addresses.
$ host 183.245.147.37
Host 37.147.245.183.in-addr.arpa not found: 2(SERVFAIL)
So I did a whois query:
157.54.0.0 – 157.60.255.255
CIDR: 157.54.0.0/15, 157.56.0.0/14, 157.60.0.0/16
NetName: MSFT-GFS
NetHandle: NET-157-54-0-0-1
Parent: NET157 (NET-157-0-0-0-0)
NetType: Direct Assignment
OriginAS: AS8075
Organization: Microsoft Corporation (MSFT)
Lo and behold, Microsoft owns that IP range. Microsoft is usually pretty good at maintaining their host names, so I was surprised that they would be so stealthy.
For completeness, the China Unicom IP 183.245.147.37 only visited me three times today, all documented in my log, one to do the POST and two queries immediately after the POST. The Microsoft IP 157.56.177.178 only visited me that single time today, just prior to the China Unicom IP. I do get a huge number of visits from Microsoft’s Bing and others where the UA is “Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; Trident/5.0)”, but when I do a whois they resolve to Microsoft.
I do not know why a reputable company like Microsoft would do this. Maybe they are doing research into the effectiveness of certain spamming techniques, I don’t know, but this is how they show up in my spam folder and logs.
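The log pattern described above (one IP reads a document, a different IP POSTs to the same document moments later) can be searched for mechanically. The following is an added example, not code from the original post: the log lines are constructed in Apache combined format, the timestamps, sizes, user agents and the 30-second window are assumptions, and only the two IPs, the document path and the whois CIDR blocks come from the post.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# CIDR blocks copied from the whois output quoted in the post (NetName MSFT-GFS).
MSFT_GFS = [ipaddress.ip_network(c) for c in
            ("157.54.0.0/15", "157.56.0.0/14", "157.60.0.0/16")]

# Combined log format; only the fields used below are captured.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" ')

# Constructed sample (not the author's real log). 198.51.100.7 is a
# documentation address used as a same-IP control case.
SAMPLE_LOG = """\
157.56.177.178 - - [01/Jan/2024:10:15:01 -0500] "GET /user-agents-i-could-not-ban-with-htaccess/ HTTP/1.1" 200 18342 "-" "-"
183.245.147.37 - - [01/Jan/2024:10:15:04 -0500] "POST /user-agents-i-could-not-ban-with-htaccess/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
183.245.147.37 - - [01/Jan/2024:10:15:05 -0500] "GET /user-agents-i-could-not-ban-with-htaccess/ HTTP/1.1" 200 18342 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:40:00 -0500] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:40:09 -0500] "POST /about/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

def parse(log_text):
    # Yield (time, ip, method, path) for each line that matches the format.
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield ts, m["ip"], m["method"], m["path"]

def in_msft_gfs(ip):
    # True if the address falls inside the whois range quoted in the post.
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MSFT_GFS)

def find_ip_pairs(log_text, window=timedelta(seconds=30)):
    # Return (reader_ip, poster_ip, path) for every POST whose document was
    # fetched by a different IP at most `window` before the POST.
    gets, pairs = {}, []
    for ts, ip, method, path in parse(log_text):
        if method == "GET":
            gets.setdefault(path, []).append((ts, ip))
        elif method == "POST":
            for get_ts, get_ip in gets.get(path, []):
                if get_ip != ip and timedelta(0) <= ts - get_ts <= window:
                    pairs.append((get_ip, ip, path))
    return pairs

if __name__ == "__main__":
    for reader, poster, path in find_ip_pairs(SAMPLE_LOG):
        print(f"{path}: read by {reader} (MSFT-GFS={in_msft_gfs(reader)}), POST from {poster}")
```

A match is a temporal correlation between two addresses in the log; it does not by itself establish that the two are operated together, so the window and any follow-up lookups decide how much weight it carries.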