Referrer Botnet | 2017 Feb 25

This botnet’s purpose is to add referrer links to your Google Analytics, in the hopes that the webmaster or site owner will click on the link. They will then be exposed to an internet virus. Please do not click on any referrer spam link, as it is dangerous. I always copy the link and paste it into Google search first, to see if the site is dangerous.

Important is the fact that all these requests do not care about what information is returned from your site. All they care about is logging the referrer info, which has nothing to do with the originating IP. Therefore the originating IP can be spoofed. Note that Microsoft’s IP is included in this list. These botnets can really burn up your server bandwidth, as they do return, so banning them is crucial.

That being said, more than half of this list I had already banned. Overall they represent a bad group of host providers, harbouring scraper bots and worse, so there’s no harm in banning the whole shebang.

They all have a common user agent:
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36

104.160.11.205 CachedNet
104.160.11.209
104.160.11.213
104.160.9.155 CachedNet
107.150.64.211 CachedNet
107.150.64.245
138.128.109.174 CachedNet
138.128.109.176
162.212.168.14 CachedNet
162.212.168.18
162.212.168.226
162.212.168.245
162.212.168.64

154.16.27.201 Digital Energy Za
154.16.27.233
154.16.27.250
181.215.143.108 Digital Energy Za
181.215.143.67
181.215.151.99
191.96.24.94 Digital Energy Za
191.96.24.98

155.94.217.137 QUADRANET
155.94.217.162
155.94.217.239
155.94.218.133
155.94.218.139
155.94.218.188
173.254.226.166 QUADRANET

158.222.6.65 NETIRONS
158.222.6.72

170.130.162.104 EONIX
170.130.162.21
170.130.162.68
170.130.179.58

172.245.33.96 Colocrossing

184.175.215.223 Nodes Direct
184.175.215.56
184.175.215.57
184.175.215.62
184.175.215.74

198.52.180.152 Microsoft