Tag: bot

Being Human in an Internet Bot World

Humans are slow and somewhat unpredictable, at least compared to a bot scraping this web site. I actually like that. After all, my posts are meant to be read by humans and not bots. I welcome bots only if they provide a route for humans to my site, such as search engines. For all other bots, known and unknown intent, you will receive a 403 if I can help it.

This is a preview of Being Human in an Internet Bot World. Read the full post (411 words, 0 images, estimated 1:39 mins reading time)

Attempted Login Attack from Webmaster Agency Ltd REALTY.RU RU 434 times

194.190.169.83 24/Aug/2018:21:04:47 to 24/Aug/2018:21:21:05 You attempted 434 login attempts. I see you. I know when you visited and that you are trying to break into my site. You have been logged and sent packing with 403s. I have 2,425 of your header logs. Do not do this again.

194.190.169.0 – 194.190.169.255
org-name: Webmaster Agency Ltd
person: Dmitry V. Volkov
address: REALTY.RU LTD
address: 1, Kurchatov Sq.
address: 107005, Moscow
address: Russia
org-type: OTHER
phone: +74957724216

Request Header:

2018-08-24:21:04:47
URL: /wp-login.php
IP: 194.190.169.83
Content-Length: 22
Content-Type: application/x-www-form-urlencoded
Host: dontai.com

Permanent link to this post (89 words, 0 images, estimated 21 secs reading time)

Request Header-Based Logging for Apache

When someone, such as a person or a bot, the requester, requests a resource from your server, this request, for Apache, is logged in the raw access log. The requester also leaves some information about itself called http request headers. While not standard to log on Apache, with a little bit of php added to the html, this extra information can be logged and examined to help determine if the requester is a bot or human.

As an additional file will be created daily, I opted to put these files into a subdirectory. The headers, one per line, are being logged into a headers-yyyymmdd.log file, which seems free form. Different requesters leave different sets of headers.

This is a preview of Request Header-Based Logging for Apache. Read the full post (404 words, 0 images, estimated 1:37 mins reading time)

Content Spam: Human or Not? jijikserver Pinsupport

I received this message on my site which on the surface looked like a human. Though they had grammar errors there was enough there to pass. With further analysis I believe this to be a bot.

hey hai this is ashok , i have lg optimusp768 with rooted, unlocked bootloader and also cwm , but i cant find custom roms any wheere please prepare one custom rom , or atleast one stock rom with more features

Human Characteristics:
The comment was on topic. The English, which had grammar and spelling mistakes, was passable.

Bot Characteristics:

This is a preview of Content Spam: Human or Not? jijikserver Pinsupport. Read the full post (428 words, 0 images, estimated 1:43 mins reading time)

Feedly: Somewhat Schizophrenic so Please Settle Down

A dear friend uses Feedly to monitor my site. He complained that he was getting 403s Banned, and asked why. Well, I have found that Feedly usually only takes my RSS feed, but sometimes, not often, it scrapes me mercilessly. Once I see a bot start scraping, I ban it. I moved him over to the more well behaved Feedburner by Google.

Here are the Feedly user agents:

Feedly/1.0 (+http://www.feedly.com/fetcher.html; like FeedFetcher-Google)
FeedlyBot/1.0 (http://feedly.com)

The latter, FeedlyBot, runs off WZComm, and had previously scraped me, so I banned it. WZComm also runs the surdotly bot, which is also banned. The former, Feedly/1.0, runs off Level 3, and seems well behaved.

This is a preview of Feedly: Somewhat Schizophrenic so Please Settle Down. Read the full post (136 words, 0 images, estimated 33 secs reading time)

Nikto Web Server Scan: View from the Access Log

Playing, I am, with the Nikto web server scanning package. I scanned my own site, just for fun. While it does take some time, it did finish. I wondered how it would look from my site’s raw access log viewpoint. In summary, Nikto is not stealthy at all. It is also easily detected and banned mid-scan, as it takes a long time to complete.

Essentially you start a Terminal, and type “nikto -h “. There are lots of options, such as output to a log. The Nikto output highlights web site vulnerabilities and cross references these with a database of known hacks. Using this tool you can highlight the site’s weaknesses and then strengthen your site from hackers.

This is a preview of Nikto Web Server Scan: View from the Access Log. Read the full post (532 words, 0 images, estimated 2:08 mins reading time)

strider.delmarvagroup.com 173.49.213.106 really wants to contact me

173.49.213.106 strider.delmarvagroup.com, from the MCI Communications block, you really need to put some smarts into your bot. What are you thinking?

173.48.0.0 – 173.63.255.255 MCI Communications

I’m not sure why you are doing this, but please stop. I don’t have a contact form at that location.

This is a preview of strider.delmarvagroup.com 173.49.213.106 really wants to contact me. Read the full post (371 words, 0 images, estimated 1:29 mins reading time)

City of Toronto Internet Scraper Bot

City of Toronto internet scraper bot scrapes my site a couple of times per month. Why? Toronto, Canada

I live in the City of Toronto, and write about Toronto-related subjects. What is surprising is that the City of Toronto has an internet bot that randomly scrapes content from my site a couple of times each month. The bot started scraping me near the end of January 2017.

What is interesting was that I, concerned citizen, actually emailed them because I thought they had a Zombie PC taken over by a bot, or some other security issue. I sent the City a log of the relevant entries related to their IP address. Was I naive. Here is their reply (isg@toronto.ca):

This is a preview of City of Toronto Internet Scraper Bot. Read the full post (409 words, 1 image, estimated 1:38 mins reading time)

Bot Strategy: Fetch, Scrape, Change IP, repeat

Four IPs scraped my site in identical ways: Fetch the most recent document, then scrape parts of the rest of the site. The IP changes, and they repeat. They fetch the same identical document, but then scrape different parts of my site but only for images.

I’ll keep my eye on such activity and see if I further pin down something more definite.

UA: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727), which seems to be not unique

This is a preview of Bot Strategy: Fetch, Scrape, Change IP, repeat. Read the full post (178 words, 0 images, estimated 43 secs reading time)

Dual IP Comment Spammers with Canadian Content

We Canadians are always overshadowed by the 10 larger in population US. If at all possible I like to highlight our accomplishments, or in this case, sophisticated comment spamming from Canada. Bad, Canada.

Comment spammers on my site usually use a single IP to first read the post, determine if they can submit spam, then submit the spam comment. This shows up in my Akismet spam comments. They are simple to identify and ban.

This is a preview of Dual IP Comment Spammers with Canadian Content. Read the full post (244 words, 0 images, estimated 59 secs reading time)