Coleman Kane wrote:
> Arc Riley wrote:
>
>> Hey guys
>>
>> Do yourselves a favor and search your logs for connections from
>> 131.107.* 65.52.* 65.53.* 65.54.* and 65.55.*
>>
>> I found a good % of traffic we got, not reported to Google Analytics
>> so I didn't see it sooner, was referred from http://search.live.com/
>> for search queries involving pornography, cars, drugs, and random
>> gibberish. The landing pages from these searches were subversion
>> changesets, source code in the Trac browser, and other places those
>> search queries certainly don't exist in.
>>
>> All of it, well 97.2%, from the above two subnets, belonging to
>> Microsoft. It'd be humorous if I didn't just purchase a new colo
>> server to handle the large volume of traffic pysoy.org
>> <http://pysoy.org> gets. I can't tell if MS is trying to skew the
>> statistics in favor of MSIE/Live/etc or if it's conducting a denial of
>> service attack against free software project sites, perhaps both (two
>> birds with one stone?).
>>
>> If you see the similar childish behavior in your logs, please join me
>> in blocking them and being very vocal as to why.
>>
>>
> An interesting find. I just checked my sites and I see the same thing,
> however most of the search queries seem to be pretty pertinent to the
> content of the pages that they reference. It is almost like there's some
> script running on a farm of Windows computers that just performs
> single-word searches on their Windows LiveSearch database, and visits
> the results (posting, of course, the LiveSearch referral in the request).
>
> Here's my distribution:
>
> cat apachelogs/* | grep live.com | cut -d' ' -f1 | cut -d. -f1,2 | sort | uniq -c | sort -rn
>
>     308 65.55
>      10 131.107
>       4 85.159
>       3 142.161
>       2 71.164
>       2 68.95
>       2 4.246
>       2 207.224
>       1 86.144
>       1 84.202
>
> There are many, many more with single visits, but I left them off the
> list because they probably represent normal livesearch users.
>
> --
> Coleman Kane
>

Went a little further and found that all my 65.55 traffic comes from the
65.55.165 class C. I decided to pass all the visitors to the host program
and found that all of the visitors have PTR records like this:
livebot-65-55-165-87.search.live.com. The 131.107 traffic was all from two
machines: tide525.microsoft.com and tide526.microsoft.com

Maybe some others could look at their logs and pull information on the
other subnets?

--
Coleman Kane
_______________________________________________
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
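
Added example, not part of the original thread and not either poster's code: the same log triage done on the Referer field only (rather than a grep over the whole line), grouped by prefix, with the PTR check extended beyond what the thread did by confirming that the PTR name resolves back to the client address. It assumes Apache "combined" log format; the function names, the sample lines and every address except 65.55.165.87 are constructed for illustration.

```python
import re
import socket
from collections import Counter
from urllib.parse import urlparse

# Apache "combined" line: client ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "[^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$')

# Constructed sample lines; only 65.55.165.87 is an address named in the thread.
SAMPLE = [
    '65.55.165.87 - - [01/Jan/2008:10:00:00 -0500] "GET /changeset/12 HTTP/1.1" 200 512 "http://search.live.com/results.aspx?q=cars" "Mozilla/4.0"',
    '65.55.165.90 - - [01/Jan/2008:10:00:02 -0500] "GET /browser/src HTTP/1.1" 200 900 "http://search.live.com/results.aspx?q=xkqz" "Mozilla/4.0"',
    '131.107.0.5 - - [01/Jan/2008:10:00:05 -0500] "GET /wiki HTTP/1.1" 200 300 "http://search.live.com/results.aspx?q=drugs" "Mozilla/4.0"',
    '192.0.2.10 - - [01/Jan/2008:10:01:00 -0500] "GET /?ref=live.com HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2008:10:02:00 -0500] "GET / HTTP/1.1" 200 100 "http://search.live.com/results.aspx?q=pysoy" "Mozilla/5.0"',
]

def live_referred(lines, host="search.live.com"):
    """Yield client IPs of requests whose Referer host equals `host`."""
    for line in lines:
        m = COMBINED.match(line)
        # Compare the parsed Referer host, so "live.com" in a path or agent is ignored.
        if m and urlparse(m.group(2)).hostname == host:
            yield m.group(1)

def by_prefix(ips, octets=2):
    """Count addresses by their first `octets` octets (2 mirrors `cut -d. -f1,2`)."""
    return Counter(".".join(ip.split(".")[:octets]) for ip in ips)

def confirmed_ptr(ip, suffix, reverse=None, forward=None):
    """Return the PTR name if it ends in `suffix` and resolves back to `ip`, else None."""
    # Resolvers are injectable so the check can be exercised without network access.
    reverse = reverse or (lambda addr: socket.gethostbyaddr(addr)[0])
    forward = forward or (lambda name: socket.gethostbyname_ex(name)[2])
    try:
        name = reverse(ip).rstrip(".").lower()
        # Leading dot in `suffix` keeps "evilsearch.live.com" from matching.
        if name.endswith(suffix) and ip in forward(name):
            return name
    except OSError:  # covers socket.herror / socket.gaierror (no PTR, no A record)
        pass
    return None

if __name__ == "__main__":
    for prefix, n in by_prefix(live_referred(SAMPLE)).most_common():
        print(f"{n:7d} {prefix}")
```

Passing 3 as the second argument to by_prefix gives the per-/24 view used in the follow-up message; a PTR name alone is controlled by whoever runs the reverse zone, which is why the forward lookup is included.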