12.163.72.13/Fetch API
Several of us got lines in our logs, with that IP number as the referrer. No website, just that IP number dressed up as a site address.
It’s similar to the Bulgarian spammer machine, and uses proxies.
So I did some googling, and this one has posted comments a few months ago. With that referrer.
I couldn’t understand what the point was, because there was no site to be accessed.
But then I remembered the nonsense trackbacks prior to Alexander’s massive trackback spam run.
What if this is a test to see how many blogs are still blocking 12.163.72.13? And I’m not talking about blocking it from the referrer log, but blocking someone posting with that referrer.
————-
While researching the above issue, I came on Will’s post about 12.163.72.13. He included a section on the theory set forth by Candy that the user agent Fetch API Request was used to harvest comment link URL’s.
So I grepped my files for that, and found that one person has been pulling ONE post over and over, with that string appended to the usual UA. Occasionally he’ll ask for the whole blog. This might well be one to be banned from access altogether.
I looked at the post being pulled, and my guess is that the reason for that one being chosen, is because it’s linked from the Movable Type blog.
So far I haven’t been able to figure out exactly what this thing is. If you know, please comment.
January 28th, 2005 at 3:05 am
I have this blocked for some reason… I often get these types of bots that access one page over and over for a period of time. No referrer at all. My latest one was at address 195.229.185.188. Just keeps hitting the same article.
If your are curious… Here is my block list:
deny from 12.119.251.194
deny from 12.163.72.13
deny from 64.42.84.222
deny from 64.40.102.41
deny from 64.234.220.141
deny from 65.75.134.180
deny from 65.110.62.100
deny from 65.16.29.72
deny from 66.154.52.84
deny from 66.154.7.47
deny from 66.230.165.43
deny from 67.18.52.66
deny from 67.19.111.242
deny from 69.50.163.50
deny from 69.50.160.0/19
deny from 69.50.166.18
deny from 69.50.170.122
deny from 69.50.191.27
deny from 69.93.255.211
deny from 80.58.2.235
deny from 80.202.225.70
deny from 80.202.228.62
deny from 80.203.53.240
deny from 80.202.225.5
deny from 80.202.227.69
deny from 81.31.38.25
deny from 81.38.38.4
deny from 82.194.62.16
deny from 82.194.62.17
deny from 82.201.187.136
deny from 148.223.48.226
deny from 161.58.59.8
deny from 195.229.185.188
deny from 205.209.177.70
deny from 208.53.138.124
deny from 208.63.116.194
deny from 213.172.36.62
deny from 213.10.206.246
deny from 216.185.111.40
deny from 217.57.78.70
deny from 217.160.161.6
deny from 219.150.118.16
January 28th, 2005 at 3:07 am
That one address I spoke of points back to:
inetnum: 195.229.185.160 - 195.229.185.191
netname: DUBAL-EMIRNET
descr: Dubal Aluminium Compnay
descr: P.O. Box 3627, Dubai, UAE
country: AE
January 28th, 2005 at 5:06 am
I’ll email you some more info on the spammer.
January 28th, 2005 at 5:16 am
Ann, although they did start to disappear after awhile, I noticed that immediately after my block, they were still requesting for pages on my blog as though nothing at all was wrong. Though server keeps responding to their request with either a page not found, or a forbidden status code (404 or 403).
After that, I had one more instance of comment spam on my blog and it all came from a user who had a UserAgent which contained the word: PCUser
Also, with regards to the 12.163.72.13 address as a referrer. I’ve started to notice that there are IP addresses who have come sometimes from that address, and sometimes off another URL, which always contains the words “tecrep-inc.net”.
Or rather, they are using subdomains off that tecrep-inc.net domain. (eg: something.tecrep-inc.net)
This proves that they are probably starting to evolve right now.
January 28th, 2005 at 12:23 pm
Will: Until I have seen examples of comments left with that referrer, I’m not willing to concede that this spammer is the same as theone leaving those tecrep spams. That’s the Bulgarian spamming outfit.
What I’ve found, is that normally, those are the most prolific, while the other spammers (on my blog) are less insistent.
February 2nd, 2005 at 11:27 am
Hi Ann,
I have added the following code to my .htaccess file:
RewriteCond %{REMOTE_ADDR} ^12\.163\.72\.13$
RewriteRule .* - [F,L]
and it appears to have killed off accesses from this ip address.
Hope this helps,
Tom
March 11th, 2005 at 10:11 am
I just came across this post while searching for that particular IP address. It’s started appearing a lot on my logs, and it’s bothering me as the address goes nowhere.
Interesting to find someone else who mentions it as until now, I’d been at a loss about it. Spam and referrers are getting totally out of hand on my weblog.
March 15th, 2005 at 12:05 am
Hey thanks for looking this up. I’ve been getting hit from 12.163.72.13 as well. I’d like to think it is because I have such a lot of traffic (12 readers!) but it might just be that my blog was listed on a few other blogs with much higher traffic rates.
I went to ARIN to see if there was any name associated with this number it just said it was an AT&T net account.
AT&T WorldNet Services ATTSVCM-12-163-72-0 (NET-12-163-72-0-1)
12.163.72.0 - 12.163.79.255