Saturday, May 20, 2006

RED ALERT - Distributed IP Scraper Hosted on Vericenter

Here's a real sneaky scraper using distributed IPs that is using a bot that almost appears designed to fly under my bot blocker's radar. No single IP address accessed enough pages or did anything obnoxious enough to set off any triggers, but the collective accesses set off a proximity alarm and they got nailed anyway.

The scraper is pretending to be Firefox for Linux:

Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20060124 Firefox/

The range of IPs noticed in this scrape attack is as follows:

The host information is as follows:
OrgName: VeriCenter, Inc.
Address: 757 N Eldridge Parkway
City: Houston
StateProv: TX
PostalCode: 77079
Country: US
NetRange: -
Although the attack seems to be centered on the block at the Houston datacenter of Vericenter, I think I'm going to completely block Vericenter as it doesn't appear to have any ISP facilities [i.e. NO HUMANS] and see if anything else bounces off the bot blocker from their facilities.
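
The "proximity alarm" described above, sketched as an added example (this is not the bot blocker's own code): requests are counted per network block over a sliding window, so a block can trip the alarm even when every address in it stays under the per-IP trigger. The /24 grouping, the thresholds, the window length and all function names are assumptions, and the sample traffic is constructed from documentation address ranges.

```python
import ipaddress
from collections import Counter, defaultdict, deque

# Assumed values; the post does not state its thresholds or block size.
PER_IP_LIMIT = 20        # hits in the window that flag a single address
PER_BLOCK_LIMIT = 40     # hits in the window that flag a whole block
MIN_DISTINCT_IPS = 5     # block alarm only fires for traffic spread over many IPs
BLOCK_PREFIX = 24        # group IPv4 clients by /24
WINDOW_SECONDS = 600

def block_of(ip):
    """Return the enclosing network block for an IPv4 address."""
    return ipaddress.ip_network(f"{ip}/{BLOCK_PREFIX}", strict=False)

def find_alarms(events):
    """events: iterable of (unix_time, client_ip). Returns (flagged_ips, flagged_blocks)."""
    recent = defaultdict(deque)     # block -> (time, ip) pairs still inside the window
    per_ip = defaultdict(Counter)   # block -> hit count per address inside the window
    flagged_ips, flagged_blocks = set(), set()
    for ts, ip in sorted(events):
        block = block_of(ip)
        window, counts = recent[block], per_ip[block]
        window.append((ts, ip))
        counts[ip] += 1
        # Evict requests that have aged out of the sliding window.
        while window and window[0][0] <= ts - WINDOW_SECONDS:
            _, old_ip = window.popleft()
            counts[old_ip] -= 1
            if counts[old_ip] == 0:
                del counts[old_ip]
        if counts[ip] >= PER_IP_LIMIT:
            flagged_ips.add(ip)
        if len(window) >= PER_BLOCK_LIMIT and len(counts) >= MIN_DISTINCT_IPS:
            flagged_blocks.add(str(block))
    return flagged_ips, flagged_blocks

def constructed_events():
    """Constructed sample traffic, not taken from the post's logs."""
    events = []
    # Ten addresses in one /24, six requests each, all within about five minutes.
    for host in range(10, 20):
        for n in range(6):
            events.append((1000 + n * 50 + host, f"192.0.2.{host}"))
    # One ordinary visitor elsewhere making eight requests.
    for n in range(8):
        events.append((1000 + n * 30, "198.51.100.7"))
    return events

if __name__ == "__main__":
    ips, blocks = find_alarms(constructed_events())
    print("per-IP alarms:", sorted(ips))
    print("block alarms:", sorted(blocks))
```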


Anonymous said...

That raises an interesting point, Bill. If you blocked all the data centers, like Rackspace, and so on, you might clean up a lot of stuff right there.

IncrediBILL said...

That's what I'm thinking too as I weed out dial-up, DSL and cable networks from my proximity alarms. There will obviously be one-off dial-ups in the backwoods here and there but the hosting farms are starting to be much easier to spot as I work through this.

Anonymous said...

Hi Bill,

I was reading your post about Vericenter. For several months I have been seeing Vericenter IPs every day, several times a day. What I was worried about was someone stealing my designs; whoever this is at times stays for over 2 hours at a time. So I wrote to Vericenter and no reply. I had traced the IP to SpamCop, which gave me a company, and they told me the IPs belonged to Vericenter. I tried various scripts to stop these IPs coming to my site but nothing's working. My store is at Cafepress.
Can you tell me of a way to block them please?

Sangrita said...

Sangrita's Designs

Anonymous said...

Wished I had read your article earlier. This scraper bot just popped up a few minutes ago grabbing my feed for the first time. It looked suspicious to me because of both its hostname and its outdated Firefox user agent spoof. But now the entire CIDR has landed an eternal honour rank on my shitlist ;-)