robopsychology
Do these hits have any referers? What about the accept-language string - anything common about that? For the UAs that are Chrome, are you seeing Chrome version numbers that are not current? Current right now is 144. I treat anything under 142 as a bot. I see a lot of really old Chrome versions, but the really hard ones to deal with right now are 143 and 144.
Generally no referer, but sometimes Google (I assume for verisimilitude, as I've always seen this in some robots).
Accept-Language: en-US,en;q=0.9
which unfortunately isn't robot-diagnostic. Same goes for things like headers in the Sec-Ch group: they all tend to be the same ... but so are plenty of legitimate humans. They're not infected machines. Lots of proxies offer credits or even cash for using your residential IP.
File under: Today I Learned ... and very much wish I hadn't. There are hundreds of them, probably thousands by now. f'rinstance, in the last few days of January I had from 73 alone (officially the whole /8 is Comcast):
changed one of the octets (usually the last) by a single number and queried it, they all came back as negative.
Meaning that in each case it's a specific /32 that's misbehaving, while the other 255 tenants of the /24 will be perfectly legitimate and law-abiding?
you'll never get a second hit from any of these IPs
You would think so, but when I re-check after three months, up to half of the offenders have visited again, sometimes repeatedly. I mean, of course, the ones from human broadband ranges; the colos/server farms are permanently blocked and I never think of them again.
do they have the same UA? Or maybe the same except for a Chrome version that has inched up over that time?
Meh. Never bothered to check. But Chrome does seem to be the current favorite.
where there is no referer AND the UA includes Chrome/144
Yup. I've blocked some exceedingly recent Chrome versions if they have neither a referer nor a piwik cookie. And I must say, Chrome isn't helping with their current gimmick of only giving version numbers in the form 144.0.0.0, which just screams out fake. (Firefox seems to have picked up the habit too, at least starting from “141.0” which might be 141.anything.)
iPhone OS 13_2_3
Thirteen?! Aren't they somewhere in the twenties by now?
For the UAs that are Chrome, are you seeing Chrome version numbers that are not current? Current right now is 144. I treat anything under 142 as a bot. I see a lot of really old Chrome versions, but the really hard ones to deal with right now are 143 and 144.
Normal Chrome sends "priority" header
Priority: (u=[0-7], )?i
“u=\d” by itself (without i) exists, but is exceedingly rare; I see it only in requests from, trala, bad_range (i.e. blocked anyway). u=3 is supposed to be the default, but is very rare, as are the other odd numbers.
Note: Servers are expected to ignore directives on this header that they do not understand.
Seems eminently reasonable--not just here but for all headers--though I reserve the right to simply block nonsense headers. In fact I have a bot_header environmental variable for this very reason.
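Added example, not code from any poster in this thread: the header heuristics discussed above (stale Chrome major version, the Priority pattern, and no referer with no Piwik cookie) combined into one check that reports which signals a request trips. The function name, signal labels, sample requests and the `_pk_` cookie prefix test are assumptions; the version thresholds are the ones quoted in the thread and go stale as Chrome updates.

```python
import re

MIN_HUMAN_CHROME = 142   # thread: "I treat anything under 142 as a bot" (current was 144)
CHROME_RE = re.compile(r"Chrome/(\d+)\.")
# Priority shape the thread reports from normal Chrome: optional urgency, then "i"
PRIORITY_RE = re.compile(r"(u=[0-7], )?i")

def bot_signals(headers):
    """Return the thread's heuristics that this request trips (Chrome UAs only)."""
    h = {k.lower(): v for k, v in headers.items()}
    m = CHROME_RE.search(h.get("user-agent", ""))
    if not m:
        return []  # these rules say nothing about non-Chrome user agents
    signals = []
    if int(m.group(1)) < MIN_HUMAN_CHROME:
        signals.append("stale-chrome")
    prio = h.get("priority")
    if prio is None:
        signals.append("no-priority")        # thread: normal Chrome sends this header
    elif not PRIORITY_RE.fullmatch(prio):
        signals.append("odd-priority")       # e.g. "u=3" with no "i"
    # Assumption: Piwik/Matomo first-party cookie names start with "_pk_"
    if "referer" not in h and "_pk_" not in h.get("cookie", ""):
        signals.append("no-referer-no-cookie")
    return signals

UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/{}.0.0.0 Safari/537.36")

# Constructed sample requests, not taken from real logs
SAMPLES = {
    "plausible": {"User-Agent": UA.format(144), "Priority": "u=0, i",
                  "Referer": "https://example.com/"},
    "old": {"User-Agent": UA.format(120)},
    "returning": {"User-Agent": UA.format(144), "Priority": "u=3",
                  "Cookie": "_pk_id.1.abcd=constructed"},
    "firefox": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:141.0) "
                              "Gecko/20100101 Firefox/141.0"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, bot_signals(hdrs))
```

Other Chromium-based browsers also carry a Chrome/ token in the UA, so the signals are better treated as inputs to a score than as a block rule on their own.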