• I seemed to have picked up a bot looking for vulnerable pages. Not unusual in itself, and I’ve tightened the Wordfence limits and blocked many over the years.

    However, this one appears to be using over 44 different IPs, in 3 ranges. After blocking the first dozen, they kept coming, so I had to block ranges, which likely includes many other possible IPs which I’d rather not block. These all come up as from Dublin, Ireland, with whois showing a direct allocation from Microsoft for those ranges.

    Tried reporting to Microsoft, but they said my cases couldn’t be validated, and rejected them.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Is there a question here?

    Bots and bad actors generally are part of the web. Nothing you can do about that, other than to secure your site to ensure their attacks are not successful — which you seem to be doing pretty well.

    Thread Starter gerryg001 (@gerryg001)

    One question is if there’s anything else I can do.

    Another is if there’s any way to get Microsoft to look into this? Anybody with experience with that?

    As he’s expecting a response, these wouldn’t be spoofed IPs, but a number of machines he’s routing through or controlling. As they are all under Microsoft, there’s likely some reason for that.

    Overall, just fishing for any thoughts or ideas. He’s started repeating IPs now, so I’ll soon try narrowing my blocking IP ranges to see what happens.

    It seems the issue is not fully resolved yet, as the user is still asking for additional steps and suggestions on blocking the bot’s IPs and reaching out to Microsoft. Here’s a response offering some extra tips:

    It sounds like you’ve already taken solid steps with Wordfence and IP range blocking. For further action:

    1. Rate Limiting: You can implement stricter rate limiting on your server to slow down or stop the bot if they’re sending frequent requests.
    2. CAPTCHA: Add CAPTCHA for specific pages or after several failed attempts to verify human visitors.
    3. IP Reputation Services: You could use an IP reputation service (like Spamhaus or Project Honey Pot) to dynamically block known bad IP addresses without manually maintaining your own block list.

    Regarding Microsoft, it’s tricky, but you can escalate the case by documenting everything and reaching out via security-specific contacts at Microsoft, like their Abuse team or through their Security Response Center.
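
On the thread's concern that range blocks also catch addresses that were never seen misbehaving, here is an added example (not part of any reply above) that turns a list of observed offending IPs into the tightest CIDR per cluster and reports the collateral for each. The addresses are constructed from documentation ranges, the function names and thresholds are hypothetical, and it handles IPv4 only.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: offending client IPs as they might be copied out of an
# access log or a firewall's traffic view (documentation ranges only).
OBSERVED = [
    "198.51.100.17", "198.51.100.18", "198.51.100.21", "198.51.100.30",
    "203.0.113.130", "203.0.113.131", "203.0.113.140",
    "192.0.2.5",
]

def tightest_cover(addrs):
    """Smallest single IPv4 CIDR that contains every address in addrs."""
    lo, hi = min(addrs), max(addrs)
    net = ipaddress.ip_network(f"{lo}/32")
    while hi not in net:
        net = net.supernet()  # widen by one bit until the highest IP fits
    return net

def plan_blocks(ips, group_prefix=24, min_hits=3):
    """Group IPs by /group_prefix. Clusters with at least min_hits distinct
    IPs get one tight CIDR; sparse ones stay as single-address blocks.
    Returns (cidr, observed_ips, addresses_blocked) tuples."""
    groups = defaultdict(set)
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        parent = ipaddress.ip_network(f"{addr}/{group_prefix}", strict=False)
        groups[parent].add(addr)
    plan = []
    for parent, addrs in sorted(groups.items()):
        if len(addrs) >= min_hits:
            net = tightest_cover(addrs)
            plan.append((str(net), len(addrs), net.num_addresses))
        else:
            plan.extend((f"{a}/32", 1, 1) for a in sorted(addrs))
    return plan

if __name__ == "__main__":
    for cidr, seen, blocked in plan_blocks(OBSERVED):
        print(f"{cidr:20} observed={seen:3} blocked={blocked:4} "
              f"collateral={blocked - seen}")
```

Raising `min_hits` or `group_prefix` trades more individual entries for less collateral blocking.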
