Microsoft flooding sites with fake traffic

Coleman Kane cokane at cokane.org
Wed Feb 20 17:48:20 EST 2008


Arc Riley wrote:
> Hey guys
>
> Do yourselves a favor and search your logs for connections from
> 131.107.* 65.52.* 65.53.* 65.54.* and 65.55.*
>
> I found a good % of traffic we got, not reported to Google Analytics
> so I didn't see it sooner, was referred from http://search.live.com/
> for search queries involving pornography, cars, drugs, and random
> gibberish.  The landing pages from these searches were subversion
> changesets, source code in the Trac browser, and other places those
> search queries certainly don't exist in.
>
> All of it, well 97.2%, from the above two subnets, belonging to
> Microsoft.  It'd be humorous if I didn't just purchase a new colo
> server to handle the large volume of traffic pysoy.org
> <http://pysoy.org> gets.  I can't tell if MS is trying to skew the
> statistics in favor of MSIE/Live/etc or if it's conducting a denial of
> service attack against free software project sites, perhaps both (two
> birds with one stone?).
>
> If you see the similar childish behavior in your logs, please join me
> in blocking them and being very vocal as to why.
>
An interesting find. I just checked my sites and I see the same thing,
however most of the search queries seem to be pretty pertinent to the
content of the pages that they reference. It is almost like there's some
script running on a farm of Windows computers that just performs
single-word searches on their Windows LiveSearch database, and visits
the results (posting, of course, the LiveSearch referral in the request).

Here's my distribution:

cat apachelogs/* | grep live.com | cut -d\  -f1 | cut -d. -f1,2 | sort | uniq -c | sort -rn

    308 65.55
     10 131.107
      4 85.159
      3 142.161
      2 71.164
      2 68.95
      2 4.246
      2 207.224
      1 86.144
      1 84.202

There are many, many more with single visits, but I left them off the
list because they probably represent normal livesearch users.

--
Coleman Kane
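
A stricter version of the tally above, as an added example that is not part of the original post: it matches live.com only in the Referer field, so a request path or User-Agent that merely contains the string is not counted, and it can drop the low-count tail. The function names, the Apache "combined" log format and the sample log lines are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumes Apache "combined" format: IP - - [date] "request" status bytes "referer" "agent"

# Count hits per first-two-octet prefix where the Referer host is live.com
# or a subdomain of it. Optional $1: minimum hits for a prefix to be listed.
live_referrals_by_prefix() {
    awk -F'"' -v min="${1:-1}" '
        # Splitting on double quotes gives: $1 = "IP - - [date] ", $2 = request,
        # $4 = Referer, $6 = User-Agent. Only $4 is tested.
        $4 ~ "^https?://([^/]*\\.)?live\\.com(/|$)" {
            split($1, head, " ")
            # Skip anything that is not a dotted-quad IPv4 client address.
            if (split(head[1], octet, ".") != 4) next
            hits[octet[1] "." octet[2]]++
        }
        END {
            for (p in hits)
                if (hits[p] >= min) print hits[p], p
        }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample log lines (not real traffic).
sample_log() {
    cat <<'EOF'
65.55.0.10 - - [20/Feb/2008:10:00:01 -0500] "GET /changeset/101 HTTP/1.1" 200 5120 "http://search.live.com/results.aspx?q=cars" "Mozilla/4.0"
65.55.0.11 - - [20/Feb/2008:10:00:03 -0500] "GET /browser/trunk HTTP/1.1" 200 7300 "http://search.live.com/results.aspx?q=drugs" "Mozilla/4.0"
65.55.1.12 - - [20/Feb/2008:10:00:09 -0500] "GET /changeset/88 HTTP/1.1" 200 4100 "http://search.live.com/results.aspx?q=xqzt" "Mozilla/4.0"
131.107.0.5 - - [20/Feb/2008:10:01:12 -0500] "GET /wiki HTTP/1.1" 200 2048 "http://search.live.com/results.aspx?q=wiki" "Mozilla/4.0"
203.0.113.9 - - [20/Feb/2008:10:02:40 -0500] "GET /wiki/Install HTTP/1.1" 200 3300 "http://search.live.com/results.aspx?q=python" "Mozilla/5.0"
198.51.100.7 - - [20/Feb/2008:10:03:00 -0500] "GET /docs/live.com-notes.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.44 - - [20/Feb/2008:10:04:10 -0500] "GET / HTTP/1.1" 200 1500 "http://www.google.com/search?q=pysoy" "Mozilla/5.0"
EOF
}

# Full distribution, then only prefixes with at least two hits.
sample_log | live_referrals_by_prefix
sample_log | live_referrals_by_prefix 2
```

On real logs, feed it the same input as the one-liner: `cat apachelogs/* | live_referrals_by_prefix 2`.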


