Websense and How to Block Websense’s Constant Abuse

Posted 2008-08-26 in Spam by Johann.

Websense, Inc. is one of the busiest net abusers. Their stealth scanning never stops.

208.80.193.26 … "GET / HTTP/1.0" 403 4232 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; 3304; SV1; .NET CLR 1.1.4322)" "-"
208.80.193.37 … "GET /blog/music/ HTTP/1.0" 403 4232 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Dealio Toolbar 3.1.1; Zango 10.0.370.0)" "-"

If you go through your own log files, you’ll notice that Websense never uses the same user agent twice, simply so that it never shows up in statistics. Here’s how aggressive Websense is:

$ nice gunzip -c <five weeks of log files> | egrep -c '^208\.80\.19'
414

Over 400 requests in a little over a month make Websense a lot more aggressive than vulnerability scanners and forum scanners.

Primarily, the abuse is coming from 208.80.193.0/24.

$ nice gunzip -c <five weeks of log files> | egrep '^208\.80\.19' | awk '{print($1)}' | sort | uniq -c | sort -r -n
     35 208.80.193.31
     34 208.80.193.44
     33 208.80.193.33
     30 208.80.193.27
     25 208.80.193.37
     25 208.80.193.32
     22 208.80.193.46
     22 208.80.193.30
     21 208.80.193.35
     20 208.80.193.42
     19 208.80.193.45
     18 208.80.193.29
     16 208.80.193.39
     15 208.80.193.40
     14 208.80.193.48
     14 208.80.193.34
     12 208.80.193.47
     11 208.80.193.36
      6 208.80.193.41
      6 208.80.193.38
      5 208.80.193.26
      4 208.80.193.59
      4 208.80.193.50
      2 208.80.193.54
      1 208.80.193.43

Block Websense

Here are Websense’s netblocks. Block all of them.

  • 66.194.6.0/24
  • 67.117.201.128
  • 91.194.158.0/23
  • 192.132.210.0/24
  • 204.15.64.0/21
  • 208.80.192.0/21
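
To check that a block on these ranges is actually in effect, the sketch below matches log clients against the listed netblocks by CIDR rather than by text prefix (a prefix such as 208.80.19 also covers addresses outside the /21) and reports requests that were not answered with 403. It is an added example, not code from the original post; it assumes combined log format with the client address as the first field, and the names match_netblock and audit are hypothetical.

```python
import ipaddress
from collections import Counter

# Netblocks exactly as listed in the post; the bare address becomes a /32.
NETBLOCKS = [ipaddress.ip_network(n) for n in (
    "66.194.6.0/24", "67.117.201.128", "91.194.158.0/23",
    "192.132.210.0/24", "204.15.64.0/21", "208.80.192.0/21",
)]

def match_netblock(addr):
    """Return the listed netblock that contains addr, or None."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None  # first field is not an IP literal (e.g. a hostname)
    return next((net for net in NETBLOCKS if ip in net), None)

def audit(lines):
    """Count requests per listed netblock; collect those not answered with 403."""
    per_block, not_refused = Counter(), []
    for line in lines:
        client = line.split(" ", 1)[0]
        block = match_netblock(client)
        if block is None:
            continue
        per_block[str(block)] += 1
        # Combined log format: the status code follows the quoted request line.
        after_request = line.split('"')[2].split() if line.count('"') >= 2 else []
        status = after_request[0] if after_request else "?"
        if status != "403":
            not_refused.append((client, status))
    return per_block, not_refused

# Constructed sample lines (not real log data) in combined log format.
SAMPLE = [
    '208.80.193.26 - - [26/Aug/2008:10:00:00 +0200] "GET / HTTP/1.0" 403 4232 "-" "Mozilla/4.0"',
    '208.80.195.26 - - [26/Aug/2008:10:01:00 +0200] "GET /blog/ HTTP/1.0" 200 5120 "-" "Mozilla/4.0"',
    '91.194.159.10 - - [26/Aug/2008:10:02:00 +0200] "GET / HTTP/1.0" 403 4232 "-" "Mozilla/4.0"',
    # These two match the text prefix 208.80.19 but lie outside 208.80.192.0/21.
    '208.80.190.5 - - [26/Aug/2008:10:03:00 +0200] "GET / HTTP/1.0" 200 5120 "-" "Mozilla/4.0"',
    '208.80.19.7 - - [26/Aug/2008:10:04:00 +0200] "GET / HTTP/1.0" 200 5120 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    blocks, leaks = audit(SAMPLE)
    print(dict(blocks), leaks)
```

Any entry in the second return value is a request from a listed range that the server still served, which means the block rule does not cover that address.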

9 comments

#1 2009-03-18 by restaurant fan


You must know that this company filters web surfing for a lot of organizations around the world, and their filtering policies are... weird.
Company websites get categorized as 'advocacy groups', IT news sites become 'entertainment', etc. Their filter is dumb and inefficient.

Good news: we can prevent their bandwidth sucking, at least.

#2 2009-03-18 by Johann

I wonder what happens once you block their stealth crawling? Do they put you in the bad guys bin like Secure Computing?

If you are... affected by WebSense, is my website blocked?

#3 2009-03-18 by restaurant fan


It seems that your technique is efficient to prevent blocking.

Let's see now if it can allow some blocked sites to live again.

#4 2009-03-18 by Johann

In other words, if you distribute malware, blocking WebSense, MessageLabs and the others would help not getting blacklisted. But the Russians distribute their software through other means anyways ;-)

#5 2009-03-18 by evilghost

There are a few others that need to be blocked as well based on AS13448. I used robtex to get a fairly exhaustive list.

http://www.robtex.com/as/as13448.html

They are:
66.194.6.0/24
67.117.201.128/28
91.194.158.0/23
204.15.64.0/21
192.132.210.0/24
207.114.184.0/24
208.80.192.0/21

Thank you.

#6 2009-03-18 by Johann

evilghost,

I'm not sure about the 207.114.184.0/24. Thanks for the other ones.

#7 2009-05-27 by stratus5

Websense I've been blocking them for some time now. My website consists solely of the "Apache 2 Test Page". I blocked them because of their bandwidth usage. Websense will not quit! Check the logwatch for today. 81 hits over the last 24 hours!

Dropped 81 packets on interface eth0
From 208.80.195.26 - 81 packets to udp(53)

Man do I hate these bandwidth suckers. I'm thinking about contacting them and asking them to go get a life somewhere else.

Fortunately as a consultant I've hopefully stopped some of their sales. So turn about is fair play!

#8 2009-05-27 by Johann

stratus5,

congratulations. Now all you need to do is to get rid of the other netblocks. :-)

#9 2009-11-26 by Jeff

I don't mind WebSense per se, but I agree with others that they are a bandwidth sucker and they do not follow (or even look for) robots.txt. It's one thing to bot your site once a month, it is another to do it once or twice a day. The other concern I have about WebSense is that they have contracts with the U.S. Department of Homeland Security, and as such are banned from my site. If the U.S. government wants to mine "open source" information, let them go for it in the open.

WebSense also violates my registered copyright in that they are hitting my site and using my bandwidth for personal/private gain; this is a specific violation of copyright and their use of any of my material for monetary gain would result in a lawsuit against WebSense in U.S. District Court.

Other things you need to block are SBC coming from San Diego too, as they use that, as well as some 38. servers.

I have both trapdoors and some other things to nail U.S. government bots like the WebSense website abuse bot.
