False Positives

  • Resolved buckyreal

    (@buckyreal)


    1 year, 1 month ago

    I had to disable the plugin as people using iPhones were getting the banned message from bad bots, vs the site. I tested this by visiting with my phone and visiting the site, my ip address doesn’t appear in the log. I run chrome on my phone, I didn’t test with safari

    I notice that most banned in the log are attributed to iPhone agents… example… Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1

    The page I need help with: [log in to see the link]

Viewing 15 replies - 1 through 15 (of 15 total)
  • Plugin Author Jeff Starr

    (@specialk)

    1 year, 1 month ago

    Glad to help.

    I’m not sure how this might happen, unless there is any sort of page caching happening on site. Do you happen to know if that is the case?

    Also note that the plugin works by adding a hidden link to your pages. So regular visitors, especially those visiting via mobile device, never will see the link.

    Thread Starter buckyreal

    (@buckyreal)

    1 year, 1 month ago

    The link sure isn’t visible. We don’t have any caching plugins installed, is there a way to test this? I will review the plugins… but I don’t think so.

    The client emailed me and said that some visitors were complaining that they got the “Banned” message instead of the website, the site has been running the plugin for weeks, and I’m pretty sure I tested it on my iPhone…

    • This reply was modified 1 year, 1 month ago by buckyreal.
    Plugin Author Jeff Starr

    (@specialk)

    1 year, 1 month ago

    Yeah it sounds like more info would help to explain what might be happening. Here are some things to find out for sure:

    • Any caching happening on site or server
    • What is the specific error/banned message that was displayed
    • Is the user’s IP address listed in the Bad Bot Log
    • Is it possible to recreate the issue in any way

    Those are the big things to check, let me know if any questions. Glad to help anytime.

    Thread Starter buckyreal

    (@buckyreal)

    1 year, 1 month ago

    I never got the deluge of ban notices I would expect given the amount of AI bot traffic we are getting, to the tune of gigabytes a day…. I didn’t see our IP address among the banned ones, but it’s possible my phone was on a cell network and not our wifi..

    Plugin Author Jeff Starr

    (@specialk)

    1 year, 1 month ago

    The plugin only blocks bots that disobey your site’s robots and nofollow rules. So if most AI bots aren’t doing that, then they won’t fall into the trap and thus the plugin will not block them. That probably is why you aren’t getting a “deluge of ban notices”. This plugin focuses on blocking “bad” bots, not bots in general.

    Thread Starter buckyreal

    (@buckyreal)

    1 year ago

    This problem came back for another client’s website visiting /wp-admin/ on an iphone results in a “you have been banned” error when using an iPhone running Chrome, I didn’t try safari, but I assume that’s what the customer was using. once I get the error again I can test safari.

    Resetting the log allows access again to /wp-admin/

    These are the lines in the log that point at that user-agent being the problem, it doesn’t seem to be a problem with an IP address, or a web-browser digging into the invisible honeytrap… like you said, that isn’t happening with a normal web browser. What is happening is a browser that hasn’t been banned, from an IP address that hasn’t been banned cannot access the back end of a website using an iPhone…

    Below is the user agent reported by a “whatismyuseragent” website : I am using wifi (I didn’t check with cellular data turned on and verify that that IP address also doesn’t appear.

    Mozilla/5.0 (iPhone; CPU iPhone OS 18_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/135.0.7049.83 Mobile/15E148 Safari/604.1

    In the log many of them report very similar agents blocked… the ip address of my phon

    here is the log file…

    2024/07/04 @ 12:00:00 am - 173.203.204.123 - HTTP/1.1 - Cygnus X-1 (Space Invaders) User Agent (Atari 2600)
    [x] 2025/03/21 @ 10:45:32 am - 47.242.167.47 - HTTP/1.1 - Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
    [x] 2025/03/21 @ 10:47:39 am - 8.218.91.49 - HTTP/1.1 - Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
    [x] 2025/03/22 @ 10:48:15 am - 47.243.79.195 - HTTP/1.1 - Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
    [x] 2025/03/23 @ 10:57:15 am - 47.76.209.138 - HTTP/1.1 - Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
    [x] 2025/03/23 @ 08:27:02 pm - 47.243.75.156 - HTTP/1.1 - Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
    [x] 2025/03/24 @ 11:06:14 am - 47.243.105.139 - HTTP/1.1 - Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
    [x] 2025/03/25 @ 04:42:36 am - 8.210.164.94 - HTTP/1.1 - Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
    [x] 2025/03/25 @ 11:10:50 am - 8.210.147.121 - HTTP/1.1 - Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
    [x] 2025/03/25 @ 11:11:02 am - 47.242.222.214 - HTTP/1.1 - Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
    [x] 2025/03/28 @ 11:22:38 am - 47.242.217.111 - HTTP/1.1 - Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
    [x] 2025/03/28 @ 11:47:29 pm - 8.210.66.89 - HTTP/1.1 - Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
    [x] 2025/03/29 @ 09:53:21 am - 35.205.64.31 - HTTP/1.1 - Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0
    [x] 2025/03/29 @ 03:07:52 pm - 47.242.209.147 - HTTP/1.1 - Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
    [x] 2025/03/30 @ 11:32:06 am - 8.210.86.148 - HTTP/1.1 - Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
    [x] 2025/04/03 @ 06:57:43 pm - 162.62.213.165 - HTTP/1.1 - Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1
    [x] 2025/04/03 @ 08:44:28 pm - 170.106.110.146 - HTTP/1.1 - Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1
    [x] 2025/04/04 @ 03:52:50 pm - 43.157.156.190 - HTTP/1.1 - Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1
    [x] 2025/04/05 @ 02:44:14 am - 43.166.244.192 - HTTP/1.1 - Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1
    [x] 2025/04/05 @ 08:53:42 am - 170.106.107.87 - HTTP/1.1 - Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1
    [x] 2025/04/06 @ 07:37:15 pm - 170.106.197.109 - HTTP/1.1 - Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1
    [x] 2025/04/07 @ 12:11:40 pm - 47.243.234.164 - HTTP/1.1 - Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
    [x] 2025/04/08 @ 08:54:54 am - 43.135.185.59 - HTTP/1.1 - Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1
    [x] 2025/04/10 @ 06:43:46 am - 43.157.179.227 - HTTP/1.1 - Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1
    [x] 2025/04/12 @ 12:28:14 am - 43.165.65.180 - HTTP/1.1 - Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1
    [x] 2025/04/12 @ 10:54:13 am - 43.159.143.187 - HTTP/1.1 - Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1
    [x] 2025/04/14 @ 12:33:08 am - 43.130.139.136 - HTTP/1.1 - Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1
    [x] 2025/04/14 @ 05:50:34 pm - 43.153.15.51 - HTTP/1.1 - Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1
    [x] 2025/04/15 @ 05:56:08 am - 43.153.74.75 - HTTP/1.1 - Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1
    [x] 2025/04/15 @ 11:26:31 am - 43.153.67.21 - HTTP/1.1 - Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1
    [x] 2025/04/16 @ 04:47:11 pm - 43.157.38.228 - HTTP/1.1 - Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1
    [x] 2025/04/16 @ 11:36:44 pm - 43.157.172.39 - HTTP/1.1 - Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1
    [x] 2025/04/17 @ 12:17:05 am - 47.76.220.119 - HTTP/1.1 - Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
    [x] 2025/04/17 @ 08:03:40 am - 49.51.196.42 - HTTP/1.1 - Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1
    [x] 2025/04/19 @ 12:26:47 am - 170.106.163.84 - HTTP/1.1 - Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1
    [x] 2025/04/19 @ 08:07:31 am - 43.156.109.53 - HTTP/1.1 - Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1
    [x] 2025/04/20 @ 07:41:17 am - 49.51.183.84 - HTTP/1.1 - Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1
    [x] 2025/04/20 @ 06:17:43 pm - 170.106.193.108 - HTTP/1.1 - Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1
    [x] 2025/04/21 @ 05:04:54 am - 43.135.145.117 - HTTP/1.1 - Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1
    [x] 2025/04/21 @ 01:09:56 pm - 8.210.187.5 - HTTP/1.1 - Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
    [x] 2025/04/23 @ 02:52:38 pm - 20.171.207.208 - HTTP/1.1 - Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; GPTBot/1.2; +https://openai.com/gptbot)
    [x] 2025/04/23 @ 06:48:05 pm - 43.133.69.37 - HTTP/1.1 - Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1
    [x] 2025/04/24 @ 09:14:57 pm - 43.159.152.184 - HTTP/1.1 - Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1
    [x] 2025/04/25 @ 08:54:43 am - 162.62.132.25 - HTTP/1.1 - Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1
    [x] 2025/04/26 @ 01:42:51 am - 20.171.207.109 - HTTP/1.1 - Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; GPTBot/1.2; +https://openai.com/gptbot)
    [x] 2025/04/26 @ 08:33:06 am - 170.106.181.163 - HTTP/1.1 - Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1
    [x] 2025/04/27 @ 11:21:47 am - 43.153.96.79 - HTTP/1.1 - Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1
    [x] 2025/04/28 @ 12:08:53 am - 49.51.183.220 - HTTP/1.1 - Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1
    [x] 2025/04/28 @ 09:35:25 am - 20.171.207.115 - HTTP/1.1 - Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; GPTBot/1.2; +https://openai.com/gptbot)
    [x] 2025/04/30 @ 02:25:31 pm - 72.34.63.72 - HTTP/1.1 - Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0

    • This reply was modified 1 year ago by buckyreal.
    Plugin Author Jeff Starr

    (@specialk)

    1 year ago

    Again just fyi: this plugin does not take user agent into consideration when blocking. Only the IP address is used. The only thing user agent is used for is the “whitelist bots” setting. So if the iPhone’s user agent is included in that setting, then it never will be blocked.

    For this, I am trying to understand your meaning:

    “What is happening is a browser than hasn’t been banned cannot access the back end of a website using an iPhone…”

    First, understand the point made above, the browser/user-agent is not considered ever when banning/blocking. Only the IP address is taken into consideration for blocking. Then also, when you say “..than hasn’t been banned cannot access..” do you mean *has* been banned..? I am confused by this statement.

    Then you mention this:

    “In the log many of them report very similar agents blocked..”

    Please understand that the plugin does not block based on user agent or browser. It only blocks based on IP address. It’s a core concept to understand, so I hope this is clear.

    I hope this helps, let me know if I can provide any further information.

    Thread Starter buckyreal

    (@buckyreal)

    1 year ago

    Jeff… I’m so glad you are online…

    Do you have access to an iPhone? try artstart.org … notice your ip is not in the list of bad bots…

    If it works, then try artstart.org/wp-admin/

    Then write me back and I will reset the log and you will have access…

    You seem to be saying that the plug in is not enforcing a ban on iPhones… but it really seems to be doing so… based on something in the log, resetting the log allows access… Im assuming until the problematic bot gets logged again…

    Thread Starter buckyreal

    (@buckyreal)

    1 year ago

    I don’t have an iPad to test, but I wonder… I’ll boot up my mac and see what happens…

    Thread Starter buckyreal

    (@buckyreal)

    1 year ago

    Crap, I have to reset the log and try again… I just tested with a Mac and Safari and the whole site is inaccessible

    Thread Starter buckyreal

    (@buckyreal)

    1 year ago

    Ok, testing it on a Macintosh and running safari with Black Hole for Bad Bots enabled showed me the You Have been Banned” message, ” screen or the site’s homepage. Clearing the Bad Bot allowed the site to come up. I can’t risk blocking access to this URL, I have installed it on a less important and less used site, one of mine… I have seen excessive crawls so it should get the triggering ban that seems to blokc

    Bot’s that dont’ respect the robots.txt are almost completly bad actors… so they are not going to respond with an actual

    If it’s not the IP address or the User Agent causing the ban… what is banning access to my site… disabling blackhole for bad bots fixes the error and resetting the bad bot log fixes the error…

    here is the user agent of the browser on my mac…

    our IP address 207.153.7.xxx never appears in the log

    Our customers who can’t or hear from a user that they get a banned message when they visit the site… I’m 99.9% sure they haven’t done anything to fall afoul of ignoring robots.txt or somehow accessing a hidden link of the footer of the website and they and their IP address don’t seem to appear in the log of bad bots.

    I also don’t know why only our server seems to be blocking visitors.

    I’m very certain caching isn’t being used by the site, how can I verify this… would caching cause this problem?

    Blocked Mac’s User Agent… I know the plugin doesn’t ban on user agent, but that’s the only common thing in the log and with the browsers being shown the “you have been banned” screen… I haven’t seen this error on my PC running Ubuntu linux…

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Safari/605.1.15

    Thread Starter buckyreal

    (@buckyreal)

    1 year ago

    We had a problem with Wordfence (site blocking all visitors) at the same time this problem (site blocking users in iPhones if the site is using bad bots and not wordfence) .

    The hosting company said they had implemented nginx reverse proxy, to battle the ai powered ddos attack that our sites are apparently under..

    Does this proxy/firewall look like caching to Blackhole for bad bots?

    • This reply was modified 1 year ago by buckyreal.
    • This reply was modified 1 year ago by buckyreal.
    Plugin Author Jeff Starr

    (@specialk)

    1 year ago

    Yes any type of proxy is going to cause problems with this plugin. Just everything you are describing indicates that there are issues running the plugin on your setup. Normally the plugin just works, set it and forget it type thing. So best advice for this particular site is to uninstall the plugin and reset/clear any cache that you are using, to make sure a fresh set of pages or whatever is generated.

    Thread Starter buckyreal

    (@buckyreal)

    1 year ago

    Interesting! I know the nginx thing is new and it wreaked havoc with WordPress, which is more troubling 🙂

    Plugin Author Jeff Starr

    (@specialk)

    1 year ago

    Yes indeed. So I’m going to go ahead and mark this thread as resolved, as it appears to be a caching-related issue and recommended to just remove the plugin to resolve. Let me know if I can provide any further information, glad to help anytime 🙂

Viewing 15 replies - 1 through 15 (of 15 total)

The topic ‘False Positives’ is closed to new replies.