12 Jan

Why User-Agent Blocking Doesn’t Work: We Caught One IP Pretending to Be 4 Different Bots

by Thomas J. Raef
in Recent hacking news
Comments

Why User-Agent Blocking Doesn’t Work: We Caught One IP Pretending to Be 4 Different Bots

January 2026
 

We recently caught a single IP address pretending to be four different legitimate bots—all in the same week. Here’s how we identified the fraud and why blocking bots by user-agent alone leaves your site wide open.
 
 

The Discovery

 
While analyzing traffic patterns across our network of 2+ million WordPress sites, we noticed something odd about an IP address. It was claiming to be multiple well-known bots:
 

  • AhrefsBot – 1,038 requests
  • MajesticBot – 292 requests
  • PerplexityBot – 72 requests
  • CCBot (Common Crawl) – 14 requests
  • Generic bot traffic – 22,548 requests

 
Nearly 24,000 requests, all from one IP, all targeting a single website, all pretending to be someone else.
 
 

How We Verified They Were Fake

 
Legitimate bots can be verified through two methods: IP range validation and reverse DNS lookup. Let’s walk through how we confirmed these were imposters.
 

Step 1: Reverse DNS Lookup

Every legitimate crawler operates from infrastructure with proper reverse DNS records. When we looked up our suspicious IP:

$ host xx.xx.xxx.xxx

The IP resolves to gtranslate.net—a website translation service. That’s definitely not Ahrefs, Majestic, Perplexity, or Common Crawl.
 

Step 2: IP Range Validation

Major bot operators publish their IP ranges so site owners can verify legitimate traffic. For example, Ahrefs publishes their bot IPs in a JSON file.

We checked xx.xx.xxx.xxx against Ahrefs’ published ranges—it wasn’t there. For comparison, here’s what a legitimate Ahrefs IP looks like:

$ host 5.39.1.232
232.1.39.5.in-addr.arpa domain name pointer proxy-fr005-san232.ahrefs.net.

See the difference? The real AhrefsBot resolves to ahrefs.net or ahrefs.com. The fake one resolves to gtranslate.net.
 
 

Why This Matters

 
If you’re blocking bots by user-agent string alone, you’re doing it backwards:
 

  • You’re blocking legitimate crawlers – Bad for SEO, bad for site visibility
  • You’re NOT blocking the fakes – They just rotate to a different user-agent
  • Attackers know this – User-agent spoofing is trivial; it’s one line of code

 
In fact, we observed this single IP cycling through different bot identities—likely to evade per-bot rate limits. When your “AhrefsBot” block kicked in, it just switched to “MajesticBot.”
 
 

The Bigger Picture

 
This isn’t an isolated case. In our 90-day analysis of this provider’s network traffic alone, we identified over 600,000 requests from fake Majestic bots and tens of thousands of requests from fake Googlebots. User-agent spoofing is widespread because it works—most sites don’t verify beyond the user-agent string.
 
 

How to Properly Verify Bots

 
Here’s the two-step process every site should implement:
 

1. Reverse DNS Lookup

 
When you see a request claiming to be from a known bot, look up the IP:

$ host [IP_ADDRESS]

The result should match the bot’s domain:

  • Googlebot: *.googlebot.com or *.google.com
  • Bingbot: *.search.msn.com
  • AhrefsBot: *.ahrefs.com or *.ahrefs.net
  • MajesticBot: *.majestic.com

 

2. Forward DNS Confirmation

 
To prevent rDNS spoofing, confirm the hostname resolves back to the same IP:

$ host [HOSTNAME_FROM_STEP_1]

If both match, it’s legitimate. If either fails, it’s fake.
 
 

The Bottom Line

 

User-agent strings are self-reported—any bot can claim to be anything. It’s like asking someone for ID and accepting whatever name they tell you without looking at the card.
 
Proper bot verification requires checking the infrastructure behind the request. The IP doesn’t lie—but the user-agent definitely does.

At We Watch Your Website, we verify bot traffic as part of our comprehensive WordPress security monitoring. Our threat intelligence network analyzes millions of requests daily to identify malicious actors—whether they’re hiding behind fake bot identities or attacking directly.