I made the following observation: Just after publishing a link on Twitter, there are several accesses from different IPv4 addresses on that URL. Since I published a link to one of my own servers, I saw these connections on the firewall as well as on the server itself. They all called the http website and stayed for 2-3 seconds on that page.
I would have expected a few search engine bots, but most of the reverse lookup resolutions led to unknown or meaningless names. Maybe someone out there made the same observation with more details on that? Who is accessing the links? Automated bots from Twitter itself? Search engines? Malware bots searching for new victims? ;) And over which function do these hosts know, that someone has published a new link?
I published the following tweet at 13.03.2014, 21:26 o’clock:
Update of my own Virtual Radar Server: Two receivers around Frankfurt and coloured trails: http://t.co/Y6yEDS6g6h @VRadarServer
— Johannes Weber 🎸 (@webernetz) March 13, 2014
Only a few seconds after that, the following connections were made to my server. (The screenshot shows the client log from the Virtual Radar Server):
With the following quick-and-dirty script, I looked up the reverse records one more time:
1 2 3 4 5 6 7 |
#!/bin/bash for ip in `cat TwitterIPs.txt`; do printf "$ip \t" host "$ip" | awk '{print $NF}' done |
And here are the results. Looks like a few dynamic IPs. Some don’t even have a PTR record. Only topsy.com seems to be a search engine. Maybe the yahoo.com one is a bot, too?
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
23.29.122.195 23-29-122-195-customer-incero.com. 23.227.176.35 23-227-176-35-customer-incero.com. 65.52.244.220 3(NXDOMAIN) 66.35.60.177 3(NXDOMAIN) 74.112.131.202 131-202.topsy.com. 74.112.131.242 cc002.topsy.com. 74.112.131.244 cc004.topsy.com. 78.46.38.135 static.135.38.46.78.clients.your-server.de. 98.137.206.62 h220.hlfs.bf1.yahoo.com. 134.225.2.2 diag-2-2.rdg.ac.uk. 141.223.91.115 tadpole.postech.ac.kr. 142.4.216.19 ns5000014.ip-142-4-216.net. 184.169.203.101 ec2-184-169-203-101.us-west-1.compute.amazonaws.com. 185.20.4.143 sft042.sysms.net. 192.99.16.179 sentiment1.production.bottlenose.com. 199.16.156.124 3(NXDOMAIN) 199.16.156.125 3(NXDOMAIN) 199.16.156.126 3(NXDOMAIN) |
I have not done any further analysis of those IPs (http access, Nmap, Google), because I was not interested that much in them. However, since I googled this behaviour a bit and found nothing about it, I at least wanted to post this investigation.
So, the final question is: Over which function do these hosts know, that I published a new link on Twitter? Since I have not that many followers, the URL must be automatically forwarded to some of these hosts by Twitter. Or it has something to do with the Twitter API? Is there a possibility to get informed over an interface via Twitter for every single new link inside a tweet? I don’t know…
Featured image: “Twitter” by Esther Vargas is licensed under CC BY-SA 2.0.