Firewall false positive for Alibaba bot?

The last couple of days I’m seeing regular blocks for browser integrity check on a few of my sites for what looks like a legitimate search bot.

I’ve checked as best I can and AS45102 CNNIC-ALIBABA-US-NET-AP Alibaba US Technology Co., Ltd, seems to be a legitimate search bot.

Is anyone else seeing regular blocks for this bot?

I’m wondering if it might be a false-positive result.

I don’t see Alibaba on the Known Bots list:
https://developers.cloudflare.com/firewall/known-issues-and-faq#bots-currently-detected

And I can’t find a way to look up their legitimate bot addresses. It’s certainly possible it’s a cloud user of theirs poking around. Have you tried a lookup of that IP address at whois.com?

Yes, I checked with whois and iplookup. It’s using a lot of IP addresses, but mostly stating with 47. 47.88.18.197, 47.254.42.253, 47.254.43.137 for example.

When I check, they all look legitimate with this heading:

OrgName: Alibaba.com LLC
OrgId: AL-3
Address: 400 S El Camino Real, Suite 400
City: San Mateo
StateProv: CA
PostalCode: 94402
Country: US

I haven’t seen these IPs listed on any IP spam score sites.

On all my sites the bot’s path is /wp-content/uploads/. So it’s looking for images.

It only started about 36 hours ago. But it’s hitting in batches of four every five minutes or so. That’s probably a bit too frequent for a search bot.

I’m not convinced. And a reverse IP lookup returns nothing. Better legitimate bots will reverse resolve to something that hints at its legitimacy.

Well, I guess from what you have noted is that this is a legitimate block that is working as intended.

Thanks for going to the effort to check.

All I can hope is that it slows down, or gives up.

It’s a bit insane though. Every day I’m getting more and more notifications on Cloudflare and Wordfence for attempts by hackers or spammers.

Luckily, however, both together work pretty well at blocking most, if not all of them.

So I guess, I’ll just let this one run its course.

1 Like

This bot is still running every 5-10 minutes on 3 of my sites.


It’s annoying, but I can only hope that the Cloudflare firewall block is doing its job.

It certainly looks like it’s doing its job. I find that Browser Integrity Check does a pretty good job of stopping the obviously bad bots.

Well, it’s definitely a persistent one. But I can see from Wordfence that it’s not making it through to my server. So Cloudflare seems to be doing the job.

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.