As i see this it was clear to me that this was going to be a referer spam spider run (to promote [example.com...] . So I decided first to block all requests with this string in referer.
Some minutes later i realized hits from IP 18.104.22.168 - this time with realistic looking referer but still the same broken user-agent string (closing bracket is left). So i decided to block this too to get rid of these idiots:
snipped from .htaccess:
SetEnvIf Remote_Addr ^211\.99\.21[0-7]\. client_is_bad SetEnvIf User-Agent "^Mozilla/4\.0\ \(compatible;\ MSIE\ 5\.00;\ Windows\ 98$" client_is_badOrder Allow,Deny Deny from env=client_is_bad Allow from all
Since my websites doesn't address to asian people i simply block the whole SHANGHAINET.
Perhaps it's useful to you too.
[edited by: Woz at 11:43 pm (utc) on Jan. 21, 2004] [edit reason] No URLs please [/edit]
yes, I have also seen this one, on 2003-12-01 coming from the same SHANGHAI address 22.214.171.124, using fake referers and the same bogus UA string you observed with the unmatched right bracket, which makes it easy to identify though. The bot's purpose is unknown to me, and it got my attention by running straight into a bot trap for ignoring the /robots.txt ...