spiritualseo - 9:46 am on Dec 18, 2011 (gmt 0)
I have currently blocked blank referral requests originating from Trident and Funwebproducts UA as suggested by Wilderness earlier, which seems to have hugely reduced the attacks while also being search engine friendly. Planning to block MSIE6 as well.
One issue I found is that the server returns a 500 server error instead of a 403 page for the blocked requests. Not sure why. But I am guessing that's not much of a problem.
I did spend time on the log files and accumulated over 60,000 IPs with 'blank referrals' that requested data in less than 15 hours. Eliminating legit IPs like ones from Google, and deleting duplicates left me with 5000 unique IPs. But I could not find many redundant Class Bs or even Class Cs (except a few) for that matter in this list of 5000 IPs. So the IPs follow a wide range making it impossible to block ranges.
A look at the user agents reveals that 95% are legit UAs having Trident and MSIE6 and 7. But mostly from Trident. Trident I guess represents IE8 and 9. So I am guessing these are from infected Windows machines. Thanks for all your help!
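The log triage described in the post above (collect blank-referrer IPs, drop known-good ranges and duplicates, then look for crowded Class B or Class C prefixes) can be scripted. This is an added example, not part of the original post; it assumes Apache "combined" log lines, and the sample lines, the `ExampleCrawler` agent and the allow-listed prefix are constructed.

```python
import re
from collections import defaultdict

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] '
    r'"[^"]*" \d{3} \S+ "(?P<ref>[^"]*)" "[^"]*"'
)

def blank_referrer_ips(lines, allow_prefixes=()):
    """Unique client IPs that sent at least one request with an empty referrer."""
    ips = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["ref"] not in ("", "-"):
            continue  # unparsable line, or a referrer was sent
        if any(m["ip"].startswith(p) for p in allow_prefixes):
            continue  # known-good crawler range, kept out of the block list
        ips.add(m["ip"])
    return ips

def dense_prefixes(ips, octets, min_hosts):
    """Group IPs by their first `octets` octets (2 = Class B, 3 = Class C) and
    return {prefix: host_count} for prefixes with at least `min_hosts` IPs."""
    groups = defaultdict(set)
    for ip in ips:
        groups[".".join(ip.split(".")[:octets])].add(ip)
    return {p: len(h) for p, h in groups.items() if len(h) >= min_hosts}

# Constructed sample lines (documentation address ranges, not real traffic).
UA_IE8 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
UA_IE6 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
def _line(ip, ref, ua):
    return f'{ip} - - [18/Dec/2011:09:00:01 +0000] "GET / HTTP/1.1" 200 512 "{ref}" "{ua}"'

SAMPLE = [
    _line("192.0.2.10", "-", UA_IE8),
    _line("192.0.2.10", "-", UA_IE8),                     # duplicate IP
    _line("192.0.2.77", "-", UA_IE6),
    _line("203.0.113.5", "-", UA_IE8),
    _line("198.51.100.20", "-", "ExampleCrawler/1.0"),    # allow-listed below
    _line("203.0.113.9", "http://example.com/", UA_IE8),  # has a referrer
]

if __name__ == "__main__":
    ips = blank_referrer_ips(SAMPLE, allow_prefixes=("198.51.100.",))
    print(len(ips), "unique IPs")
    print("Class C with >=2 hosts:", dense_prefixes(ips, 3, 2))
    print("Class B with >=2 hosts:", dense_prefixes(ips, 2, 2))
```

An empty result from `dense_prefixes` at a reasonable `min_hosts` is the situation the post reports: the sources are too scattered for range blocks, which leaves header-based rules as the practical filter.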