I use
RewriteCond %{HTTP_USER_AGENT} ^Web [NC,OR]

Well, yeah I'm blocking it (hense the 403) but I'd like to know something about it if possible. Guess there's a lot of renamed personal bots; hard to tell their purpose unless someone posts somewhere. Google isn't even returning log stats on it. Thanks Bull.

Have you looked at the ".com" by that name? If that's it, then there is a legit explanation.

Thanks Robert, for some reason I hadn't thought of that :)

I don't know about the reason being "legit" but it makes sense now. Either someone has played a stupid joke on me and signed me up to be monitored from these guys (every 15 minutes it seems), or as siteseer and other services, they hammer you unsolicited then use the stats in their campaign to convince you to sign-up. I emailed them and asked to be removed from their list.

Anyone figure out what the useragent is called? The company is from Russia and they have no telephone number.

I am getting sick of this mob too, they are on my site everyday and every single email contact on their site does not work. I've even tried denying their IP from my site but it's not working. Can these guys be reported to anyone, some sort of internet agency? I'm truly fed up.

I haven't seen them since I added them to the firewall <evil grin> Before that they were hitting approximately 20 of the 45 client domains we have on our server and sending emails claming their sites were offline for 303 hours or so, when, in fact, those very same clients were logged in and adding content to their "offline" sites during that time. Some people...

According to the logs, the spiders come from two IPs: 69.93.37.26 and 69.93.37.30. Further digging revealed that they have IPs 69.93.37.26-69.93.37.30 (try accessing those with a browser and you will be redirected to www.webrescuer.com, which is at another location). I added a rule to block all traffic from those IPs (plus sacrificed IP 69.93.37.25, since I was too lazy to make 5 different rules - that IP doesn't seem to be in use anyway, ATM)

/sbin/iptables -I INPUT -s 69.93.37.24/29 -j DROP

That took care of it - no more spidering. And for the emails: according to our Exim log they are sent from alert@mail1.webrescuer.com. IP is 69.93.193.2 and there seems to be other sites as well, so we cannot block that IP in the firewall. Few rows in Exim's system filter takes care of the problem:

if
 $message_headers contains "webrescuer.com"
then
 logfile /var/log/exim/webrescuer
 logwrite "$tod_log Subject: $h_Subject: \n \t From: $h_From: \n \t Sender: $sender_address \n \t T
o: $h_To: "
 save /var/mail/spam/webrescuer
endif

Those lines log the incoming message in /var/log/exim/webrescuer and then saves the email in /var/mail/spam/webrescuer mbox, in case you want to check that no legimate email gets filtered. Create both files with touch before making the filter rule, just to be sure...

Stuff above assuming, naturally, that you have root level access to the server. If not, get in touch with the person who does and suggest these vandals to be blocked. If you are on a shared server it's most likely that all other domains on that server get hit by these guys as well and blocking them will make everyone happy.

Their servers are at ThePlanet, so you could try contacting abuse@theplanet.com to see what the outcome is.

Thanks for that great info taivu, I have sent it to our host to hopefully block. I don't have that level of access unfortunately. Still, this sort of thing is part of a spam operation - haven't they got official laws in place yet for this? They ought to be reported.