Hi Suzie, welcome to WebmasterWorld.

Do you have your own domain?

If so, you should email your host ISP and have them set up daily ACCESS_LOG files
somewhere so you can download them. That will give you the IP number for any odd 'visitors'.
I download mine daily, or they get so large I can't do much with them.

Given the IP #, you can at least see what ISP they are using, and maybe some info where they are from.

If you are on a shared domain or subdomain, this will likely be impossible. -Larry

Hi,

Most of us are seeing user agents that send no referrer information all the time. Referrals can be hidden by security programs or sometimes by the browser itself. Not IE though, as far as I know.

If your stats program is triggered by a piece of Javascript on your pages you can be 99.9% sure it's a normal user. Bots don't read Javascript.

If you want to block this visitor, don't block the host name, but do a reverse DNS lookup first at dnsstuff.com or a similar site. That will give you an IP address (According to the forum rules I'm not allowed to post it). This one is in Charleston, South Carolina.

A lookup of that IP in Google didn't match anything so if it is a bot it must be someone who just started using it.

Hey guys, thanks for responding while I was sleepin!

I download my stats using Nettracker and there is always a referral from page to page - this visitor looks like they have typed each page into the address bar.

I will take steps to block knowing that the IP originates from South Carolina, my site is local to my area (and it's not in SC) and is pretty much seasonal with traffic being very slow this time of year.

I'll try to block with an htaccess but I have one question.

Will I be able to test the block somehow?

Yah you can test it - you have to test everything, especially .htaccess changes.. try it first with your own IP..

Remember to flush your browser cache first.

Susie,

Recent 'improvements' in Norton Security automatically block referer information for some (all?) Windows browsers, so you might not want to react too zealously.

Refer to Symantec's web site for a bit of information: [service1.symantec.com...]

Larry

I agree with Larry, that is a normal track and I can see it is coming from South Carolina, all the information is here:

pcp992430pcs.goosck01.sc.comcast.net:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)

It says:
South Carolina Comcast Cablemodem subscriber, (see the sc.comcast.net), using Windows XP and Microsoft Internet 6.0

the pcp###pcs.goosck01 stuff has to do with the socks connection, I think.
It is totally normal, I use a Comcast cablemodem myself and my track looks similar... Matter of fact mine says:

pcp0010770534pcs.cnorth01.va.comcast.net(Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7)

See, I am from virginia :)

...
It has been my experience it is usually the malicious robots/spiders who leave the most innocent-looking tracks as they are designed to mask themselves, if that helps.

Don't scare off your first human visitor, even if he/she is out of state :)

Well, I blocked that IP address this morning and "it's" back. Hit 700 pages in less than 20 minutes.

At first, I was a bit worried about blocking a real visitor, but whatever this one is up just isn't normal for my visitors. Any visitor that is trying to access forbidden files is up to something. Trying to access my htaccess files on a daily basis is someone up to no good.

I blocked the full address that I got from the reverse dns lookup and that did not keep them out. I'll try to drop the last numbers and see if that works.

Thanks for the heads up about Norton blocking referrals. I wasn't aware of that part.

Something else I want to verify....

If I have an htaccess file in another directory, like phpbb, do I need to add a block to that file too or is one in the root enough?

700 pages in less than 20 minutes. That is definitely not human.
Did you test your IP ban with your own IP? Could be difficult, since you're on a dial-up connection.
You could try to block both IP and host string to see if that works. Blocking hosts in your .htaccess means your server has to do a reverse dns lookup, which takes time, so it's better to only ban IP numbers or blocks.
And yes, blocking someone in your root .htaccess is enough.

order deny,allow
deny from 111.111.111.111
deny from pcp992430pcs.goosck01.sc.comcast.net
allow from all

Yes, I tested with my IP address and it worked like a charm.

If things go as they have been, it will be back first thing in the morning. Been hittin me twice a day since around Thanksgiving.

If the partial IP address doesn't work, I'll try adding the host name.

It's ticking me off coz I don't feel like I'm in control of my own site.

While I'm thinking about it, could the IP address showing on the reverse dsn not be the correct one?

Hmm.. it should be the right IP. Just send you a sticky to make sure we are talking about the same address.

Nettracker seems to use server logs to analyse server traffic. So maybe it is possible to download a recent access log?