Hi Dan,

First of all I would make sure there isn't something you're missing, before being too sure that it's spoofing. That seems very unlikely under these particular circumstances. Much more likely is some automated process that has been overlooked, or similar. What kind of sessions are you seeing from these visits? Are pages and all supporting resources being downloaded (images etc) or just pages being visited without the resources they include? Is it a single page access, the same page each time? Or are a number of pages being visited each time? I suggest extracting all the entries from the logs and seeing if they give a clearer picture of what is going on.

It's just looking at a few of my pages that I advertise to my community as entry points to my website, and a few random pages from deeper in. Would look like perfectly normal accesses from my community, if it weren't coming from, er, me. I certainly have no such automated process that it driving this. I guess what is slightly perturbing about this is that if this spoofer wanted to do mischief, there is no way I could deny access without denying myself as well.

Lots of things can be spoofed/forged--UA and referer are obviously the most popular--but an IP isn't one of them. Think of it as the Final Frontier, the one thing you can rely on. So this requires more investigation. For example: If you put in a line
Deny from 11.22.33.44 (that is, your exact IP)
and leave it a few days, what happens? Are your own visits now blocked, and what happens to the illicit visits in logs? Do they disappear altogether, or merely change from 200 to 403?

Reiterating Sheffield's question: Do the log entries reflect apparent human visits, with the usual supporting files, analytics (if any), human headers (if you log them) and so on? Come to think of it, what UA is associated with the suspect requests? Do they come in at particular times of day?

Who is responsible for logging? That is, who has access to the config file-- you, a shared host, or something else again?

Thank you. I'm continuing some detective work. One important thing is that the user agent on these mysterious requests is different than that on my home machine that I use for most of my browsing, on my home IP that is the one being spoofed/forged. So that machine appears secure. One puzzle is that the mysterious request user agent is identical to that on two other home machines that I have, that I rarely use, and no one else does. I have changed the user agent on those other machines slightly, so they are more recognizable. I will see when the next forge/spoof comes in if it is actually coming from them on my own network (at least on the only browser I ever use on those machines). If so, that would suggest that some malware has taken over one of them. I'll try that before denying my own IP. These requests happen only once or twice a day, so I have no idea when the next one will come in.

There are several flavors of requests. One includes a Twitter referer URL that points to one of my pages. Um, I don't even have a Twitter account. I didn't even know about that Twitter URL until I saw it here.

I have access to EVERYTHING. Logs, .htaccess, config files on the remote server. No one else even has an account on that machine. That machine is pretty much a dedicated server, on an entirely different IP, at the office. The IP that is being spoofed/forged is my home IP, where I do most of my server supervision.

I should add ... I did quickly try the test that Lucy24 suggested. I denied my home IP (which is the one being spoofed/forged), and I am then solidly 403'd whenever I try to access the site from my home IP. That works like it should.

Are you updating pages, content or css on your desktop and viewing the changes before uploading? You need to check each line in your logs that show your IP to see what files are being requested and see if those files might be included as part of a page you've viewed on your computer for editing. If you are using complete URLs (rather than relative URLs) for images and css those files would come from your website, not your computer.

If the logs show your IP requesting supporting files (.png, .jpg, .css for example) but not the page itself, that could be normal during editing - more so if it is WordPress because that's you on your IP editing it.

Whoa, whoa, whoa! Just before I did that latter test on one of the other machines, I got a spoofed/forged request with my modified user agent. It's that machine! That request has the funny Twitter referer. I NEVER MADE THAT REQUEST. That machine is doing it all by itself. That action seems to be prompted by activity I'm doing on that machine.

OK, that machine is a MacBook 4.1 running 10.6.8 and Firefox 48.0.2. How in the world do I chase down an application like that which seems to have developed a mind of it's own? This was a machine I inherited a number of years ago. The installed extensions and plugins appear to be from reputable sources. But it is making requests on my website that I never commanded, in one case using a referer I never even knew about.

I guess I need to at least clean out Firefox on that machine and reinstall. Hope it isn't something more OS-specific.

I guess I am relieved that someone isn't spoofing or forging my IP, except that maybe they're doing it through one of my own machines.

If you have that machine or its browser set to sync, it may be hitting the last page it was on. You could re-set the sync settings, turn that machine off or just ignore it.

What does "re-set the sync settings" mean? But yes, I will try rebooting.

Try disabling third party cookies and js ... FF has a tendency to "help" too much. Also remove any plug-ins or add on extensions. Disable network.prefetch in about:config

What does "re-set the sync settings" mean?

Both Windows & Mac will sync (if you allow it) to online files or resources (example: iTunes.) Sometimes this is the last page your browser visited.

Ah yes. No, I haven't set up my browser to do that. But I did at least delete the cache. Rebooting doesn't do that. I have never been aware that a browser could do this kind of crap before. It can't be malware being controlled from outside, because I have pretty strong firewalls. But that Firefox does seem to have a mind of its own. I have no third party cookies, and my applications and plug-ins are all from reputable sources (Cisco, Apache, Google, etc.)

Oh, wait, wait. Does your browser have a default new window that shows thumbnails of your most recently visited pages? (Firefox occasionally pulls this on me, although not very often because I've set everything possible to Blank Page.) A reasonable person would assume those are taken from the browser's cache, but in fact they tend to be fresh requests made every time the screen is displayed. So they'll show up in logs exactly like a human visit.

When I do a "New Tab" on my Firefox, it indeed comes up with thumbnails of recently visited pages. I should say that I deleted the cache, and these odd requests stopped. Then I looked at a page on my site with this machine and, a few hours later, that page was polled from my site. So it's grabbing stuff in my cache and reloading it. But I hardly ever do "New Tab", so that isn't what is driving it. Oddly, it's just from this particular machine, running Firefox 48. The machine I use for more routine and regular browsing isn't doing this. So it's something funny about the way Firefox is set up on this one machine.

My apologies, as this evidently isn't an Apache or even a webserver issue. But the information given to me here has been very useful, especially that IPs are not easily spoofed.