I have a bunch of content spammers that are posting with a UA that is repeated. Instead of a single UA they simply add a comma and repeat it, possibly with slight variation.
178.57.68.89 Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/31.0.1650.63 Safari/537.36, Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36
178.159.100.247 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.22 (KHTML like Gecko) Chrome/25.0.1364.152 Safari/537.22, Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36
181.215.39.102 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/30.0.1599.69 Safari/537.36, Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36
185.252.219.97 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/29.0.1547.57 Safari/537.36, Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36
185.252.219.97 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/29.0.1547.57 Safari/537.36, Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36
These spammers seem to have some other tricks. The IPs used do not GET before they PUT and are unique for the day used, making verification of the IP problematic. They also somehow evade my header logging. Hmmm.
All UAs are unique, with small variations in each, but most are from QUALITY NETWORK CORP, RU
-178.57.68.0/24 QUALITY NETWORK CORP, RU
-178.159.100.0/24 QUALITY NETWORK CORP, RU
-181.215.39.102 QUALITY NETWORK CORP, RU
-181.215.39/24 Digital Energy Technologies Chile
-185.252.218.0 - 185.252.219.255 QualityNetwork Estonia
Has anyone else noticed these double UAs? Can you see a flaw in my Regex?
"Mozilla\/5\.0 \(Windows NT 6(.*?), Mozilla\/5\.0 \(Windows NT 6"
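The check asked about above, as an added example that is not part of the original post: it runs the posted pattern and a broader "comma followed by a new Mozilla/x.y (" split over two of the log lines quoted above and two constructed lines. The UA_JOIN pattern, the function names and the 203.0.113.x lines are assumptions of this example.

```python
import re

# The pattern from the post, unchanged.
POSTED = re.compile(r"Mozilla\/5\.0 \(Windows NT 6(.*?), Mozilla\/5\.0 \(Windows NT 6")

# Broader split point (assumption of this example): a comma followed by a new
# "Mozilla/x.y (" token. The comma inside "(KHTML, like Gecko)" does not qualify.
UA_JOIN = re.compile(r",\s*(?=Mozilla/\d\.\d \()")


def split_uas(ua):
    """Return the individual UA strings packed into one logged value."""
    return [part.strip() for part in UA_JOIN.split(ua)]


def classify(line):
    """Parse an 'IP UA' log line and report what each check says about it."""
    ip, ua = line.split(" ", 1)
    parts = split_uas(ua)
    return {"ip": ip, "posted": bool(POSTED.search(ua)),
            "double": len(parts) > 1, "parts": parts}


SAMPLES = [
    # First two lines are copied from the post.
    "178.57.68.89 Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/31.0.1650.63 Safari/537.36, Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36",
    "178.159.100.247 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.22 (KHTML like Gecko) Chrome/25.0.1364.152 Safari/537.22, Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36",
    # Constructed: an ordinary single UA; neither check should flag it.
    "203.0.113.10 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36",
    # Constructed: a doubled UA that does not claim Windows NT 6.x.
    "203.0.113.11 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/31.0.1650.63 Safari/537.36, Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36",
]


def report(lines=SAMPLES):
    """Classify every sample line."""
    return [classify(line) for line in lines]


if __name__ == "__main__":
    for r in report():
        print(r["ip"], "posted:", r["posted"], "double:", r["double"], "count:", len(r["parts"]))
```

The posted pattern is tied to the literal "Windows NT 6" prefix on both halves, so the last constructed line is caught only by the broader split.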