
64.156.198.74

         

wilderness

7:05 pm on Jul 12, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



"Mozilla/5.0 (X11; Linux i686; en-US; rv:1.0rc5; OBJR)"

Anybody have any idea who they are besides
Level3?

Thanks in advance

EliteWeb

7:11 pm on Jul 12, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Could just be a web browser :) Did ya notice in yer logs they were leeching your whole site?

wilderness

8:15 pm on Jul 12, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



<snip>were leeching your whole site?>

I've turned into a very suspicious creature :-(
Attempting in the process to make corrections before 400 pages are traveled.

These two consecutive visits were seconds apart:

63.249.27.138 - - [06/Jul/2002:14:38:07 -0700] "HEAD / HTTP/1.1" 200 0 "http://www.stumbleupon.com/refer.html" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"

64.156.198.75 - - [06/Jul/2002:14:39:10 -0700] "GET / HTTP/1.1" 200 14146 "-" "Mozilla/5.0 (X11; Linux i686; en-US; rv:1.0rc5; OBJR)"
64.156.198.75 - - [06/Jul/2002:14:39:10 -0700] "GET /PARTICULAR.htm HTTP/1.1" 200 16504 "-" "Mozilla/5.0 (X11; Linux i686; en-US; rv:1.0rc5; OBJR)"

This particular page has been getting spammed plenty and I've even had a company from Costa Rica calling (via land line) offering opportunity.

mbauser2

9:21 am on Jul 13, 2002 (gmt 0)

10+ Year Member



I spent a few hours figuring out Stumbleupon last month. It's a random-surfing service: install toolbar, pick topics of interest, hit the button, and it sends you to a random site from one of those topics. Available for IE and Mozilla.

Your page has apparently been added to the site pool Stumbleupon uses. The HEAD request is link checking (done semi-regularly by a spider, and every time the toolbar sends a user to your site). I nagged Stumbleupon's owner about it sending too many HEAD requests, and it looks like he's reined it in. I get about 5 pageviews a month through Stumbleupon.

As for the Mozilla agent, I'm with EliteWeb in thinking it's just another browser, i.e., "Mozilla for X11 (an Un*x windowing system) running under Linux, i686 processor, U.S.-language Release Candidate 5 of Version 1.0". I don't know what the OBJR is for, but it probably identifies a plugin or programming library.

wilderness

6:06 pm on Jul 13, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



When viewing my logs "HEAD requests" are like bombs going off :-)
Especially from NON SE's.

Normally I would not even be bothered about 64.156.198.74. However, the IP is returning perhaps ½ dozen times daily to a 403. It also raises a flag because it comes from Level3.
Some visitors just refuse to believe that a 403 is possible ;-)

littleman

11:35 pm on Aug 14, 2002 (gmt 0)



This is a snoop bot, it combs IPs, also it combs from other IPs from within the class C. Sometimes it IDs itself as MSIE.

weesnich

7:53 am on Aug 24, 2002 (gmt 0)

10+ Year Member



As far as I know there were only Release Candidates 1 to 3 for the 1.0 Version of Mozilla.

Normal Mozilla Browser-id's look like:
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0rc1) Gecko/20020417

explanation under:
[mozilla.org...]

In the bot's fake mozilla-id the security field is missing.

That thing has visited me since June, more than 45 times in irregular intervals (between 15 mins and 2 days) and only downloads /

Weesnich
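An added example, not part of any post in this thread: a log filter built on the comparison above, flagging Gecko-style user agents that lack the security field or the trailing Gecko build token (the second check comes from comparing the two strings quoted in the thread) and grouping the hits by /24. The function names, the 192.0.2.10 line and the 403 line are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ '
                    r'"[^"]*" "(?P<ua>[^"]*)"$')
MOZ_RE = re.compile(r'^Mozilla/5\.0 \((?P<fields>[^)]*)\)(?P<tail>.*)$')
# "U" is the value in the normal string quoted above; "I" and "N" are the
# other two values Mozilla documents for the security field.
SECURITY_TOKENS = {"U", "I", "N"}


def ua_anomalies(ua):
    """List the ways a Gecko-style UA departs from the normal layout."""
    m = MOZ_RE.match(ua)
    if not m:
        return []
    fields = [f.strip() for f in m.group("fields").split(";")]
    if not any(f.startswith("rv:") for f in fields):
        return []  # no rv: token, so it does not claim to be Gecko
    reasons = []
    if not SECURITY_TOKENS & set(fields):
        reasons.append("no security field")
    if "Gecko/" not in m.group("tail"):
        reasons.append("no Gecko build token")
    return reasons


def flag_by_subnet(lines):
    """Group anomalous requests by /24 so neighbouring source IPs line up."""
    hits = defaultdict(lambda: {"ips": set(), "reasons": set(), "count": 0})
    for line in lines:
        m = LOG_RE.match(line.strip())
        reasons = ua_anomalies(m.group("ua")) if m else []
        if reasons:
            entry = hits[m.group("ip").rsplit(".", 1)[0] + ".0/24"]
            entry["ips"].add(m.group("ip"))
            entry["reasons"].update(reasons)
            entry["count"] += 1
    return dict(hits)


# First two lines are from the thread; the last two are constructed for the example.
SAMPLE = [
    '63.249.27.138 - - [06/Jul/2002:14:38:07 -0700] "HEAD / HTTP/1.1" 200 0 "http://www.stumbleupon.com/refer.html" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"',
    '64.156.198.75 - - [06/Jul/2002:14:39:10 -0700] "GET / HTTP/1.1" 200 14146 "-" "Mozilla/5.0 (X11; Linux i686; en-US; rv:1.0rc5; OBJR)"',
    '64.156.198.74 - - [07/Jul/2002:09:12:44 -0700] "GET / HTTP/1.1" 403 210 "-" "Mozilla/5.0 (X11; Linux i686; en-US; rv:1.0rc5; OBJR)"',
    '192.0.2.10 - - [07/Jul/2002:09:15:02 -0700] "GET / HTTP/1.1" 200 14146 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0rc1) Gecko/20020417"',
]

if __name__ == "__main__":
    for net, info in flag_by_subnet(SAMPLE).items():
        print(net, sorted(info["ips"]), info["count"], sorted(info["reasons"]))
```

A match on these checks only says the string was not produced by a stock Mozilla build; pair it with request patterns (repeat visits to 403/404 URLs, root-only fetches) before blocking a range.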

weesnich

1:28 pm on Aug 24, 2002 (gmt 0)

10+ Year Member



Reviewed my logs and found that one of the very first requests with this UA was resolved as sluggo3.websense.com

WEBSENSE is an Internet filtering supplier and claims to have "272 of the Fortune 500 as customers".

IP range seen in action: 64.156.198.74-77

Weesnich

jdMorgan

2:15 pm on Aug 24, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I've had this guy in my logs for several months loading /, and attempting to load two other files
which have been 404 and gone for a long time. It ignores the 404, and comes back again (as Weesnich
stated, at irregular intervals) to try to load them again.

I got tired of wasting log space on this one, and as of yesterday, it gets a 403. I'll have to
see if it comes back, although wilderness' report sounds like it won't take the hint.

BTW, I had initially tried to block it by REMOTE_HOST but apparently "unknown.Level3.net" is not
a "real" REMOTE_HOST string, so that didn't work. Thanks for the IP range, Weesnich - I'd only had
visits from .74 and .75 so far.

If it won't take the 403, maybe a well-coordinated volley of e-mail to Level3 will help?

Jim

fiestagirl

4:23 pm on Aug 24, 2002 (gmt 0)

10+ Year Member



I've also resolved these ips to websense. Been seeing hundreds of visits for months and finally blocked it.

My ips are: 64.156.198.74-78 and 64.156.198.80

fiestagirl

4:59 pm on Aug 24, 2002 (gmt 0)

10+ Year Member



Also, I've been visited by websense with this:

63.212.171.161

Sqworm/2.9.85-BETA (beta_release; 20011115-775; i686-pc-linux-gnu)

resolves to:

ws-ip161.websense.com

wilderness

3:10 am on Aug 25, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



<snip>although wilderness' report sounds like it won't take the hint>

This thread started on July 12 and this visitor continues daily visits accumulating 403's.

jdMorgan

11:17 pm on Aug 25, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



wilderness,
This thread started on July 12 and this visitor continues daily visits accumulating 403's.

Ugh,
I wish HTTP/1.1 had a "remote-detonate" request!

fiestagirl,
Thanks for the additional IPs!

Jim

frontpage

1:19 am on Aug 27, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



64.156.198.74
64.156.198.75
64.156.198.80
Useragent: "Mozilla/5.0 (X11; Linux i686; en-US; rv:1.0rc5; OBJR)"

This bot has been trying to snoop around my site but thanks to wilderness's observations the bot was banned.

Notice the multiple IP addresses used.

kneelsit

1:38 am on Aug 27, 2002 (gmt 0)

10+ Year Member



Could the OBJR stand for "Object Retrieval"? Just a thought

bobriggs

1:47 am on Aug 27, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm curious as to how you are resolving these ip's to websense.

I just tried 3 of them with *.74, *.77 *.80, and all I get is unknown.Level3.net

(that is the 64.156.198 ones)

jdMorgan

10:47 pm on Aug 27, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



kneelsit,

Most likely an OBJect Runtime library. These are 'canned' routines that ship with, for example, a
"C" compiler, and can be accessed as a dynamically-linked 'object' at runtime. Windows' .dll files
are a similar thing. So, this is somebody using a canned routine to access URLs on the web.

Jim

frontpage

12:01 pm on Aug 28, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Well it appears they are back in a different mode.

nslookup 63.212.171.161
Canonical name: ws-ip161.websense.com

63.212.171.161 - - [27/Aug/2002:18:46:05 -0400] "GET /xxx.html HTTP/1.0" 302 294 "-" "Sqworm/2.9.85-BETA (beta_release; 20011115-775; i686-pc-linux-gnu)"

weesnich

3:41 pm on Aug 28, 2002 (gmt 0)

10+ Year Member



> I'm curious as to how you are resolving these ip's to websense.
As far as I'm concerned: my ISP's server tries automatically to resolve IP's, but fails more often than not. Now I simply sorted my logs by useragent and looked for that strange rc5-Mozilla-fake.

It turned out that the server some time ago (about 2 months) was able to resolve a request with this UA to the said domain. It may be possible, that different services use this UA, but as strange as it is I think it is unlikely. Sorry, if I wasn't clear enough with the explanation the first time.

I compared the traceroutes between www.websense.com and 64.156.198.74, I think they are at least very close together - but someone with more knowledge may research this.

That SQWORM I saw from 63.212.171.161-163, but last sighting was February this year.