Do a search for it, there is a lot of speculation about this one in the archives.

Thanks littleman, I just did that and was about to modify my post to ask a more specific question.

Does anyone see recent activity from multiple domains leaving this sig?

The posts I just read didn't suggest the zombie angle. If this thing has been zombied, it may be in a position to DoS us and I have some coding to do.

I have been seeing it for 2 days. It hasn't been real heavy. I assumed it was a new spider.

<edit>Nevermind I found it</edit>

Everyman,

When they try to "visit" my site, they are using iaea.org as an {HTTP_REFERER}, not as a
{REMOTE_HOST}. The log entry shows that the request does not come from iaea.org, it was
refered by a link on iaea.org. So unless iaea.org is really linking to your site, this is likely just
a spamtool with a faked referer field to fool filters (like mine) that reject requests for certain
pages if they come in without a valid referer...

I haven't been visited by this agent in a long time, but a block on requests refered from iaea.org
is one of the very oldest entries in my "go away" list.

Jim

So unless iaea.org is really linking to your site, this is likely just a spamtool with a faked referer field to fool filters (like mine) that reject requests for certain pages if they come in without a valid referer...

Thanks, jdMorgan. Yes, I know it's coming in as a referrer, and I know that it had to be a faked referrer. What had me confused was why different, seemingly unrelated amateur crawlers were faking this same referrer. I though of zombies, but the notion of a spam tool never occurred to me. Your suggestion makes a lot more sense to me. It's probably not anything to worry about.

The fact that the history of this thing goes back a year or so is further evidence that it's most likely a spam tool rather than some sort of zombie threat.

Everyman,

Dang! Got carried away and forgot to answer your main question...

Yes, I had a visit last weekend. I'll have to check my logs this evening and see if it came from
multiple remote-hosts.

Just to be clear on this thread, how do you define "zombie" - a distibuted agent for launching DOS
attacks? - I are an engineer, and like to make sure I understand how the terms are being used. :)

Thanks,
Jim

"Does anyone see the referrer "http://www.iaea.org" in their logs? "

I see this a lot. It just looks like a user has clicked through froma link. Very strange.

I am getting very aggressive hits from it or them.

Recently I am getting quite weird HTTP_REFERER[s], including (seriously) BillGate and xxxxxx--------

The “BillGate” one seems to be interested in graphics the others does not really put an overload on my bandwidth, therefore I don’t take the time to block them.

www.iaea.org is still showing up on my logs on a daily basis. Since my site does not have anything to do with them, I have blocked it.

For a better Internet
hanuman

Unless you are getting genuine traffic from the site then I'd suggest that you are seeing a certain brand of spambot whose referrer is hard-coded to "http://www.iaea.org" (I can't remember which right now but if you really want to know drop me a sticky and I'll look it up later), I seem to remember that the same bot used fake user-agents which made the referrer kind of a finger-print for that particular bot.

This is also why "http://www.iaea.org" crops up in several of the .htaccess posts which relate to blocking spambots and other malicious bots. I'm sure a site search would throw up several examples of these scripts.

- Tony