It looks like someone is using a Windows script to access your pages and has accidentally included a linefeed in his or her program. \r, in the Unix world at least, is a linefeed, while \n is a carriage return. Unix uses just a single \n to indicate a "return" while windows uses a \r\n (linefeed + carriage return) to indicate "return". I don't think it's anything particularly nefarious, unless you consider a person accessing your pages with a script to be bad.

Could be a miscoded link from a referring site. On various platforms you'd use \r\n to send a carriage return and line feed to the output stream, but they might have mistakenly sent a literal "\r" instead.

VectorJ & Choster,

Thanks for the quick reply. I'm just happy that they find it interesting enough to use a script.

I'm not sure how an escaped version of the character ended up in an HTTP request, but \r is the carriage return character and \n is a linefeed.

Most internet-based application protocols (like HTTP, SMTP, etc) are text-based. They use what's called "Net ASCII" as their character set, and Net ASCII ends each line with a carriage return followed by a linefeed (\r\n). Windows follows the same convention, while UNIX uses a linefeed only (\n), and many other operating systems (including MacOS) have historically used a carriage return only (\r).

My first suspicion would be a UNIX program attempting to process Net ASCII text and failing to treat the \r as special, causing it to be passed on as part of the HTTP request, but lots of things could have happened. What was the user agent on that request?

It could also be someone that is using PHP on their site, links to you, but have miscoded their script. Have a look at the referrer, and visit that site.