Nasty guestbook harvesting bot

... using foolish "." PTR name

         

Romeo

7:23 pm on Feb 7, 2004 (gmt 0)




For a few days now, I have seen a nasty bot repeatedly crawling through the entire guestbook several times a day, eating a lot of traffic bandwidth:
IP addresses 66.90.67.11, 12, 13.

Interestingly, reverse nslookups show just a "." (dot):
1x.67.90.66.in-addr.arpa name = .

So if you have set your Apache logging to log resolved names instead of IP addresses, you will only see a "." as the requestor's ID in the log. Very funny.

Since I have seen this trick to try to hide behind a foolish PTR entry "." on reverse lookups several times now, I will put this in my .htaccess and hope they will go away then:

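# disallow all those rude guys "." who try to hide
# (flag requests whose resolved client hostname is exactly ".")
SetEnvIf Remote_Host "^\.$" bad_one
# keep the custom error page /403.html reachable so the 403 response can be served
SetEnvIf Request_URI "^/403\.html$" allowit
Deny from env=bad_one
Allow from env=allowit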

Regards,
R.

dcrombie

9:35 pm on Feb 7, 2004 (gmt 0)



The same bot's been trying to GET /guestbook.html from one of our sites for a while now. They've been chewing on 403's since the first visit (referrer and user agent are blank) but that hasn't stopped them:

29 Jan: 1 hit
30 Jan: 7 hits
and so on: 3, 3, 17, 17, 17, 21, 10, 5, 5 hits yesterday so they're slowing down

They really need to get a clue - the page they're after doesn't even have email addresses ;)

bull

8:08 pm on Feb 8, 2004 (gmt 0)




If you have access to raw log files, please post the user agent. Thanks in advance.

coyote

12:42 am on Feb 9, 2004 (gmt 0)




Along similar lines, I've noticed "." as a user agent in my logs the past couple days. Only hits guestbook pages and completely slips past my .htaccess ban for "-" and blank UAs.
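
A log check for the pattern discussed in this thread, as an added example that is not part of any poster's message: it flags Apache combined-format lines whose resolved host is "." or whose user agent is ".", "-" or blank, and counts flagged hits per day and client. The sample log lines, the function names and the 192.0.2.10 address are constructed for illustration.

```python
import re
from collections import Counter

# Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Placeholder user agents named in the thread: blank, "-" and ".".
PLACEHOLDER_AGENTS = {"", "-", "."}


def classify(line):
    """Return reasons a line matches the pattern ([] if clean, None if unparseable)."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    reasons = []
    if m["host"] == ".":  # reverse lookup returned the bare root label
        reasons.append("ptr-dot")
    if m["agent"].strip() in PLACEHOLDER_AGENTS:
        reasons.append("placeholder-agent")
    return reasons


def hits_per_day(lines):
    """Count flagged requests per (day, host) to see whether the crawler slows down."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and classify(line):
            counts[(m["day"], m["host"])] += 1
    return counts


# Constructed sample lines (not taken from any real log).
SAMPLE = [
    '. - - [07/Feb/2004:19:01:12 +0000] "GET /guestbook.html HTTP/1.0" 403 210 "-" "-"',
    '. - - [07/Feb/2004:21:40:03 +0000] "GET /guestbook.html HTTP/1.0" 403 210 "-" "-"',
    '192.0.2.10 - - [08/Feb/2004:00:42:55 +0000] "GET /guestbook.html HTTP/1.0" 200 5120 "-" "."',
    'host.example.net - - [08/Feb/2004:09:15:00 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
]

if __name__ == "__main__":
    for (day, host), n in sorted(hits_per_day(SAMPLE).items()):
        print(day, host, n)
```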