Forum Moderators: DixonJones


reverse.theplanet.com question

Should I be worried?


Zig28

11:07 pm on Jun 23, 2005 (gmt 0)

10+ Year Member



My control panel shows "196.67-18-113.reverse.theplanet.com" as the biggest user of my site, but I can't find any reference to that IP address or its reverse in my raw logs. I can't find anything on Whois or anywhere else that tells me who this user is. I don't know why they would be accessing so much of my site (27 mb), and I think I may need to block them, but don't know what IP address to block. I'd appreciate any help or advice?

spiritdark

3:42 am on Jun 24, 2005 (gmt 0)

10+ Year Member



Checking out different messages and your "theplanet.com" caught my eye. Not sure who they are either, only that my firewall has blocked numerous attempts by "theplanet.com" from gaining access to my system. I'd also be interested in knowing who they are out of curiosity. In the meantime, I let the firewall do its thing.

marcs

4:08 am on Jun 24, 2005 (gmt 0)

10+ Year Member



They are a hosting company. If you have a server with them and don't ask to have reverse DNS changed on your IP block(s), they would indeed show up that way in logs (if you were to run a bot or use a browser from such a machine).

As they are a hosting company, I tend to block 'heavy users' from their IP ranges as they are likely bots.

maddogearle

5:34 am on Jun 24, 2005 (gmt 0)

10+ Year Member



Thanks for the info - the problem is that they show up as "196.67-18-113.reverse.theplanet.com" in my automatic Webalizer report through my website's control panel, but when I look in the raw logs, there is no matching IP address, nor is there anything that resembles "reverse.theplanet" in any combination I can try. So I don't know what IP address to block - I've tried a Whois search and other lookups, but can't match the Webalizer line that shows them using bandwidth to an IP address in the raw logs.

kona

10:35 am on Jun 24, 2005 (gmt 0)

10+ Year Member



I think the IP address you want to block is 67.18.113.196. If you do a reverse lookup, it resolves to 196.67-18-113.reverse.theplanet.com

maddogearle

12:04 pm on Jun 24, 2005 (gmt 0)

10+ Year Member



Thanks - that is the answer I was looking for!

maddogearle

2:01 pm on Jun 24, 2005 (gmt 0)

10+ Year Member



Update: I found over 23,000 line entries in my raw logs from that IP address for June so far, which is far larger than any other single IP. However, the Whois lookup on the "reversed" IP address shows that the main host, theplanet, is in So. California, and it could be that there are many people visiting my site from SoCal. The line in the raw logs looks strange though, it doesn't list a normal web browser, just this (copied exactly other than pathname):

67.18.113.196 - - [31/May/2005:00:09:58 -0400] "GET /folder1/filename.html HTTP/1.0" 200 12309 "-" "-"

where the "-" "-" marks show up at the end of the entry and there's no info about browsers or a 'bot name or such. Any idea what the two dashes mean? Why do they mask that info? Still not sure if I should block or not. There doesn't seem to be a pattern, could just be lots of visitors through their servers hitting my website...thanks.

Romeo

2:36 pm on Jun 24, 2005 (gmt 0)

10+ Year Member



The "-" "-" are written by the web server to indicate that it has got no other data to put in here.

What can be drawn from the facts:
-- It is a customer server hosted by theplanet.
-- Those many visits you see are from one server, not from many visitors. (Well, most likely. Could be an open private proxy, but most likely not).
-- There is no customized reverse PTR record pointing to a (valid!) domain name hosted on the server. Perhaps the server's owner is just clueless, or he has something to hide.
-- Something on that server is harvesting your pages, and this 'thing' is hiding behind an empty UA string.

A DROP rule in the firewall seems appropriate ...

Regards,
R.

maddogearle

2:58 pm on Jun 24, 2005 (gmt 0)

10+ Year Member



Thanks very much, I appreciate all the help!
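Added example, not part of the original thread: a Python sketch of the two checks discussed above, mapping the generic reverse-DNS name from the Webalizer report back to the IP that appears in the raw logs, and totalling per-IP requests with an empty referrer and user agent. The function names and all sample log lines except the first (which is quoted from the thread) are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache combined log format, as in the line quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
# Generic PTR naming seen in the thread: <d>.<a>-<b>-<c>.reverse.theplanet.com
PTR_RE = re.compile(
    r'^(\d{1,3})\.(\d{1,3})-(\d{1,3})-(\d{1,3})\.reverse\.theplanet\.com\.?$')

def ptr_name_to_ip(name):
    """Recover the IPv4 address encoded in the generic reverse name, or None."""
    m = PTR_RE.match(name.strip().lower())
    if not m:
        return None
    d, a, b, c = m.groups()
    octets = [a, b, c, d]  # the last octet is written first in the hostname
    if any(int(o) > 255 for o in octets):
        return None
    return ".".join(octets)

def summarize(lines):
    """Per-IP totals: hits, bytes, and hits with referrer and UA both empty."""
    stats = defaultdict(lambda: {"hits": 0, "bytes": 0, "blank": 0})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in combined format
        s = stats[m["ip"]]
        s["hits"] += 1
        s["bytes"] += 0 if m["size"] == "-" else int(m["size"])
        if m["ref"] in ("", "-") and m["ua"] in ("", "-"):
            s["blank"] += 1
    return dict(stats)

def heavy_blank_clients(stats, min_hits=3):
    """IPs with at least min_hits requests, none carrying a referrer or UA."""
    return sorted(ip for ip, s in stats.items()
                  if s["hits"] >= min_hits and s["blank"] == s["hits"])

# Constructed sample; only the first line is taken from the thread.
SAMPLE = [
    '67.18.113.196 - - [31/May/2005:00:09:58 -0400] "GET /folder1/filename.html HTTP/1.0" 200 12309 "-" "-"',
    '67.18.113.196 - - [31/May/2005:00:10:01 -0400] "GET /folder1/other.html HTTP/1.0" 200 8000 "-" "-"',
    '67.18.113.196 - - [31/May/2005:00:10:03 -0400] "GET /folder2/page.html HTTP/1.0" 200 5000 "-" "-"',
    '192.0.2.10 - - [31/May/2005:00:11:00 -0400] "GET /index.html HTTP/1.1" 200 4000 "http://example.com/" "Mozilla/5.0 (constructed)"',
    '192.0.2.10 - - [31/May/2005:00:11:05 -0400] "GET /a.html HTTP/1.1" 304 - "-" "Mozilla/5.0 (constructed)"',
]
```

The hostname parse is only a naming-convention shortcut and runs offline; a reverse name is set by whoever controls the address block, so confirm the address with an actual lookup before turning it into a firewall rule.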