Forum Moderators: DixonJones


a very frequent visitor.

         

papachumba

11:52 pm on Jan 30, 2006 (gmt 0)

10+ Year Member



Hiya people,
since we recently reached our bandwidth limit on our server, I decided to look into optimizing the pages and such and ended up in our logs.

I have found a visitor, coming from the range of
195.93.21.x
around 2000 visits/month on some of our main sites out of 20. This is happening on every single site. Same range of IPs. Looking back, it stretches months into the past: December, November; these IPs go well over 6 months back.

I'm a fool for not spotting it earlier. Could it be a competitor clicking on our Google ads? We pay heftily for these. Either this or some other spam entity perhaps?

Looking at raw logs, this comes in every day, from around 9 until 12 in the evening, NO REFERRER; each time it comes in it goes down 2-3 levels deep, downloads graphics as well as pages.

#*$!?

jdMorgan

12:24 am on Jan 31, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



That IP range (or part of it) resolves to AOL Europe.

AOL uses caching proxies that store local copies of our pages and images. The purpose is to reduce bandwidth through their network, and give the subscriber faster service.

Unfortunately, this caching method also 'hides' the real IP address of the visitor. In fact, you can't tell whether it is one visitor, or a hundred of them. You will sometimes find the caching proxy IP address and the real user address mixed together in your raw access log file. For example, you may see the real user IP fetch a page, and then the caching proxy IP fetching the images that appear on that page.

As a result, it is very hard to state, based on what you have posted here, whether this is a 'problem user' or just many visitors from AOL-Europe.

Only if you see them doing something wrong -- like repeatedly trying to guess passwords to log in to a private area or something, does it become obvious that they are troublemakers.

See [ripe.net...] for IP address lookup.

Jim

papachumba

12:53 am on Jan 31, 2006 (gmt 0)

10+ Year Member



Why is it, then, that when I look up this range in Google, I get traces from various advertising pay-per-click sites where someone from this IP range has been visiting?
Sites like rategold.com and talkgold.com, also one site reporting a ddos attack...

papachumba

1:49 am on Jan 31, 2006 (gmt 0)

10+ Year Member



OK, I'm beginning to think it might be just AOL visitors. I filtered the weblog analytics tool just to this IP range on several sites:

15000 out of 176,000 on a small site come from this IP range
25,000 out of 400,000 visits on a big site from this range

most visitors peak around 1-2 noon
this IP range peaks around 8-9 evening

contains a range of browsers and OSes that's logged

Could be just home users on AOL, but there is never any referrer info?
We are using a little redirect page for our Google campaigns which allows us to track sponsored Google visits for all sites - I cannot find these IPs in there at all.

jdMorgan

2:13 am on Jan 31, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> Could be just home users on AOL, but there is never any referrer info?

Caching proxies typically don't provide a referer. That's part of how they work.

The user requests a page.
The proxy checks to see if it has a recent copy in cache.
If so, the proxy serves the cached copy.
If not, it fetches a fresh copy from your server. You will see the proxy's IP as the requestor, not the user(s), and no referrer.
The above includes pages, images, etc., all of which may expire at different times.

The end-result is a confusing mix of requests -- pages fetched without images, images without pages, etc.

So, it is very hard to tell if these are legitimate requests or not. And I mean even if I were you, looking at your stats and logs, it would still be difficult to tell. So, don't take what I've posted as saying that these are or are not legitimate requests -- all I can really provide is some background info.

You could try capturing the proxy-related HTTP headers if you want to make a project of this. Headers like HTTP_X_FORWARDED_FOR and HTTP_VIA can sometimes be helpful, but I'm not sure if AOL's caching proxies send these headers. But you could capture them with a script or turn on custom logging to log them if so, and then see if the additional data helps you figure this out.

Jim
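One way to carry out the header-capture idea from the post above, as an added example that is not part of the original thread: it assumes an Apache custom log format that appends X-Forwarded-For and Via to the combined format, then groups requests from the 195.93.21.x range by the forwarded client. The format nickname `proxylog`, the names `summarize` and `PROXY_NET`, and the sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed Apache custom format (combined plus two proxy headers), not from the
# thread; written as one line in httpd.conf:
# LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"
#            \"%{X-Forwarded-For}i\" \"%{Via}i\"" proxylog
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*" "(?P<xff>[^"]*)" "(?P<via>[^"]*)"'
)
PROXY_NET = ipaddress.ip_network("195.93.21.0/24")  # the 195.93.21.x range in the thread

# Constructed sample lines; forwarded client addresses use documentation ranges.
SAMPLE_LOG = """\
195.93.21.10 - - [30/Jan/2006:21:02:11 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0)" "192.0.2.15" "1.1 cache-a.example"
195.93.21.34 - - [30/Jan/2006:21:02:12 +0000] "GET /img/logo.gif HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 6.0)" "192.0.2.15" "1.1 cache-b.example"
195.93.21.10 - - [30/Jan/2006:21:05:40 +0000] "GET /products.html HTTP/1.1" 200 7300 "-" "Mozilla/5.0 (Windows; U)" "198.51.100.7" "1.1 cache-a.example"
195.93.21.77 - - [30/Jan/2006:21:09:03 +0000] "GET /img/banner.gif HTTP/1.1" 200 9100 "-" "Mozilla/4.0 (compatible; MSIE 6.0)" "-" "-"
203.0.113.9 - - [30/Jan/2006:13:15:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "http://www.example.com/" "Mozilla/5.0 (Windows; U)" "-" "-"
truncated line with no fields
"""

def summarize(log_text, net=PROXY_NET):
    """Count requests from the proxy range and group them by forwarded client."""
    stats = {"requests": 0, "no_referer": 0, "via_present": 0, "unparsed": 0}
    clients = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        try:
            in_range = m is not None and ipaddress.ip_address(m["ip"]) in net
        except ValueError:  # %h logged a hostname instead of an address
            m = None
        if m is None:
            stats["unparsed"] += 1
            continue
        if not in_range:
            continue
        stats["requests"] += 1
        stats["no_referer"] += m["referer"] in ("", "-")
        stats["via_present"] += m["via"] not in ("", "-")
        # X-Forwarded-For can be a comma list; the leftmost entry is the claimed
        # origin. It is client-supplied, so treat it as a hint, not proof.
        xff = m["xff"].split(",")[0].strip()
        clients[xff if xff not in ("", "-") else "(not sent)"] += 1
    stats["clients"] = dict(clients)
    return stats

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

If the proxies do not send either header, every request lands in the `(not sent)` bucket and the log carries no more information than before.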

papachumba

11:01 am on Jan 31, 2006 (gmt 0)

10+ Year Member



Thanks mate,
I think I went on a bit of a wild goose chase... spent 5 hours looking at this last night, convinced I had tracked someone.
What a wally.

digicam

1:34 pm on Jan 31, 2006 (gmt 0)



Hi, what happens if you instruct your site to not be cached?

Would you see the original IPs then?

cheers.