afaik if it's a IE, NT 4.0 didn't give a version number, so it looks like a legitimate browser.

BUT...why would it go for the trap? I assume it's a (for a human visitor) invisible link or something like that. The only way a IE would do that it when a user activates the "make available offline" option in his favorites. Then again, IE would add a

MSIECrawler

to the UA-string (as mentioned in thread 2432 [webmasterworld.com]).

May be a spoofed UA...

IE 5.0 and above always gives a version number under Windows NT such as

Mozilla/4.0 (compatible; MSIE 5.0; Windows NT 4.0)

My logs are full of them.

I had quite some w/o version number having a typical bot behavior:

216.185.57.94 - - [01/Nov/2003:[b]04:29:53[/b] +0100] "GET / HTTP/1.1" 403 390 www.-.net "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)" "-"
216.185.57.94 - - [01/Nov/2003:[b]04:29:53[/b] +0100] "GET /a/b/verydeepfile.htm HTTP/1.1" 403 390 www.-.net "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)" "-"

but fortunately I already fed it with 403.

IE 5.0 and above always gives a version number under Windows NT such as

Sorry bull, but you're wrong:

2002-02-13 01:32:00 130.60.28.29 - xxx.xx.xx.xxx 80 GET /index.html - 200 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT)

or

2002-09-12 11:30:51 193.5.173.162 - xxx.xx.xx.xxx GET /dir/page.asp - 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+NT) 

just to give two examples from a time where NT was more widely used. They're both (just a bit) above 5.0 and both don't give a version number.

I agree though that this looks very fishy (as explained in my first post) and I'd ban em too.

How can one explain the appearance of both flavours with or w/o NT version number? Of course both appear, but only one if MSIE or MSIE is shizophrene.
Or, more likely, NT w/o version is some proxy software or similar? Anyone?

[edited by: bull at 5:10 pm (utc) on Nov. 3, 2003]

IE 5.0 and above always gives a version number under Windows NT such as

I checked my logs again, and what you said applies to IE 5.5 and above...or so it seems.

2002-09-12 05:59:51 198.240.212.29 - xxx.xx.xx.xxx 80 GET /otherdir/somepage.asp - 200 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+4.0)

and sorry if my previous post seemed rude.

MSIE is shizophrene.

would'nt surprise me, I've seen other M$ products with stranger behavior ;)

Nice last line, WebJoe :) But we need to get this fixed now.

193.136.33.205 - - [27/Oct/2003:16:20:44 +0100] "GET /robots.txt HTTP/1.0" 200 880 www.-.net "-" "-" "-"
193.136.33.205 - - [27/Oct/2003:16:20:49 +0100] "GET /deep/ HTTP/1.0" 200 2109 www.-.net "http*//somelink" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT 4.0)" "-"

crawlerlike behavior.

217.6.249.138 - - [20/Oct/2003:10:51:25 +0200] "GET /deep.htm HTTP/1.0" 200 4215 www.-.net "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; QXW0330d)" "-"
217.6.249.138 - - [20/Oct/2003:10:51:25 +0200] "GET /my.css HTTP/1.0" 200 2702 www.-.net "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; QXW0330d)" "-"

perfectly legit.
Currently I', thinking the other way round. MSIE 5.0 does not display a NT version number. MSIE 5.01 is the first to display a NT version number. Anyone wants to check their logs too?

Is anyone human still using MSIE 5? Okay, maybe some who are still stuck on Windows 95, but NT should be able to handle later versions. So, I think those showing MSIE 5 and NT are probably bots.

Good point BlueSky, probably depends on your target crowd. I banned UAs with IE < 5.01 and NT with version number...bulls log-extract does look like a bot, and I couldn't find any log entries for my sites with IE 5.01 and smaller for NT 4.0 (just NT)