Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;)
Additionally, the Referer is always exactly my domain name, i.e. [my_domain_name.com...]
It's definitely a bot of some type and has been going on for I don't know how long. I've only recently started investigating this, since bandwidth and machine usage have been through the roof.
I see this forged IE User-agent coming from multiple IPs, most of them in the 69.230.*.* range, which are SBC / Pacific Bell dial-up or DSL accounts. I've started banning these IPs as they come up, but this is hardly a solution as these people (or person?) can just reconnect to get a new IP.
Anyone else seeing this activity?
[edited by: volatilegx at 7:13 pm (utc) on Dec. 14, 2006]
[edit reason] fixed broken user agent [/edit]
> Does this tell you anything "imo-m28.mx.aol.com"

That's an AOL Mexico hostname, mi amigo. I'm not familiar enough with the Mexican hostnames (or AOL's coverage in the country) to be able to peg it any better than that, but I can tell you that the prefix ("imo") does not (seem to) match any of the Mexican states.
Since that hostname is in AOL's 64.12.*.* block, I expect it's being forwarded. If it's being forwarded, and if it's true that AOL is now passing X-Forwarded-For, you could very well see a LACNIC IP in X-Forwarded-For.
Quite difficult to log in from Mexico when you're in New Jersey :)
X-Forwarded-For is an eXtended HTTP header, which indicates the IP address that is requesting your pages through the proxy. Some proxies pass this information, and some don't. The ones that don't are called anonymous proxies, although it's the user who is anonymous, not the proxy itself.
X-Forwarded-For can be a (possibly empty) list of IP addresses, corresponding to "forwarding devices" that have decided to modify that field. As with other HTTP headers, it's easily forged.
AOL has their own server ranges, which are not explained anywhere in AOL's support, and the customer is switched between servers randomly as the need arises by the AOL router/server.
Supposedly, that's changed, but the only information I found was at the end of this Wiki entry [en.wikipedia.org] and the bottom of this discussion page [en.wikipedia.org]
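
Added example, not part of the original thread: one way to decide which address to log or ban when X-Forwarded-For may be a list and may be forged, as described above. It assumes the 64.12.*.* block mentioned in the thread is the only proxy range you trust; the function names are hypothetical and the sample requests are constructed.

```python
import ipaddress

# Assumption: proxy ranges whose X-Forwarded-For we are willing to read.
# 64.12.0.0/16 stands for the 64.12.*.* AOL block mentioned in the thread.
TRUSTED_PROXIES = [ipaddress.ip_network("64.12.0.0/16")]

def _is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)

def _parse(token):
    """Return an ip_address for one list entry, or None if it is not an IP."""
    try:
        return ipaddress.ip_address(token.strip())
    except ValueError:
        return None

def client_ip(peer, xff_header):
    """Return (address, source) for a request.

    peer       -- address of the TCP connection, taken from the socket
    xff_header -- raw X-Forwarded-For value, or None if the header is absent
    """
    peer_ip = ipaddress.ip_address(peer)
    # From an unknown peer the header is just client-supplied text: ignore it.
    if not _is_trusted(peer_ip):
        return str(peer_ip), "peer"
    # Anonymous proxy or empty list: only the proxy address is known.
    if not xff_header or not xff_header.strip():
        return str(peer_ip), "peer"
    # Each forwarding device appends on the right, so walk right to left and
    # stop at the first hop that is not one of our trusted proxies. Anything
    # further left could have been typed in by the client.
    for token in reversed(xff_header.split(",")):
        hop = _parse(token)
        if hop is None:
            return str(peer_ip), "peer"   # malformed entry: fall back
        if not _is_trusted(hop):
            return str(hop), "x-forwarded-for"
    return str(peer_ip), "peer"           # every listed hop was a proxy

# Constructed sample requests (documentation-range client addresses).
SAMPLES = [
    ("64.12.116.10", "198.51.100.7"),            # proxy passes the client IP
    ("64.12.116.10", "10.9.9.9, 198.51.100.7"),  # client forged a leading entry
    ("203.0.113.5", "1.2.3.4"),                  # direct request, forged header
    ("64.12.116.10", ""),                        # proxy passes an empty list
]

if __name__ == "__main__":
    for peer, xff in SAMPLES:
        print(peer, repr(xff), "->", client_ip(peer, xff))
```

Log both the peer address and the raw header alongside the chosen address, so a ban decision can be reviewed later.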