CustomUserAgent

Apple surprise?

         

Pfui

1:22 am on Jul 16, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The following goofily formatted UA string is as-was, including the quotes, the closing semi-colon, etc.:

17.232.247.161
"CustomUserAgent"="Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10 FOH:R247";"

robots.txt? NO

And here's a bit of a surprise -- per Domain Tools, the IP's location is:

Surprise Apple Inc.

Hmm.

Well, who/whatever it was hit / five times in 45 secs. Ref was a Goo search but no clue if they were real (employee? Apple store?), just that they didn't follow the redirect's link.

keyplyr

3:13 am on Jul 16, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Looks like I need to rewrite my "User Agent" rule yet another time :)

tangor

3:16 am on Jul 16, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Is anything with "useragent" "user-agent" in the string worth spit?

keyplyr

3:34 am on Jul 16, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Is anything with "useragent" "user-agent" in the string worth spit?

Well depending on your opinion of GTB or GoogleT5 (Google Tool Bar versions) or SV1 you might want to consider a whitelist with benefits.

Pfui

3:24 pm on Jul 30, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Another quasi-oddity from Apple, by Hostname this time. Tripped into a trap:

a17-203-12-15*.apple.com
WebLoadPerf (unknown version) CFNetwork/493 Darwin/10.4.0 (i386) (MacPro4%2C1)

robots.txt? NO
favicon.ico? No

caribguy

3:33 pm on Jul 30, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



CFNetwork is a no-no in my book

Pfui

2:48 am on Jul 31, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I only allow it to retrieve favicon.ico because I get hundreds of hits every 24 hours to favicon.ico by Mac-based Safari users. (Bookmarked files? Apparently.) The UA is always a variation of CFNetwork, e.g.:

Safari/6533.17.8 CFNetwork/454.9.7 Darwin/10.4.0 (i386) (MacBookPro3%2C1)
Safari/6531.22.7 CFNetwork/454.9.4 Darwin/10.3.0 (i386) (iMac9%2C1)
Safari/6533.17.8 CFNetwork/454.9.7 Darwin/10.4.0 (i386) (iMac11%2C1)
Safari5533.17.8 CFNetwork/438.14 Darwin/9.8.0 (Power%20Macintosh) (PowerMac11%2C2)

enigma1

1:30 pm on Jul 31, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Looks like either a UA spoof attempt or an attempted hack for programs that browse the server log and extract info.

Pfui

11:35 pm on Jul 31, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



@enigma: Which of the odd UAs I've reported do you think looks like a spoof, or a log hack?

"CustomUserAgent"="Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10 FOH:R247";"

[or]
WebLoadPerf (unknown version) CFNetwork/493 Darwin/10.4.0 (i386) (MacPro4%2C1)


Because actually, considering that both were used via Apple servers, I can't say that either looks like a spoof or a hack to me -- and even though the first one is a hot mess. Plus nothing about their actions suggested an exploit, let alone one having to do with logs(?).

I'm more inclined to think the site has multiple Apple employee fans (I know of two personally) and someone was testing or goofing around. Can't say as I appreciate anyone, even fans, doing that kind of stuff, so the UAs were 403'd from the get-go.

keyplyr

7:41 am on Aug 1, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



RE: CFNetwork

I also allow it to get favicon but block it otherwise since it can be used to scrape image files.

On the iPhone version of Safari, CFNetwork sometimes requests apple-touch-icon.png and apple-touch-icon-precomposed.png, which are 57x57 pixel image files used as bookmark icons... so I enlarged my favicon and created these files to be accommodating :)

enigma1

3:58 pm on Aug 1, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



If you check the line carefully, it is like a string assignment to a variable. It looks to me like it expects some code (a browsing tool perhaps) to do something with it.

"CustomUserAgent"="Mozilla/5.0 (M....";

Search the net for it; there are some entries to read: spoofing the User Agent with Safari, and also how some verification tools interpret the variable CustomUserAgent.

It just doesn't look like a regular string to me.

Pfui

6:16 pm on Aug 1, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Agreed, it's definitely not a regular string although interestingly, it encapsulates a regular string:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10


But that front end --

"CustomUserAgent"="


-- and back end --

FOH:R247";"


-- are certainly surprising.
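
Added example, not code from any poster in this thread: Python that detects the `"Key"="value";` wrapper discussed above, applies the CFNetwork icon-only rule described in the thread, and escapes a UA before it goes into a quote-delimited log field. The function names, the allow/deny labels and the choice to deny any UA containing a quote are assumptions made for this example.

```python
import re

# Header value shaped like  "Name"="value";  plus any stray tail (the reported
# string ends in ;" ), i.e. a settings-style assignment sent as the UA itself.
WRAPPED = re.compile(r'^"(?P<key>[^"]+)"="(?P<value>[^"]*)";(?P<tail>.*)$')

# Bookmark-icon paths the posters say CFNetwork requests and they serve.
ICON_PATHS = {"/favicon.ico", "/apple-touch-icon.png",
              "/apple-touch-icon-precomposed.png"}

# The two strings reported in the thread, copied as posted.
SAMPLE_WRAPPED = ('"CustomUserAgent"="Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6; en-us) '
                  'AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 '
                  'Safari/531.21.10 FOH:R247";"')
SAMPLE_CFNETWORK = ("WebLoadPerf (unknown version) CFNetwork/493 "
                    "Darwin/10.4.0 (i386) (MacPro4%2C1)")


def unwrap_ua(raw):
    """Return (key, inner, tail) for a wrapped UA, else (None, raw, '')."""
    m = WRAPPED.match(raw.strip())
    if not m:
        return None, raw, ""
    return m.group("key"), m.group("value"), m.group("tail")


def classify(raw_ua, path):
    """Return (decision, reason); the rule set is this example's assumption."""
    key, _inner, _tail = unwrap_ua(raw_ua)
    if key is not None or '"' in raw_ua:
        return "deny", "quote or assignment syntax in UA"
    if "CFNetwork/" in raw_ua:
        if path in ICON_PATHS:
            return "allow", "CFNetwork icon fetch"
        return "deny", "CFNetwork outside icon paths"
    return "allow", "no rule matched"


def safe_for_log(raw_ua):
    """Escape quotes, backslashes and control bytes so the value cannot
    terminate a quote-delimited log field or start a new log line."""
    out = []
    for ch in raw_ua:
        if ch in '"\\':
            out.append("\\" + ch)
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append(f"\\x{ord(ch):02x}")
        else:
            out.append(ch)
    return "".join(out)
```
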