today's head-scratcher

Forum Moderators: open

Message Too Old, No Replies

today's head-scratcher

lucy24

6:10 am on Sep 24, 2011 (gmt 0)

85.234.142.nnn - - ...32:09 -0700] "HEAD /games/ HTTP/1.0" 200 266 "-" "WordPress/3.2.1; http://vintagedesignerhandbagsonline.com/blog" 
85.234.142.nnn - - ...32:09 -0700] "GET /games/ HTTP/1.0" 200 11077 "-" "WordPress/3.2.1; http://vintagedesignerhandbagsonline.com/blog" 
85.234.142.nnn - - ...32:38 -0700] "HEAD /games/ HTTP/1.0" 200 266 "-" "WordPress/3.2.1; http://vintagedesignerhandbagsonline.com/blog"

If the free lookup can be believed, the IP really belongs to the site named in the UA slot. And it appears to be a perfectly legitimate site. Assuming for the sake of discussion that charging Ł1000+ for a handbag is legitimate.

Best guess so far: One of the people running the site has a teenaged offspring who has been playing with robots on their server.

incrediBILL

2:23 pm on Sep 24, 2011 (gmt 0)

... or it's one of those stupid URL promo bots that runs around spamming referrer strings as a promotional method

Got you to the site didn't it?

dstiles

4:43 pm on Sep 24, 2011 (gmt 0)

85.234.128.0/19 banned as server farm so deserves a 403.

lucy24

9:04 pm on Sep 24, 2011 (gmt 0)

or it's one of those stupid URL promo bots that runs around spamming referrer strings as a promotional method

That's the part that intrigued me :) The name wasn't in the referer slot-- you'll notice it's blank-- but in the UA slot. So anyone with two brain cells to rub together can tell upfront it's a robot.

By now most of my fake referers fall into two groups: Random sites in eastern europe made up by my Ukrainian pals, and monster pages buit with WYSIWYG editors consisting entirely of hotlinked images. When I have a few minutes to spare I will sometimes glance at the latter and scroll down until I see my distinctive "NO HOTLINKS" png. Heh, heh.

incrediBILL

9:56 pm on Sep 24, 2011 (gmt 0)

"NO HOTLINKS" png.

I'll raise you one - I serve a nasty hotlink image in that violates the AdSense T&Cs so anyone attempting to hotlink me using AdSense gets reported for the violation :)

g1smd

10:14 pm on Sep 24, 2011 (gmt 0)

"NO HOTLINKS" png

There's also a range of 4xx and 5xx HTTP status codes you can use to great effect.

keyplyr

10:56 pm on Sep 24, 2011 (gmt 0)

I see it all the time. I believe the UA is the user control panel for their WordPress utility and either validating the page to be scraped or link validating a reference in their blog.

I block all UA beginning with "Word" and as a beenie filter MS Word as well. This has not stopped traffic from legit links to my sites at someone's WordPress page.

lucy24

2:05 am on Sep 25, 2011 (gmt 0)

There's also a range of 4xx and 5xx HTTP status codes you can use to great effect.

Anything other than 403 would involve :: cough, cough :: lying to the computer, wouldn't it? I mean, their request for an unauthorized image didn't really make my server explode.

I serve a nasty hotlink image in that violates the AdSense T&Cs so anyone attempting to hotlink me using AdSense gets reported for the violation

I don't think my hotlinkers have ads. It would be fun if I could replace the facebookexternalhotlink image with something really loathsome, but it would involve a little work. You'd have to let the original request from facebook IPs pick up the real thing, so users don't suspect, and only put in the disgusting image for other IPs.

(Sure, it is nice when people recommend sites, even if it is usually Perez the Mouse which is a public-domain e-book available all over the place anyway. But why the ### do they have to do it with hotlinks? Can't FB afford the space to host their own copy of the image?)

And sadly htaccess won't let me replace an image with a sound file. I found a great MP3 of a siren that would just hit the spot.