Forgot to say that the "Googlebot-Image/1.0" UA is spoofed. This hit also came from the same IP a millisecond later.
lucy24
2:50 am on Aug 29, 2015 (gmt 0)
the "Googlebot-Image/1.0" UA is spoofed
And that's all we need to know, isn't it? Sending a blatantly fake UA is a guaranteed way to draw closer attention to yourself ... and that attention is not likely to be favorable.
The 304 is a bit worrying, because it implies they've been there before. That is, it means "not modified since ..." something, and I really doubt your server interprets the "something" as "the last time the real imagebot, from a completely different IP, visited".
keyplyr
3:41 am on Aug 29, 2015 (gmt 0)
Your correct. This is from a new client's site & I'm in the midst of installing a comprehensive defense stratagem (I get paid more when stuff sounds high-tech.)
- - -
From a few minutes ago:"
"GET / HTTP/1.1" 403 1525 "-" "-"
Same IP address, but now that they've been blocked a few times, they've gone stealth. Also notice they hit the robots.txt with the 1.0 protocol but use 1.1 for other web documents. I think a lot of agents do that but I don't understand why.
lucy24
6:35 am on Aug 29, 2015 (gmt 0)
now that they've been blocked a few times, they've gone stealth
If they think that not sending a User-Agent header will increase their chances of getting through, you are probably not dealing with a robotic mastermind.
keyplyr
8:49 am on Aug 29, 2015 (gmt 0)
Maybe they should search monster.com for someone better?
