Welcome to WebmasterWorld Guest from 54.198.55.167

Forum Moderators: Ocean10000 & keyplyr

Message Too Old, No Replies

Initial double-quote symbol

     
4:13 pm on Dec 16, 2017 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:May 14, 2008
posts:3201
votes: 16


UA (including intial and terminating quotes):
"Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1"

Don't know about others here but for years I've been blocking UAs with an initial quote. Suddenly a number of iPhone urls come along with it and get blocked. (The OS version seen has been 10 and 11.)

Is this some misguided recent update or are there really stupid bots hitting from a variety of broadband IPs? I opt for the former explanation.
7:19 pm on Dec 16, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15173
votes: 679


Do you have any evidence that the "visitor" is in fact human? In my case, blocked humans go on to request: two stylesheets, navigation image, favicon and piwik. Blocked robots--who, of course, represent at least 99% of all 403s--don't. And then I can take a closer look at headers to determine if they were unintentionally blocked. (Most turn out to have commmitted some other offense, such as being from the wrong country.)

I have a more comprehensive
BrowserMatch ^\W bad_agent
as part of a long bad_agent list that ends up getting blocked along with all the other environmental variables.
7:47 am on Dec 18, 2017 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12765
votes: 873


That UA is one of the most faked. I see it sometimes, with but mostly without, quotes usually from AWS.

I have not seen what I believe is the authentic (human) UA with quotes from ISPs (yet.)
12:03 pm on Dec 18, 2017 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:May 14, 2008
posts:3201
votes: 16


The IPs are broadband/cable/mobile. I've only had time to look at two cases in any detail but it looks as though icon-fetching is ok but a page fetch is sometimes incorrect. There would be no css because the page is blocked before that could happen. The trap does not mitigate against icons.

In some cases I notice, from my "trap" logs, that there is sometimes one incorrect hit only, sometimes more than one incorrect and sometimes an incorrect one followed by a correct one. This suggests either someone is fixing the problem (although the timing on that is suspect) or that it is auto-correcting - which suggests a bot but the other behaviour is against that hypothesis.

The following took place in about 15 seconds (log lines abbreviated for clarity):

/apple-touch-icon-precomposed.png 62.232.xx.xxx Safari/13604.4.7.1.3+CFNetwork
/apple-touch-icon.png 62.232.xx.xxx Safari/13604.4.7.1.3+CFNetwork
/favicon.ico 62.232.xx.xxx Safari/13604.4.7.1.3+CFNetwork
/ 62.232.xx.xxx "Mozilla/5.0+(iPhone;
/apple-touch-icon-precomposed.png 62.232.xx.xxx Safari/13604.4.7.1.3+CFNetwork
/apple-touch-icon.png 62.232.xx.xxx Safari/13604.4.7.1.3+CFNetwork
/favicon.ico 62.232.xx.xxx Safari/13604.4.7.1.3+CFNetwork
/apple-touch-icon-precomposed.png 62.232.xx.xxx Safari/13604.4.7.1.3+CFNetwork
/apple-touch-icon.png 62.232.xx.xxx Safari/13604.4.7.1.3+CFNetwork
/favicon.ico 62.232.xx.xxx Safari/13604.4.7.1.3+CFNetwork

The following took place in about 4 seconds. Note that the first few times a page has a correct UA (so is served but no css so probably not loaded by the device). In reality it was blocked due to an earlier attempt, which suggest the quote is a default UA:

/list.asp 95.90.xxx.xx Mozilla/5.0+(Macintosh;
/apple-touch-icon-precomposed.png 95.90.xxx.xx Safari/13604.4.7.1.3+CFNetwork
/ 95.90.xxx.xx Safari/13604.4.7.1.3+CFNetwork
/apple-touch-icon.png 95.90.xxx.xx Safari/13604.4.7.1.3+CFNetwork
/ 95.90.xxx.xx Safari/13604.4.7.1.3+CFNetwork
/favicon.ico 95.90.xxx.xx Safari/13604.4.7.1.3+CFNetwork
/apple-touch-icon-precomposed.png 95.90.xxx.xx Safari/13604.4.7.1.3+CFNetwork
/ 95.90.xxx.xx Safari/13604.4.7.1.3+CFNetwork
/ 95.90.xxx.xx Safari/13604.4.7.1.3+CFNetwork
/favicon.ico 95.90.xxx.xx Safari/13604.4.7.1.3+CFNetwork
/list.asp 95.90.xxx.xx "Mozilla/5.0+(iPhone;
/ 95.90.xxx.xx Safari/13604.4.7.1.3+CFNetwork
/ 95.90.xxx.xx Safari/13604.4.7.1.3+CFNetwork
/favicon.ico 95.90.xxx.xx Safari/13604.4.7.1.3+CFNetwork
/ 95.90.xxx.xx Safari/13604.4.7.1.3+CFNetwork
/ 95.90.xxx.xx Safari/13604.4.7.1.3+CFNetwork
/favicon.ico 95.90.xxx.xx Safari/13604.4.7.1.3+CFNetwork
3:21 pm on Jan 16, 2018 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:May 14, 2008
posts:3201
votes: 16


I'm still getting a lot of these hits. It has occurred to me the cause may be a dumb bookmark app.

I'm fairly certain it's human and it only seems to be from iphones.
 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

Featured Threads

Free SEO Tools

Hire Expert Members