
Windows 200X

Referrer spam pattern


Ilsevel

5:46 pm on Jan 15, 2018 (gmt 0)


I couldn't find a thread about this UA. Maybe I'm bad at searching, or it's just that Russian bots really like me for some reason.

UA: Mozilla/X.0 (compatible; MSIEX.00; Windows 200X)
Protocol: HTTP/1.1
Robots.txt: No
Host/IP: Various. Usually Russian VDS services and example.com, which are from ISPs in the Netherlands and Ukraine

The X in the UA stands for random digits. Example:

[11/Jan/2018:20:46:47 -0600] "HEAD / HTTP/1.1" 403 - "REF SPAM1" "Mozilla/6.0 (compatible; MSIE2.00; Windows 2003)"
[11/Jan/2018:20:46:47 -0600] "HEAD / HTTP/1.1" 403 - "REF SPAM2" "Mozilla/3.0 (compatible; MSIE3.00; Windows 2008)"
[11/Jan/2018:20:46:47 -0600] "HEAD / HTTP/1.1" 403 - "REF SPAM3" "Mozilla/6.0 (compatible; MSIE2.00; Windows 2007)"

I'm using a 0-9 digit regex to catch it, though so far I've only seen "Mozilla/(2-8).0, MSIE(2-7).00 and Windows 200(2-9)". The referrer URLs are mainly .ru, with a sprinkling of .kz, .ua, .su, but I've also spotted .io, .com, .net and .org.

It hits at least 60 times/day, and the number of requests made in a row is also randomized.

wilderness

11:18 pm on Jan 15, 2018 (gmt 0)


FWIW, MSIE should be followed by a blank space before the Version # and that should be enough to kick the user.
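As an added illustration (not code from either poster), the following script runs both heuristics from this thread over constructed log lines in the OP's format: the OP's single-digit "Windows 200X" pattern, and wilderness's observation that a genuine MSIE token is followed by a space. The referrer URLs and the two benign lines are constructed samples.

```python
import re

# Constructed sample lines in the OP's log format. The first two mimic the
# spammer (placeholder referrers); the last two are ordinary browsers for contrast.
SAMPLE_LOG = """\
[11/Jan/2018:20:46:47 -0600] "HEAD / HTTP/1.1" 403 - "http://referrer-spam.example/" "Mozilla/6.0 (compatible; MSIE2.00; Windows 2003)"
[11/Jan/2018:20:46:47 -0600] "HEAD / HTTP/1.1" 403 - "http://another-spam.example/" "Mozilla/3.0 (compatible; MSIE3.00; Windows 2008)"
[11/Jan/2018:20:46:48 -0600] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
[11/Jan/2018:20:46:49 -0600] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0 Safari/537.36"
"""

# Fields of the OP's log format: timestamp, request, status, size, referrer, UA.
LINE_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# The OP's pattern with every X as one digit, anchored to the whole UA string.
WIN200X_RE = re.compile(r'^Mozilla/\d\.0 \(compatible; MSIE\d\.00; Windows 200\d\)$')

# wilderness's heuristic: real IE sends "MSIE <version>", so "MSIE" not followed
# by a space is malformed.
MALFORMED_MSIE_RE = re.compile(r'MSIE(?! )')

def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def classify_ua(ua):
    """Return the list of heuristics the UA triggers (empty for a clean UA)."""
    reasons = []
    if WIN200X_RE.match(ua):
        reasons.append("windows-200x-pattern")
    if MALFORMED_MSIE_RE.search(ua):
        reasons.append("msie-without-space")
    return reasons

def scan_log(text):
    """Yield (referrer, UA, reasons) for every parseable line that triggers a heuristic."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            reasons = classify_ua(rec["ua"])
            if reasons:
                hits.append((rec["referer"], rec["ua"], reasons))
    return hits

if __name__ == "__main__":
    for referer, ua, reasons in scan_log(SAMPLE_LOG):
        print(f"{ua!r} referer={referer!r} -> {', '.join(reasons)}")
```

The space check also catches the space-stripped variant lucy24 quotes further down the thread, which the OP's digit pattern alone would miss.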

keyplyr

11:33 pm on Jan 15, 2018 (gmt 0)


Blocking by IP address is likely to prove futile as these compromised ISP accounts are often used for a few days then discarded for new ones.

Are they sending any GET requests or just HEAD?

lucy24

11:52 pm on Jan 15, 2018 (gmt 0)


MSIE should be followed by a blank space before the Version #
Hey, Don, long time no see :)

Cursory log search, past year only, turns up a fair number of MSIE\d hits--every last one* with a gratifying 403 response--notably this version, which would probably trigger at least four separate alarms on your site (where “you” = wilderness, not OP or keyplyr):
Mozilla/5.0(compatible;MSIE9.0;WindowsNT6.1;Trident/5.0)
On my site most of them use auto-referers rather than referer spam, though.

I don't think I've met a Mozilla>6 yet. I do categorically block Mozilla/[0-36] but that's just belt-and-suspenders, since they are not likely to pass header tests.

:: further log check ::

Oh, looky here, I found a few "Mozilla/8,0" --that's the full UA string--with a comma, suggesting that they haven't got the hang of their Decimal Separator function (came from an ARIN range, I think a Romanian server farm).


* I re-checked and found ONE 200 response. That was a request for robots.txt--with auto-referer--and nothing else.

[edited by: lucy24 at 11:56 pm (utc) on Jan 15, 2018]

Ilsevel

11:56 pm on Jan 15, 2018 (gmt 0)


Yeah, blocking by IP would be more trouble than it's worth. I'm blocking by UA and hoping they go away and stop filling my logs with trash.

I've seen only HEAD requests in the last 15 days. If they tried something else I missed it because I've not been following it closely and the older logs are gone.

lucy24

11:58 pm on Jan 15, 2018 (gmt 0)


older logs are gone
Get in the habit of downloading them regularly so you can keep them forever. My server keeps them for 15 days, and that's only because I've changed it from the default 3 days. I park them on my HD and zip them after a year or so but keep them in the same place; that way I can tell the text editor to do either a comprehensive search, or just the not-compressed ones.

keyplyr

12:41 am on Jan 16, 2018 (gmt 0)


...so you can keep them forever
Say what now?

lucy24

2:55 am on Jan 16, 2018 (gmt 0)


Don't you keep your raw access logs somewhere? I thought for sure you would. And that “somewhere” certainly isn’t on a shared-hosting server.

keyplyr

3:11 am on Jan 16, 2018 (gmt 0)


Nope... I keep my raw logs for a few days, then delete them.

I do keep notes. I also keep my custom Analog history ( now 20 years, 2 weeks.)

Ilsevel

4:20 am on Jan 16, 2018 (gmt 0)


I know, I should give the logs a little more attention. The affected domain is a low-key portfolio; it seldom sees attacks, so I'm just not in the habit of keeping up with the logs or backing them up. I only looked at them trying to figure out pinterestbot's obsession with a long-gone page and caught the Russian spammer bot by accident.

The good news is that this bot seems to be doing fewer requests since I blocked it and might be moving on. Given that badly conceived UA I didn't have high hopes, but reasoned that maybe, just maybe, they'd be clever enough to give up after enough 403s because hey, if the target knows what they're up to, the target won't click any links, therefore any resources spent on it are completely wasted. There's a lot of other low-hanging fruit out there.

Let's not delve too deeply into the fact that someone who is tech-savvy enough to check logs usually knows better than to visit a bulk of suspicious-looking referrer sites, so this type of spam is incredibly inefficient anyway...