Continuous Low level (every 4 minutes) visitation

tofinosurfer

1:22 am on Nov 18, 2003 (gmt 0)

I post this after investing over 30 hours in this issue over the past two months. I am on top of the basics now, including 3rd generation trojans and DDoS. My situation does not have the feel of any of these.

(An almost identical thread was started a while back on this topic, but was not resolved satisfactorily.)

Our site (and none of our hosted clients) is being continuously visited every few minutes, from different IPs (occasionally a common block), many hosts (although sympatico.ca is very common), and every time using Win98 and MSIE 5.5. They grab the index page (about 10K) and leave, and are consuming a noticeable amount of bandwidth. I

I originally added a few lines of PHP on our index page to boot out the Win98/MSIE combination, wasting a few hundred bytes in the process, but this seems clunky and potentially limiting to potential (legitimate) visitors, so I removed the PHP to avoid any awkwardness.

1. Are these visitations suspicious? Zombies? Packet switchers?

2. Is there a way to block them further upstream?

Thanks in advance

Glen MacPherson

[edited by: engine at 8:22 pm (utc) on Nov. 18, 2003]
[edit reason] No sigs, thanks. See TOS [webmasterworld.com] [/edit]

brotherhood of LAN

6:37 pm on Nov 18, 2003 (gmt 0)

Welcome to W.World tofino,

>1. Are these visitations suspicious?

They could well be. I'd prefer to think someone is fiddling around with a robot and they're testing on your page, or perhaps someone's set their home page as yours. There could be a number of reasons. It really depends on what you want to classify as suspicious.

>Ways to block

If you are on Apache, mod_rewrite is the favourite solution for a lot of the people round here; there are a few threads on that if you're interested and run Apache. Try searching "site:webmasterworld.com mod_rewrite" on Google for threads on it. That's one way to catch those hits further "upstream". There's also an Apache forum in the safe hands of jdmorgan, well worth checking out ;)

//added
Feel free to post a snippet of what you're seeing in your logs.

asquithea

7:54 pm on Nov 18, 2003 (gmt 0)

I can't see an obvious solution to the problem, and I don't recognize the pattern, either.

I would continue to match the user agent in PHP, but rather than booting them out, direct them to a very small page. On that page you could try out some redirection techniques, from meta refresh to Javascript, and see if the intruder follows it. Once redirected, you can filter the user by the referring webpage.

Hopefully the intruder is just mimicking the UA string for IE, and doesn't actually process the page in the same way as a browser. If they do, however, I can't see that you can do much except request the user to click a link. You could also set a cookie when they follow the link to prevent them seeing that page again -- something a zombie is unlikely to handle without manual intervention on each machine.

Just some ideas -- hopefully someone can tell you what the real problem is.
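One way to wire the two suggestions above together, as an added example that is not code posted in this thread: brotherhood of LAN's point about catching the hits in mod_rewrite before any PHP runs, and asquithea's idea of sending the matching user agent to a very small page and only letting it through to the real index once it has followed a link (recorded here in a cookie, as asquithea proposes). Everything below is an assumption for illustration: Apache with mod_rewrite enabled and the rules in the document-root .htaccess, the file name challenge.html, the path /enter, the cookie name passed, and the domain .example.com are all placeholders, and the exact "MSIE 5.5" / "Windows 98" tokens should be checked against the actual log lines.

```apache
# .htaccess in the document root (added example, not from the thread).
# Assumes mod_rewrite is loaded and AllowOverride permits FileInfo.
RewriteEngine On

# The OP's visitors present MSIE 5.5 on Windows 98 and send no Referer.
# The UA tokens are an assumption; confirm them against your access log.
RewriteCond %{HTTP_USER_AGENT} "MSIE 5\.5" [NC]
RewriteCond %{HTTP_USER_AGENT} "Windows 98" [NC]
RewriteCond %{HTTP_REFERER}    ^$
# ...and that have not yet followed the link on the challenge page
# (cookie name "passed" is a placeholder).
RewriteCond %{HTTP_COOKIE}     !(^|;\s*)passed=1
# Only the index page is hit: "" is a request for "/", or index.php.
# Internal rewrite (no redirect): a robot that ignores HTML never gets
# the 10K index, only the few hundred bytes of challenge.html.
RewriteRule ^(index\.php)?$ /challenge.html [L]

# challenge.html holds one ordinary link to /enter (placeholder path).
# Following it means the client either clicked or followed the link
# itself, and its Referer shows where it came from; set the cookie and
# send it on to the real index. Cookie lifetime is in minutes (1440 = one
# day); .example.com is a placeholder for the site's own domain.
RewriteCond %{HTTP_REFERER} /challenge\.html$
RewriteRule ^enter$ / [CO=passed:1:.example.com:1440:/,R=302,L]
```

Two caveats a practitioner would want. First, the user agent, Referer and cookie are all chosen by the client, so this filters the pattern the OP is seeing, not the actor behind it; a zombie that drives a real browser will follow the link, receive the cookie and pass straight through, which is exactly the case asquithea says is hard to stop. Second, legitimate Windows 98 / IE 5.5 visitors now see one extra click before the index, so keep challenge.html tiny and plain, and watch the log for how many of the every-four-minutes hits actually reach /enter versus stop at challenge.html; that count answers the OP's first question better than the UA string does. A quick check from the command line is something like `curl -i -A "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)" http://yourhost/` (the UA string here is an illustrative guess), which should return the challenge page rather than the index.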

tofinosurfer

8:19 pm on Nov 18, 2003 (gmt 0)

Thank you for your suggestions; I will implement the redirect, in addition to ideas supplied in a different forum, and let you know the result.

Glen MacPherson

[edited by: engine at 8:23 pm (utc) on Nov. 18, 2003]
[edit reason] No sigs, thanks. See TOS [webmasterworld.com] [/edit]

jatar_k

8:21 pm on Nov 18, 2003 (gmt 0)

Welcome to WebmasterWorld tofinosurfer,

Have you taken a look to see if there are any referers? Are they always just straight in, hit the main page and leave?

You actually from Tofino? I'm from Van myself. :)

tofinosurfer

10:14 pm on Nov 18, 2003 (gmt 0)

Not from Tofino, just a former wannabe surf bum.

These visitors show no referrer, and I suspect that the IPs are spoofed, among other variables. I suspect that they are using Win98/MSIE5.5 because it is the most common config on the internet (or nearly).

Cheers.

Glen