Re: [Hampshire] apache block invalid IP address

Author: John Cooper
Date:  
To: lug, Hampshire LUG Discussion List
Subject: Re: [Hampshire] apache block invalid IP address
On 15/07/10 16:03, Vic wrote:
>
>> It could be the spammer has a malformed request.
>
> That might be so - but wouldn't[2] give rise to what you're seeing. HTTP
> goes over TCP, so Apache *must* have known the IP address it was talking
> to when the request was made. The fact that you're not seeing that IP
> address in the log file is worrying - and that is undoubtedly the bit that
> needs fixing first.
>
> Once you have the IP address(es), the rest is easy. I'd check your log
> format directives in the Apache config.
>
> Vic.
>
> [1] IPv6 addresses may omit many values, but IPv6 addresses use lots of
> colons, not dots.
>
> [2] Unless Apache has some serious bug of which I am unaware.
>
>



As the rest of the logs are fine, my guess is the spammer is using some
control character sequence which is corrupting parsing of the logs for
IP address (I spent most of last year trawling through web access logs
and didn't see this type of log entry).

Did a bit of checking out anonymous/proxy sites and eventually recreated
the log entry.

http://www.mywebtunnel.com/ uses different proxies at random, some you
can ban like

te01.techentrance.com - - [15/Jul/2010:22:22:22 -0600] "GET /cgi-bin/forum.pl HTTP/1.0" 403 745 "http://silverwing.org" "Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.2.4) Gecko/20100622 Fedora/3.6.4-1.fc13 Firefox/3.6.4"

Others like this one have the "." shown and cannot be blocked using htaccess

http://www.8cap.info/browse.php?u=Oi8vc2lsdmVyd2luZy5vcmc%3D&b=3&f=norefer

. - - [15/Jul/2010:22:23:03 -0600] "GET / HTTP/1.1" 200 9032 "-" "Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.2.4) Gecko/20100622 Fedora/3.6.4-1.fc13 Firefox/3.6.4"


Any ideas?

--
--------------------------------------------------------------
Discover Linux - Open Source Solutions to Business and Schools
http://discoverlinux.co.uk
--------------------------------------------------------------
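
Added example, not part of the original message: a small checker that reads combined-format access log lines and reports entries whose host field is neither an IP address nor a well-formed hostname, such as the "." entry above. The names classify_host and audit are hypothetical, and the sample uses the two entries quoted in the message plus one constructed line.

```python
import ipaddress
import re

# Apache "combined" layout: host ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "[^"]*"$'
)
# One DNS label: letters, digits and hyphens, with no leading or trailing hyphen.
LABEL = re.compile(r'^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$')

def classify_host(host):
    """Return 'ip', 'hostname' or 'invalid' for the first field of a log line."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        pass
    name = host[:-1] if host.endswith(".") else host  # tolerate a trailing root dot
    if name and len(name) <= 253 and all(LABEL.match(p) for p in name.split(".")):
        return "hostname"
    return "invalid"  # includes the bare "." seen in the message

def audit(lines):
    """Return (line_number, reason) for entries whose client cannot be identified."""
    findings = []
    for number, raw in enumerate(lines, 1):
        match = COMBINED.match(raw.rstrip("\n"))
        if match is None:
            findings.append((number, "unparseable line"))
        elif classify_host(match.group("host")) == "invalid":
            findings.append((number, "invalid host field %r" % match.group("host")))
    return findings

AGENT = ('"Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.2.4) '
         'Gecko/20100622 Fedora/3.6.4-1.fc13 Firefox/3.6.4"')
SAMPLE = [
    # The two entries quoted in the message, re-joined onto single lines.
    'te01.techentrance.com - - [15/Jul/2010:22:22:22 -0600] '
    '"GET /cgi-bin/forum.pl HTTP/1.0" 403 745 "http://silverwing.org" ' + AGENT,
    '. - - [15/Jul/2010:22:23:03 -0600] "GET / HTTP/1.1" 200 9032 "-" ' + AGENT,
    # Constructed entry using a documentation address (RFC 5737).
    '192.0.2.10 - - [15/Jul/2010:22:24:00 -0600] "GET / HTTP/1.1" 200 9032 "-" ' + AGENT,
]

if __name__ == "__main__":
    for number, reason in audit(SAMPLE):
        print("line %d: %s" % (number, reason))
```

In an Apache LogFormat, %h is the remote host field this checks (a hostname when lookups are enabled), while %a records the client IP address.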