Author: G.Jennings (21 Apr 13 9:48am)
This is about a known bot that varies it's IP addresses but uses the same User Agent. Just thought I'd share.
I have a website with three things on it: 1) a static (HTML) main page; 2) a PHP blog (my own code); and 3) a PHP page that allows comments.
It looked like the spammer moved on, then, as the POSTs stopped. But no. The spammer invited "friends" to read that page. That page with the spammer's spam -- all porno links -- kept getting hundreds of reads for two days, that's how I discovered it.
(In an odd coincidence, the PHP mistake was made day one, the spammer detected it day two, and I detected them day four.)
I fixed the code. And I ban all reads by that User Agent.
It is now ten days later and that page it still getting reads by bots -- always with different IP addresses but with that same UA -- and they are all issued 404s, yet still they come!
In addition, my static HTML page, every once in a while, gets multiple reads with differing referrers, but with that same UA. (Nine within 3 seconds with 4 different referrers for example.)
(In a perhaps related thing is that my base site, '/', gets read, every once in a while, three times in a row with an odd referrer using an odd (uncommon and old) UA. Very strange and obviously looking for an exploit.)