They're playing with us...
Found this from the Bulgarians in my log file:
- 200.196.101.98 - - [11/Jul/2005:01:09:22 -0400] "GET /r/blog/198 HTTP/1.1" 404 24 "http://www.available-credit.com/mortgage-loans.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
- 200.196.101.98 - - [11/Jul/2005:01:09:26 -0400] "GET /r/blog/198 HTTP/1.1" 404 24 "http://www.available-credit.com/mortgage-loans.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
- 69.10.151.18 - - [11/Jul/2005:01:09:46 -0400] "GET /r/blog/198 HTTP/1.0" 200 4641 "-" "-"
- 200.196.101.98 - - [11/Jul/2005:01:10:22 -0400] "POST /r/blog/rdpress/198.comment HTTP/1.1" 404 24 "http://rdmsoft.com/r/blog/198" "Mozilla/4.0 (compatible; MSIE 5.0; Windows ME) Opera 5.11 [en]"
- 200.196.101.98 - - [11/Jul/2005:01:16:05 -0400] "POST /r/blog/rdpress/198.comment HTTP/1.1" 404 1856 "http://rdmsoft.com/r/blog/198" "Mozilla/4.0 (compatible; MSIE 5.0; Windows ME) Opera 5.11 [en]"
- 204.83.150.116 - - [11/Jul/2005:01:16:11 -0400] "POST /r/blog/rdpress/198.comment HTTP/1.0" 404 234 "http://rdmsoft.com/r/blog/198" "Mozilla/4.0 (compatible; MSIE 5.0; Windows ME) Opera 5.11 [en]"
The first two requests got caught by my check for the X-AAAAAAAAAAAA header. These spammers have been sending distinctive headers like this for a while, and nobody really knows why. It makes them easy to filter, until they suddenly change.
However, the other hits didn't have this header. Okay, so my other filters still blocked them, but it's a bit disconcerting to see that they're actually surveying my blocking skills...
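The six log lines above can be correlated by client address and User-Agent to show how the requests relate, which the access log supports even though it does not record request headers such as X-AAAAAAAAAAAA. This Python sketch is an added example, not part of the original post or the site's filters; the function names `parse` and `correlate` are hypothetical.

```python
import re
from collections import defaultdict

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Sample input: the six log lines quoted in the post, list markers removed.
LOG = '''\
200.196.101.98 - - [11/Jul/2005:01:09:22 -0400] "GET /r/blog/198 HTTP/1.1" 404 24 "http://www.available-credit.com/mortgage-loans.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
200.196.101.98 - - [11/Jul/2005:01:09:26 -0400] "GET /r/blog/198 HTTP/1.1" 404 24 "http://www.available-credit.com/mortgage-loans.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
69.10.151.18 - - [11/Jul/2005:01:09:46 -0400] "GET /r/blog/198 HTTP/1.0" 200 4641 "-" "-"
200.196.101.98 - - [11/Jul/2005:01:10:22 -0400] "POST /r/blog/rdpress/198.comment HTTP/1.1" 404 24 "http://rdmsoft.com/r/blog/198" "Mozilla/4.0 (compatible; MSIE 5.0; Windows ME) Opera 5.11 [en]"
200.196.101.98 - - [11/Jul/2005:01:16:05 -0400] "POST /r/blog/rdpress/198.comment HTTP/1.1" 404 1856 "http://rdmsoft.com/r/blog/198" "Mozilla/4.0 (compatible; MSIE 5.0; Windows ME) Opera 5.11 [en]"
204.83.150.116 - - [11/Jul/2005:01:16:11 -0400] "POST /r/blog/rdpress/198.comment HTTP/1.0" 404 234 "http://rdmsoft.com/r/blog/198" "Mozilla/4.0 (compatible; MSIE 5.0; Windows ME) Opera 5.11 [en]"
'''

def parse(log):
    """Return one dict per well-formed line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.search, log.splitlines()) if m]

def correlate(entries):
    """Group requests to expose clients that look like one automated tool."""
    agents_by_ip = defaultdict(set)
    ips_by_agent = defaultdict(set)
    for e in entries:
        agents_by_ip[e["ip"]].add(e["agent"])
        if e["agent"] != "-":
            ips_by_agent[e["agent"]].add(e["ip"])
    return {
        # One address presenting several browser identities.
        "ips_switching_agent": sorted(
            ip for ip, agents in agents_by_ip.items() if len(agents) > 1),
        # One identical browser string arriving from several addresses.
        "agents_shared_by_ips": {
            a: sorted(ips) for a, ips in ips_by_agent.items() if len(ips) > 1},
        # Requests that send neither a Referer nor a User-Agent.
        "blank_agent_and_referer": sorted(
            {e["ip"] for e in entries if e["agent"] == "-" and e["referer"] == "-"}),
    }

if __name__ == "__main__":
    for key, value in correlate(parse(LOG)).items():
        print(key, value)
```
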
Tags: spam / Posted on 11 Jul 2005 at 11:59
Rob Marshall