Somebody is creating some strange log activity and I'm having trouble figuring out why.

216.40.34.229 www.bkweddings.com - [01/Sep/2005:23:25:47 -0700] "HEAD /wedding-s ongs/index.xml HTTP/1.1" 200 - "-" "-" "-"

I'm seeing groups of 6 HEAD requests followed by 2 GET requests for the same file - all with the same timestamp except for the second GET request, which occurs one second later. It's happening very frequently - and intermittently. It'll happen every 6 or so minutes for a period, then it will hold off for a few hours, then it comes back again. It's happening on several files - but all of them are RSS feeds. I don't want to ban an aggregator like syndic8 or feedster, and HEAD requests are pretty light anyways, but this level of activity is strangely high and all coming from the same IP. It doesn't identify itself as a spider and magpie type aggregators usually identify themselves. Why take 6 HEAD requests anyways? It just doesn't make sense. The IP resolves to TUCOWS.COM, but they do virtual hosting so it could be anyone.
How did you determine the IP resolves to tucows.com? I see this:

host 216.40.34.229
229.34.40.216.in-addr.arpa domain name pointer fc-e1.feedcache.net.
D'oh! Lack of sleep. I did a whois lookup on the IP rather than a reverse DNS lookup. I decided to ban the IP since their activity doesn't make any sense, they don't have a web site, and they visit way too frequently for a bot.
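One way to measure the pattern described in the first post (same-second groups of HEAD and GET requests for one feed from one IP) before deciding on a ban. This is an added example, not code from the thread; the function names, the 2-second window, the 4-request threshold and the sample log lines are assumptions made for the illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Layout of the log line quoted in the first post. Assumption: the three
# trailing quoted fields are referer, user agent and one unused field.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"')

def parse(line):
    m = LINE.match(line)
    if not m:
        return None  # skip lines that do not fit the layout
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_bursts(lines, window=timedelta(seconds=2), min_requests=4):
    """Per (ip, path), report runs in which each request follows the
    previous one within `window` and the run has >= min_requests hits."""
    by_key = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        by_key[(rec["ip"], rec["path"])].append(rec)
    bursts = []
    for (ip, path), recs in by_key.items():
        recs.sort(key=lambda r: r["ts"])
        run = [recs[0]]
        for rec in recs[1:] + [None]:  # None flushes the last run
            if rec is not None and rec["ts"] - run[-1]["ts"] <= window:
                run.append(rec)
                continue
            if len(run) >= min_requests:
                bursts.append({"ip": ip, "path": path, "start": run[0]["ts"],
                               "methods": dict(Counter(r["method"] for r in run)),
                               "blank_agent": all(r["agent"] in ("", "-") for r in run)})
            run = [rec]
    return sorted(bursts, key=lambda b: b["start"])

def sample_lines():  # constructed log lines, not taken from the thread
    fmt = ('{ip} www.example.com - [01/Sep/2005:{t} -0700] '
           '"{m} /feed/index.xml HTTP/1.1" 200 - "-" "{ua}" "-"')
    bot, lines = "192.0.2.10", []
    for t0, t1 in (("23:25:47", "23:25:48"), ("23:31:50", "23:31:51")):
        lines += [fmt.format(ip=bot, t=t0, m="HEAD", ua="-")] * 6
        lines += [fmt.format(ip=bot, t=t, m="GET", ua="-") for t in (t0, t1)]
    lines.append(fmt.format(ip="198.51.100.7", t="23:26:10", m="GET", ua="ExampleReader/1.0"))
    return lines
```

Passing the lines of a real access log to find_bursts gives one record per burst, so the interval between bursts and the blank user agent can be checked per IP and per feed.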