I love irony!
It turns out that some of the suspensions my account had been getting were kinda valid. I was suspended the last two nights so I checked my access logs (again) and found something fun:
208.80.195.121 - - [24/Aug/2009:00:18:15 -0500] "GET /boejekwaejoqgr.html?bffqg HTTP/1.0" 404 19961 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts; Assiniboine Community College; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
208.80.195.121 - - [24/Aug/2009:00:18:14 -0500] "GET /boejekwaejoqgr.html?xcrger HTTP/1.0" 404 19961 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; YComp 5.0.0.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)"
208.80.195.121 - - [24/Aug/2009:00:18:15 -0500] "GET /boejekwaejoqgr.html?xazpc HTTP/1.0" 404 19961 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Avant Browser; Avant Browser; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)"
208.80.195.121 - - [24/Aug/2009:00:18:14 -0500] "GET /boejekwaejoqgr.html?seoibbaqm HTTP/1.0" 404 19961 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Ringo)"
208.80.195.121 - - [24/Aug/2009:00:18:14 -0500] "GET /boejekwaejoqgr.html?symaor HTTP/1.0" 404 19961 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts; YPC 3.2.0; .NET CLR 1.1.4322; IEMB3; yplus 5.1.04b)"
There are a few hundred entries like that. It seems that a bot somewhere has been running so many requests against my host that it triggered the CPU limit for my host. The irony comes in if you run WHOIS on the IP address, it goes back to Websense. That gave me a good laugh this morning.
I don’t get the irony. Is Websense your internet provider? Is it DOS’ing itself?
Damn… I must just do funny wrong… you’re the second person I’ve had to explain this to. Websense is a network security and content filtering company. It is ironic, and funny, that they would have a bot on their network spamming external websites. Even more so if you know the history.
The file that the host is trying to access is an html file that was injected into my website a few months ago that contained a java script that sent spam through smtp. Websense also has an email filtering solution.