this one is driving me nuts - beavermails.com

[KirkColvin747]

HUGE server load, diff. IPs, all preceeded by google js (which is on our webpages), and then the GET entry of an ad from referrer beavermails.com.

Anyone seen this crap before? Is our server acting as proxy for them?

-Kirk

main site is www.snarfware.com

61.173.199.214 - - [22/Dec/2006:07:19:44 -0500] "GET http://www.google-analytics.com/urchin.js HTTP/1.0" 404 10844 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)"
61.173.199.214 - - [22/Dec/2006:07:21:24 -0500] "GET http://popunder.adsrevenue.net/link...s=I2&isframe=false&bk=1&serverfile=popnetwork HTTP/1.0" 301 742 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)

 

[lostinspace]

HUGE server load, diff. IPs, all preceeded by google js (which is on our webpages), and then the GET entry of an ad from referrer beavermails.com.

Anyone seen this crap before? Is our server acting as proxy for them?

-Kirk

main site is www.snarfware.com

61.173.199.214 - - [22/Dec/2006:07:19:44 -0500] "GET http://www.google-analytics.com/urchin.js HTTP/1.0" 404 10844 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)"
61.173.199.214 - - [22/Dec/2006:07:21:24 -0500] "GET http://popunder.adsrevenue.net/link...s=I2&isframe=false&bk=1&serverfile=popnetwork HTTP/1.0" 301 742 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)

Personally, I'd ban the subnet. Unless you'll miss hits from China?

Also, are the loads caused from numerous connections? If so, there's some nice FW's that will temp ban IPs based on connections (Chirpy's CSF/LFD combo for example).