From: "Steven Levine"
Date: Mon, 19 Apr 2021 07:58:08 -0700
To: "eCS ISP Mailing List"
Subject: Re: [eCS-ISP] unwanted bots
X-Mailer: MR/2 Internet Cruiser Edition for OS/2 v3.00.11.21 BETA/60

In , on 04/19/21 at 11:18 AM, "Massimo S." said:

Hi Massimo,

>thanks, but it seems is not working

Why would you expect it to?

Ian, FWIW, Massimo is trying to do URL matching, which does allow wildcards.

Massimo, that said, you are trying to match a URL to a User-Agent name,
which is almost never going to work. What you need to do is match on the
bot name in the User-Agent header. I recommend you start with a logging
rule so you can see what the packet actually contains. Barring typos, you
want:

  Log-mj12_2-URLs
    Comment = "Log HTTP requests for MJ bot",
    Destination-Port = "80 443",
    Log-Control = Enabled,
    Log-Mask = "date time severity message rule source resolved_source prot packet_data",
    Log-Severity = Major,
    Hex-String = "12bot",
    Depth = 200,
    Rule-Action = Log,
    Direction = Incoming

Once you understand the packet you want to match on, you can convert this
into a Deny Rule-Action, tuning the Depth and Log-Mask to optimize the
filter performance.

FWIW, if this were my problem, I would use an observe rule to blacklist
the source.

Massimo, is this really the logged URL:

  /referenze.html/.../referenze.html/

It does not look valid to me. If you edited it, don't do that in the
future. I am only willing to try so hard to help you.

Steven

-- 
----------------------------------------------------------------------
"Steven Levine"
Warp/DIY/BlueLion etc. www.scoug.com www.arcanoae.com www.warpcave.com
----------------------------------------------------------------------
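Added example, not part of the message above and not the firewall's own code: a Python sketch of what the logging rule is meant to reveal, comparing a raw "12bot" byte match within the first 200 payload bytes against a match on the parsed User-Agent header. It assumes Depth limits the search to the first N payload bytes and that the request is plaintext HTTP (on port 443 the payload is TLS-encrypted, so a packet filter does not see the header bytes); the sample requests and the helper names are constructed for illustration.

```python
from typing import Optional, Tuple

NEEDLE = b"12bot"   # byte string from the rule in the message
DEPTH = 200         # Depth value from the rule in the message

def user_agent(payload: bytes) -> Optional[bytes]:
    """Return the User-Agent value of a plaintext HTTP request, if present."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"user-agent":
            return value.strip()
    return None

def check(payload: bytes, needle: bytes = NEEDLE, depth: int = DEPTH) -> Tuple[bool, bool]:
    """(raw_hit, ua_hit): hit in the first `depth` bytes vs. hit in the header value."""
    raw_hit = needle in payload[:depth]           # assumed Depth semantics
    ua = user_agent(payload)
    return raw_hit, ua is not None and needle in ua

def min_depth(payload: bytes, needle: bytes = NEEDLE) -> Optional[int]:
    """Smallest depth at which the raw match succeeds, or None if it never does."""
    pos = payload.find(needle)
    return None if pos < 0 else pos + len(needle)

def request(path: str, ua: str) -> bytes:
    """Build a constructed plaintext HTTP/1.1 request."""
    return (f"GET {path} HTTP/1.1\r\nHost: www.example.com\r\n"
            f"User-Agent: {ua}\r\nAccept: */*\r\n\r\n").encode("latin-1")

# Constructed sample traffic (not taken from the poster's logs).
BOT_UA = "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0"
SAMPLES = {
    "bot, short URL": request("/index.html", BOT_UA),
    "bot, long URL": request("/section" * 30 + "/index.html", BOT_UA),
    "browser, '12bot' in URL": request("/blog/12bot-review.html", BROWSER_UA),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        raw, ua = check(pkt)
        print(f"{label:26} raw_hit={raw!s:5} ua_hit={ua!s:5} min_depth={min_depth(pkt)}")
```

A long request line pushes the User-Agent header past byte 200, and a raw substring can also hit in the URL of an ordinary browser request, which is why the logged packet data should drive the final Depth value before the rule is switched to Deny.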