From: "Massimo S."
Reply-To: ml@ecomstation.it
Subject: Re: [eCS-ISP] unwanted bots
To: eCS ISP Mailing List
Organization: eComStation dot it
Date: Mon, 19 Apr 2021 21:39:30 +0200

On 19/04/2021 16:58, Steven Levine wrote:
> In , on 04/19/21
> at 11:18 AM, "Massimo S." said:
>
> Hi Massimo,
>
>> thanks, but it seems is not working
>
> Why would you expect it to?
>
> Ian, FWIW, Massimo is trying to do URL matching, which does allow
> wildcards.
>
> Massimo, that said, you are trying to match a URL to a User-Agent name
> which is almost never going to work.
>
> What you need to do is match on the bot name in the User-Agent header.
>
> I recommend you start with a logging rule so you can see what the packet
> actually contains. Barring typos, you want:
>
> Log-mj12_2-URLs
>   Comment = "Log HTTP requests for MJ bot",
>   Destination-Port = "80 443",
>   Log-Control = Enabled,
>   Log-Mask = "date time severity message rule source resolved_source prot packet_data",
>   Log-Severity = Major,
>   Hex-String = "12bot",
>   Depth = 200,
>   Rule-Action = Log,
>   Direction = Incoming
>
> Once you understand the packet you want to match on, you can convert this
> into a Deny Rule-Action, tuning the Depth and Log-Mask to optimize the
> filter performance.
>
> FWIW, if this were my problem, I would use an observe rule to blacklist
> the source.
>
> Massimo, is this really the logged URL:
>
> /referenze.html/.../referenze.html/
>
> It does not look valid to me. If you edited it, don't do that in the
> future. I am only willing to try so hard to help you.
>
> Steven

yes, the string is much longer, I've added the points too :)

thanks
massimo
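
The depth-limited payload match discussed in this message, modelled as an added example (not code from the thread or from the firewall product). It shows why a URL pattern never sees the bot name, and how a very long request path can push the User-Agent header past a fixed Depth. Assumptions: Depth counts bytes from the start of the TCP payload, matching is case-sensitive, and the requests and User-Agent string are constructed samples.

```python
# Added example: models "search for a byte string in the first N payload bytes".
# Assumption: Depth is measured from the start of the TCP payload; the real
# firewall may count from a different offset, so verify with the logging rule.

NEEDLE = b"12bot"  # string used in the logging rule quoted above
# Constructed User-Agent value, not copied from a captured packet.
SAMPLE_UA = "Mozilla/5.0 (compatible; MJ12bot/v0.0; constructed sample)"


def build_request(path: str, user_agent: str = SAMPLE_UA) -> bytes:
    """Build a constructed HTTP/1.1 GET request as it would appear on the wire."""
    lines = [
        f"GET {path} HTTP/1.1",
        "Host: www.example.com",
        "Accept: */*",
        f"User-Agent: {user_agent}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def url_matches(path: str, needle: bytes = NEEDLE) -> bool:
    """What a URL-only rule can see: the request path, never the headers."""
    return needle in path.encode("ascii")


def payload_matches(payload: bytes, depth: int, needle: bytes = NEEDLE) -> bool:
    """True only if the needle lies completely inside the first `depth` bytes."""
    return needle in payload[:depth]


def min_depth(payload: bytes, needle: bytes = NEEDLE):
    """Smallest depth that still catches the needle, or None if it is absent."""
    pos = payload.find(needle)
    return None if pos < 0 else pos + len(needle)


if __name__ == "__main__":
    short_path = "/referenze.html"
    long_path = "/referenze.html/" * 20  # constructed stand-in for a very long URL
    for path in (short_path, long_path):
        req = build_request(path)
        print(f"path_len={len(path):4d} url_match={url_matches(path)} "
              f"depth200={payload_matches(req, 200)} needed={min_depth(req)}")
```

When the logged packet_data shows the bot name beyond the configured Depth, raise Depth to at least the reported offset before converting the rule to Deny.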