1

I keep seeing this HTTP header in the blocked HTTP requests on my web server for a lot of separate applications:

Conexão:fechada

Which is in Portuguese, and it means: Connection: closed

This header contains a an Illegal character by the RFC, this is why it is blocked.

All of these requests look the same:

GET /   HTTP/1.1
Accept: text/html 
Cache-Control: no-cache 
Proxy-Connection: Keep-Alive 
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)                   
Pragma: no-cache 
Cache-Control: no-cache 
**Conexo: fechada**  
Host: xxxxxxxxxxxxxxxxxxxxxx

The thing these are coming from multiple source IPs, and coming to many non related web applications...

Korjavin Ivan
  • 2,250
  • 2
  • 26
  • 41
  • 2
    This is funny! Looks like someone went a bit too far with localizing strings in software :). What are the other associated headers? It would be easier to figure out which application it is if you posted all the headers in that request. – snap Aug 03 '11 at 09:17
  • 1
    My guess is that it is a spambot or similar... thus better to filter it than let it through. The User-Agent does not look like anyone friendly (not a genuine browser and not a friendly bot either). BTW, you probably should not post additional information as answers. When you need to add something, either put it in comments or edit the original question. – snap Aug 03 '11 at 09:51
  • Probably some kind of a bot, because I am not getting complains about from blocked users. Thanks for the tip. –  Aug 03 '11 at 10:01

0 Answers0