A very large but sneakily slow bot-net?

Anyone who runs a server is used to it being attacked by compromised machines which target their SSH services, their web services and their email services.

The attack on the email services takes two forms: either trying to relay email through the SMTP server or trying to break into the POP3 server using a list of known logons and a password list in a classic brute force attack. I use Fail2ban to control access to the SMTP and POP3/IMAP services and it’s pretty good at identifying rogues and firewalling them, but I still do manual checks from time to time.

The other day I noticed something … I was getting POP3/IMAP attempts at a very low rate, so slow in fact that Fail2ban didn’t notice them:

May  4 00:47:41 Debussy dovecot: imap-login: Disconnected (auth failed,
1 attempts in 8 secs): user=<colin@a.domain.here>, method=PLAIN,
rip=94.137.142.49, lip=192.168.0.1, session=
May  4 21:49:14 Debussy dovecot: imap-login: Disconnected (auth failed,
1 attempts in 7 secs): user=, method=PLAIN, rip=94.137.142.49,
lip=192.168.0.1, session=
May  5 08:38:48 Debussy dovecot: imap-login: Disconnected (auth failed,
1 attempts in 7 secs): user=<michael@a.domain.here>, method=PLAIN,
rip=94.137.142.49, lip=192.168.0.1, session=
May  5 14:00:00 Debussy dovecot: imap-login: Disconnected (auth failed,
1 attempts in 7 secs): user=<paul@a.domain.here>, method=PLAIN,
rip=94.137.142.49, lip=192.168.0.1, session=
May  5 23:39:19 Debussy dovecot: imap-login: Disconnected (auth failed,
1 attempts in 7 secs): user=, method=PLAIN, rip=94.137.142.49,
lip=192.168.0.1, session=
May  6 03:27:11 Debussy dovecot: imap-login: Disconnected (auth failed,
1 attempts in 7 secs): user=<doug@a.domain.here>, method=PLAIN,
rip=94.137.142.49, lip=192.168.0.1, session=
May  6 13:11:27 Debussy dovecot: imap-login: Disconnected (auth failed,
1 attempts in 7 secs): user=<paul@a.domain.here>, method=PLAIN,
rip=94.137.142.49, lip=192.168.0.1, session=
May  7 00:41:22 Debussy dovecot: imap-login: Disconnected (auth failed,
1 attempts in 7 secs): user=, method=PLAIN,
rip=94.137.142.49, lip=192.168.0.1, session=<5Y+2iuNOpgBeiY4x>
May  7 14:42:16 Debussy dovecot: imap-login: Disconnected (auth failed,
1 attempts in 7 secs): user=<doug@a.domain.here>, method=PLAIN,
rip=94.137.142.49, lip=192.168.0.1, session=

But, I hear you say, why do I think there is a bot-net… it’s just one machine doing infrequent tests against the server… and yes, that’s what I thought until I started grepping through the mail logs, which produced this (the timestamps covered about 40 minutes). This output has not been sorted…

user=<richard@a.domain.here>, method=PLAIN, rip=60.170.102.230,
user=<richard@a.domain.here>, method=PLAIN, rip=61.157.248.26,
user=<richard>, method=PLAIN, rip=216.248.98.187,
user=<postmaster@a.domain.here>, method=PLAIN, rip=218.77.80.51,
user=<postmaster>, method=PLAIN, rip=117.245.10.224,
user=<steve@a.domain.here>, method=PLAIN, rip=124.237.78.194,
user=<steve>, method=PLAIN, rip=61.153.45.118,
user=<drtone@a.domain.here>, method=PLAIN, rip=116.193.216.45,
user=<drtone>, method=PLAIN, rip=61.190.99.62,
user=<michael@a.domain.here>, method=PLAIN, rip=61.161.149.50,
user=<michael>, method=PLAIN, rip=58.17.124.27,
user=<paul@a.domain.here>, method=PLAIN, rip=58.17.221.4,
user=<paul>, method=PLAIN, rip=221.176.112.45,
user=<richard_s@a.domain.here>, method=PLAIN, rip=90.182.190.75,
user=<richard_s>, method=PLAIN, rip=117.255.213.103,
user=<richard@a.domain.here>, method=PLAIN, rip=125.74.189.200,
user=<richard>, method=PLAIN, rip=223.244.233.13,
user=<simon@a.domain.here>, method=PLAIN, rip=43.249.226.77,
user=<simon>, method=PLAIN, rip=187.210.15.121,
user=<colin@a.domain.here>, method=PLAIN, rip=218.106.153.152,
user=<colin>, method=PLAIN, rip=193.150.73.22,
user=<drtone@a.domain.here>, method=PLAIN, rip=193.164.95.16,
user=<drtone>, method=PLAIN, rip=213.208.177.228,
user=<doug@a.domain.here>, method=PLAIN, rip=218.22.96.76,
user=<doug>, method=PLAIN, rip=221.212.18.14

So what we have here is multiple IP addresses all attacking my email server using addresses which are not being tried at random. So username@a.domain.here is always tried before username … even though the attempts come from different IP addresses. So something must be controlling these attempts.

I put in a new Fail2ban rule to trap Dovecot “Disconnected (auth failed” messages like:

imap-login: Disconnected (auth failed, 1 attempts in 9 secs):

When I put this jail in the ban emails came flowing in… primarily from China, but some from OVH and some from GoDaddy.

As at 19:30 on May 8th, 653 IP addresses have been added to the firewall since I put the rule in just before lunch on Sunday May 7th.
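
The correlation done by hand above (many addresses, each failing too rarely to trip a per-IP threshold, yet walking the same ordered list of usernames) can be automated. The following Python is an added example, not code from the original post; the sample log lines, year, function names and thresholds are all assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the shape of the dovecot lines above; host name,
# users and addresses (RFC 5737 documentation ranges) are made up.
_FAIL = ("{ts} mail dovecot: imap-login: Disconnected (auth failed, "
         "1 attempts in 7 secs): user=<{user}>, method=PLAIN, rip={rip}, "
         "lip=192.0.2.1, session=<x>")
SAMPLE_LOG = "\n".join([
    _FAIL.format(ts="May  7 10:00:05", user="alice@example.test", rip="198.51.100.10"),
    _FAIL.format(ts="May  7 10:01:40", user="alice", rip="203.0.113.20"),
    _FAIL.format(ts="May  7 10:03:12", user="bob@example.test", rip="198.51.100.77"),
    _FAIL.format(ts="May  7 10:04:50", user="bob", rip="203.0.113.5"),
    "May  7 10:05:00 mail dovecot: imap-login: Login: user=<carol>, rip=192.0.2.50",
    _FAIL.format(ts="May  7 10:06:30", user="carol@example.test", rip="198.51.100.200"),
    _FAIL.format(ts="May  7 10:08:01", user="carol", rip="203.0.113.99"),
])

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: (?:imap|pop3)-login: "
    r"Disconnected \(auth failed, \d+ attempts in \d+ secs\): "
    r"user=<(?P<user>[^>]*)>, method=\S+ rip=(?P<rip>[0-9A-Fa-f.:]+),")

def parse_failures(text, year):
    """Return time-ordered (when, user, rip) tuples for auth-failed disconnects."""
    out = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:  # syslog timestamps carry no year, so the caller supplies it
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((when, m["user"], m["rip"]))
    return sorted(out)

def low_rate_sources(failures, maxretry=3):
    """IPs whose failure count stays under a per-IP maxretry threshold."""
    counts = Counter(rip for _, _, rip in failures)
    return {ip for ip, n in counts.items() if n < maxretry}

def paired_attempts(failures, max_gap=timedelta(minutes=5)):
    """Find 'name@domain' followed directly by bare 'name' from a different IP."""
    pairs = []
    for (t1, u1, ip1), (t2, u2, ip2) in zip(failures, failures[1:]):
        local, sep, _domain = u1.partition("@")
        if sep and local and u2 == local and ip1 != ip2 and t2 - t1 <= max_gap:
            pairs.append((local, ip1, ip2))
    return pairs

def looks_coordinated(failures, maxretry=3, min_sources=4, min_pairs=2):
    """True when many under-threshold IPs walk the same ordered username list."""
    return (len(low_rate_sources(failures, maxretry)) >= min_sources
            and len(paired_attempts(failures)) >= min_pairs)

if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG, year=2017)
    print(len(events), "failures from", len(low_rate_sources(events)), "low-rate IPs")
    for local, first, second in paired_attempts(events):
        print(f"{local}: {first} then {second}")
    print("coordinated:", looks_coordinated(events))
```

A single noisy address fails the `low_rate_sources` test and is left to the ordinary per-IP jail; the pairing check is what separates a coordinated list-walk from unrelated background noise.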

Semalt – the SEO company who lie to you.

On January 24th Andrew Timchenko from Semalt sent me a Private message on Facebook:

Dear Stephen
From now on your websites:
tty.org.uk
Canalplan.org.UK
Canalplan.EU
Canalplan.co.UK
Pubnight.org.uk
won’t be visited by our robots.
I would like to bring apology on the behalf of our company if our service caused you some troubles.

I’d told him that I wanted all subdomains on those domains removing from their systems and I was stupid enough to believe him although for a while their annoying bots stopped visiting.

But they came back – not as stupidly fast as before but doing exactly the same call to the home page, over and over again.

So if you’ve had promises from Semalt to take your domains out of their system… double check and make sure that you’ve got a rule in your .htaccess to ban them.

Semalt really don’t get it

I posted on Semalt’s Facebook and they deleted my posts. I made another post suggesting that deleting my posts simply confirmed that they were a rogue element.

Then they tried to friend me… I have a rule on Facebook : If I don’t know you and I’ve not met you or had a drink or three with you then don’t expect me to friend you.

So then they sent me a message:

I would like to bring apology on the behalf of our company if our service caused you some troubles.

Our bots have accidentally visited your site, as well as the sites of other webmasters. These bots harvest statistics for our service and cause no harm. I don’t think this can be an issue, since nobody complains on bots that belong to Google, Bing and other search engines. There are so many services on the web that are believed to mess up the webmaster’s statistics.

This shows that they have no clue.

I have no problems with Google, Bing and other search engines running over my sites as they help bring traffic to me. Also they obey robots.txt and crawl at a sensible speed and don’t just sit there hammering the home page. Also they clearly identify themselves and come from recognised blocks of IP addresses.

Semalt do NONE of these – they use random IP addresses from all over the world, they don’t obey robots.txt. They don’t clearly identify that they are a bot. They don’t crawl my site and they don’t access it at a sensible request rate. On top of all of that they offer me NOTHING of any use – all they do is suck bandwidth and give me nothing in return.

I had added a rule to my .htaccess to ban them (and I’ve left it in there because I don’t trust them) – but they did accept a list of domains from me and have removed them from their rogue bot.

Semalt.com – Rogue element? Or just scum?

So Google is full of sites posting about the above company … they would seem to be trying to do some sort of SE ranking or are they just complete arses?

This is an example from one of my site logs … there is NO reason for this behaviour but their repeated use of IP addresses in various countries suggests that they’re either paying people to do this shit or they’ve paid for time on a bot-net.

Ask yourself…would you really trust a company who resort to these sort of tactics as a business model?

189.78.19.14 - - [16/Jan/2014:20:29:43 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:43 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:43 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:43 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:43 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:43 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:43 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:43 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:43 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:43 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:43 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:43 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:44 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:44 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:44 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:44 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:44 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:44 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:44 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:44 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:44 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:44 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:44 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:45 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:45 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:45 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:45 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:45 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:46 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:46 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:46 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:46 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:46 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:46 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:46 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:46 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:46 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:46 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:46 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:46 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:46 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:46 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:47 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:47 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:48 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:48 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:48 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:48 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:48 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:48 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:58 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:58 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:58 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:58 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:58 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:58 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:59 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:59 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:29:59 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:30:00 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:30:00 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
189.78.19.14 - - [16/Jan/2014:20:30:00 +0000] "GET / HTTP/1.1" 200 5720 "http://their url removed?u=http://my website here" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" my website here
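
The pattern in the log above (the same page requested over and over with the same off-site Referer, possibly from more than one address) can be picked out of an access log by grouping on the Referer host rather than the client IP. The following Python is an added example, not code from the original post; the sample lines, host names, function names and thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

def _line(ip, sec, path, referer):
    return (f'{ip} - - [16/Jan/2014:20:29:{sec:02d} +0000] "GET {path} HTTP/1.1" '
            f'200 5720 "{referer}" "Mozilla/5.0 (constructed)"')

# Constructed sample: 25 hits on "/" in three seconds from two addresses that
# share one off-site Referer, plus three ordinary requests.
SPAM_REF = "http://spam.example/?u=http://www.example.test"
SAMPLE = [_line("198.51.100.7" if i < 15 else "203.0.113.80", 40 + i // 10, "/", SPAM_REF)
          for i in range(25)]
SAMPLE += [
    _line("203.0.113.9", 41, "/", "-"),
    _line("203.0.113.9", 42, "/style.css", "http://www.example.test/"),
    _line("192.0.2.33", 43, "/", "http://search.example/?q=canal"),
]

def parse_access(lines):
    """Yield (when, ip, path, referer) for each combined-format log line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield when, m["ip"], m["path"], m["referer"]

def referrer_bursts(lines, own_host, window=timedelta(seconds=10), threshold=20):
    """Map (referer host, path) -> (peak hits in window, client IPs) for bursts."""
    hits = defaultdict(list)
    for when, ip, path, referer in parse_access(lines):
        ref_host = urlsplit(referer).hostname  # None for "-" or an empty Referer
        if ref_host and ref_host != own_host:
            hits[(ref_host, path)].append((when, ip))
    flagged = {}
    for key, events in hits.items():
        events.sort()
        start = peak = 0
        for end, (when, _ip) in enumerate(events):
            while when - events[start][0] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[key] = (peak, sorted({ip for _, ip in events}))
    return flagged

if __name__ == "__main__":
    for (host, path), (peak, ips) in referrer_bursts(SAMPLE, "www.example.test").items():
        print(f"{host} -> {path}: {peak} hits in 10s from {len(ips)} address(es)")
```

Keying on the Referer host gives a value that stays stable when the client addresses change, which is what a Referer-based deny rule needs.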