I check my IP logs in cPanel by the hour with usually little to worry about, but today I noticed an unorthodox entry that had the following referrer:
http://us.mc1117.mail.yahoo.com/mc/showMessage?sMid=1&fid=Inbox&sort=date&order=down&startMid=0&filterBy=&.rand=1186017486&midIndex=1&mid=1_638867_AKMXw0MAAMawTaL2rAa2FCQNQgg&fromId=inquiries@examplewebsite.com
It appears that someone from Senegal (or nearby) used something either on or inside my website (examplewebsite.com) to distribute an application message to their Yahoo inbox (inquiries@examplewebsite.com; a standard auto-reply I use to let people who use my “Contact Me” form know that I received their message). The recorded IP I had in my log(s) at the time of finding this entry was “196.207.250.57” and each request they made (I counted 2) came in the following form, again, inside cPanel:
“/forum”
“/favicon.ico”
Depending on how familiar you are with cPanel “last visit” logs, you probably already know that those 2 listings above can be hovered over with your mouse to see what the entire URL is down at the bottom in Firefox (standard info within the browser window). Well, I did this, and each link or URI leads back to my primary domain as if the forum and favicon were being requested from that primary domain (and not this one; examplewebsite.com).
In other words, the 2 above resource requests were being made for a forum and favicon over on website A, but these entries showed up in website B’s IP logs…
What gives?
Both requests received a 403, which isn’t surprising. The forums are on website B, but the hyperlink referrer structured the requests as if the person (or maybe, bot?) made the request in the form of “www.websiteA.com/forum” and “www.websiteA.com/favicon.ico”…
I could care less about those 2 specific requests. Those aren’t troubling. The thing that bothers me is the E-mail referrer that came from Yahoo. I’ve checked every log I have and I haven’t found anything in the form of “An e-mail was sent on such-and-such day…” or “Someone tried to register on such-and-such day…” A couple days ago, someone tried to register to the site, but never answered the CAPTCHA correctly. Their first answer attempt was just some blank space where the second one appeared to be some HEX code. I went around and eventually decoded it back into binary (and everything else I could think of) and it was nothing. Just gibberish. So in other words, it wasn’t HEX like I thought… It was just randomly entered text. Not even any special characters or other web code of any sort…