httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob Hartill <>
Subject Re: Log Ignore Hosts patch uploaded
Date Mon, 26 Feb 1996 16:53:13 GMT
> I would really prefer to approach this problem in a manner that doesn't 
> conjure up images of "warfare" (maybe I shouldn't have forwarded those 
> messages!).  

Our server gets trashed by dumb robots every week. It is a war for
some of us.

> When HotWired launched in 1994 the early versions of Netscape didn't 
> handle authentication quite right - some would send an incorrect 
> password, the 401 response would come back, it would resend the bogus 
> password, etc., creating a feedback loop.  After launch I would literally 
> sit there watching a tail of the logs and editing a .htaccess file in the 
> root level of the site everytime I saw an authspam happening.  That was 
> fun!

That bug still exists. I've mailed in bug reports to Netscape but
have never had a reply. There's a simple solution (which they've ignored)
which is to never send the same rejected name/password combination.
They're trying to do something more sophisticated but it sends servers
into logfile overflow as a result. I've never been able to find a test
case to demonstrate the problem, but if you use password auth a lot
(and maybe switch username/password at the same site a bit) then the
bug shows up randomly.


View raw message