8/6/2005

More Web Weirdness

Uncle Andrew @ 9:59 pm

So I’m looking through my HTTP access log this evening (a log of all the computers that have visited my Web site), and I come across the following entry:

62.193.231.242|-|-|06/Aug/2005 20:48:51|GET /blog?p=26 HTTP/1.0|301|311|-|Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1)|pteranodon.local

For the uninitiated, this translates roughly as: “At 8:48pm on August the 6th, 2005, someone at the Internet address 62.193.231.242 visited your Web site (pteranodon is the name of the computer hosting my Web site), going directly to the address /blog?p=26.”

Thrilling, I know, but there’s a bit to be weirded out about here. First is the IP address of the visitor. I ARINed the address, and it belongs to a British Internet Service Provider called AMEN LTD. The IP itself belongs to a network block in France.

Now, this by itself is not particularly startling. So someone in France made their way to Uncle Andrew Dot Net, so what? The wonders of the Information Age and all that. The conceptual stumbling blocks for me are 1) their final destination; and 2) the lack of a referrer.

This person came into my blog at a specific point, namely /blog?p=26, which happens to be a rant I wrote called “God Told Me That Men Don’t Wear Skirts”. They didn’t go to Uncle Andrew Dot Net and search for that article; they zeroed right in on it.

Furthermore, the lack of a referrer suggests that they didn’t get there by way of another Web site, search engine, etc. If they had, the site through which they had found me would show up in the log as a referrer.

And this isn’t some kind of attack or comment spam offensive, either. If it were a security hack of some sort, the log would reflect the offending computer’s requests for vulnerable scripts or DLLs in hard-to-find directories, or else page upon page of gibberish intended to result in a buffer overflow; it certainly wouldn’t make so innocuous a request as, “show me the blog entry at p=26, please!”

And if this were an attempt at comment spam, it would not contain a GET request, which only asks for data, but would instead contain a POST request, which attempts to send data, in this case spurious blog comments regarding Herbal Viagra or Texas Hold ‘Em.

In other words, by all appearances, some anonymous person in France opened up their Web browser, typed or otherwise entered http://www.uncle-andrew.net/blog?p=26 into the address window, and let ‘er rip. Seems like a pretty strange thing to do.
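As an added example (my own script here, not anything from the original post), here is a small Python parser for this pipe-delimited log format that flags exactly the pattern described above: a GET for a single blog entry with an empty referrer, counted per entry so that a run of such hits on one post stands out. The field order is inferred from the quoted entry, and every sample line other than the quoted one is constructed.

```python
import re
from collections import Counter

# Field order assumed from the entry quoted in the post:
# ip|ident|authuser|timestamp|request|status|bytes|referrer|user-agent|vhost
FIELDS = ["ip", "ident", "authuser", "time", "request",
          "status", "bytes", "referrer", "agent", "vhost"]
BLOG_POST = re.compile(r"^/blog\?p=\d+$")  # a single blog entry, e.g. /blog?p=26

def parse_line(line):
    """Split one pipe-delimited log line into a dict and pull out method/path."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(FIELDS):
        return None  # unexpected shape: skip it rather than guess at fields
    entry = dict(zip(FIELDS, parts))
    req = entry["request"].split(" ")  # "GET /blog?p=26 HTTP/1.0"
    entry["method"] = req[0]
    entry["path"] = req[1] if len(req) > 1 else ""
    return entry

def is_direct_post_hit(entry):
    """The pattern in the post: a GET for one blog entry with no referrer at all."""
    return (entry["method"] == "GET"
            and entry["referrer"] == "-"
            and BLOG_POST.match(entry["path"]) is not None)

def direct_hits_by_post(lines):
    """Count referrer-less GETs per entry; a pile-up on one entry is the tell."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry and is_direct_post_hit(entry):
            counts[entry["path"]] += 1
    return counts

# Constructed sample: the entry quoted in the post plus three made-up lines
# (a second direct hit on p=26, a hit with a referrer, and a POST).
SAMPLE_LOG = [
    "62.193.231.242|-|-|06/Aug/2005 20:48:51|GET /blog?p=26 HTTP/1.0|301|311|-|"
    "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1)|pteranodon.local",
    "192.0.2.10|-|-|06/Aug/2005 21:02:13|GET /blog?p=26 HTTP/1.0|200|8120|-|"
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)|pteranodon.local",
    "192.0.2.11|-|-|06/Aug/2005 21:05:40|GET /blog?p=12 HTTP/1.1|200|7330|"
    "http://www.example.com/|Mozilla/5.0|pteranodon.local",
    "192.0.2.12|-|-|06/Aug/2005 21:07:02|POST /blog/comment HTTP/1.1|200|12|-|"
    "Mozilla/4.0|pteranodon.local",
]

if __name__ == "__main__":
    for path, n in direct_hits_by_post(SAMPLE_LOG).most_common():
        print(f"{n:3d} referrer-less GET(s) -> {path}")
```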

This is the kind of thing that keeps geeks up nights.

UPDATE: Figured it out. Some folks had found an unsecured pingback-enabled blog entry they could use for the purposes of pingback spam; a scheme where the site in question establishes a false pingback link to thousands of unwitting blogs in order to increase their page ranking in search engines. Finally saw the light when I noticed some new direct visitors to that very same blog entry, only these fuckers were nice enough to leave referrers: Texas Hold’em and Party Poker, indeed. Bastards! Chicken diddlers!

So, off go the trackbacks again. Damn, and just when I thought I had this whole spam thing under control…..



All portions of this site are © Andrew Lenzer, all rights reserved, unless otherwise noted.