(As always, make sure you are running the latest rules)
Nothing normal should trigger this rule. That rule looks for this:
User-Agent: whatever User-Agent something else
Real clients dont do that. They have a single header like this:
So if you see two in a row, its a fake UA.
Thank you Mike.
The problem that I have is that a lot of real customers are getting blocked by this rule. Even this morning I have a chat with a customer that couldn't enter into his own site because his Internet Explorer was triggering this rule.
I asked him to install FireFox and try it again and with FireFox everything worked fine. I asked him what IE was he using and it was IE 6, so, I asked him to upgrade to IE 8. For now he is using FireFox as he is not getting any errors at all.
He asked me how his IE is blocked if a few days ago it was working ok? I really don't know how or if it is a spyware or adware, but I told him that something inside his IE was wrong. He ran an AV and AntiSpyware and there was nothing inusual on his computer. So, what it could be the cause of IE triggering this rule?
My next question to you is, what happens if I suspend this rule in particular? I assume that all the other rules will be working and will be blocking any type of attack. Am I right?