Herr Bischoff

Favicons vs. News Explorer

Some of the readers of this site use News Explorer to get the RSS feed. Recently I found this application to trigger certain intrusion detection methods and it tripped over Nginx request limits. The reason: excessive Favicon requests.

Here’s what a respective request from News Explorer looks like:

100.200.300.1 - - [27/Jul/2020:12:08:48 +0200] "GET /favicon.png HTTP/2.0" 404 107 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/605.1.15 (KHTML, like Gecko) News Explorer/1.9" "-"

As you can see, I have no Favicon for this site (yet). This request is repeated dozens of times per second, effectively behaving like a sloppily written application — or a brain-dead scanning script. Hence the triggering of Nginx request limits and intrusion detection. Despite returning 404 Not Found, News Explorer continues to try repeatedly.

I contacted its vendor Betamagic and they had this to say:

Yes, News Explorer is a bit persistent in retrying to get a favicon for a RSS feed, when a 404 is returned. This should indeed be improved in a future update.

After my insisting that this was a bug that needed immediate addressing, Ron from support added the following:

I have added it to the backlog

From my point of view: just add a favicon to your server. It will solve these spikes and it will make your RSS feed look much better in most modern RSS readers.

Well, I guess that’s something. While this behavior does not violate HTTP implementation standards per se, it is generally assumed that repeatedly triggering 404 is a reliable indicator of a brute-force scanning attempt.

For now, this is to let the users of News Explorer know about a likely reason for issues with this or other sites.