
Do they come back? If so, then they detect it and avoid it. If not, then they crashed and mission accomplished.


I currently cannot tell without making a little configuration change, because as soon as an IP address is logged as having visited the trap URL (honeypot, or zipbomb or whatever), a log monitoring script bans that client.

Secondly, I know that most of these bots do not come back. The attacks do not reuse addresses against the same server in order to evade almost any conceivable filter rule that is predicated on a prior visit.


I may be asking a really silly question here, but

> as soon as an IP address is logged as having visited the trap URL (honeypot, or zipbomb or whatever), a log monitoring script bans that client.

Is this not why they aren’t getting the full file?


I believe Apache is logging complete requests. For instance, in the case of clients sent to a honeypot, I see a log entry appear when I pick a honeypot script from the process listing and kill it. That could be hours after the client connected. The timestamps logged are connection time, not completion time. E.g. here is a pair of consecutive logs:

  124.243.178.242 - - [29/Apr/2025:00:16:52 -0700] "GET /cgit/[...]
  94.74.94.113 - - [29/Apr/2025:00:07:01 -0700] "GET /honeypot/[...]

Notice the second timestamp is almost ten minutes earlier.
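
A sketch of the log check discussed in this thread, as an added example and not the commenter's actual monitoring script: it lists clients that requested a trap URL and uses out-of-order timestamps to put a lower bound on how long each such request stayed open. The `/honeypot/` prefix, the 5-second jitter threshold and the sample log lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in Apache common log format (documentation IP ranges);
# only the two timestamps 00:16:52 and 00:07:01 mirror the pair quoted above.
SAMPLE_LOG = """\
198.51.100.7 - - [29/Apr/2025:00:16:50 -0700] "GET /index.html HTTP/1.1" 200 512
203.0.113.9 - - [29/Apr/2025:00:16:52 -0700] "GET /cgit/example HTTP/1.1" 200 4096
192.0.2.44 - - [29/Apr/2025:00:07:01 -0700] "GET /honeypot/example HTTP/1.1" 200 1048576
198.51.100.7 - - [29/Apr/2025:00:16:55 -0700] "GET /about.html HTTP/1.1" 200 300
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')
TRAP_PREFIXES = ("/honeypot/",)  # assumed trap URL prefix


def parse(line):
    """Return (ip, request_start_time, path), or None for an unparsable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path


def analyze(lines, min_gap=5):
    """Return (ips_to_ban, held); held lists (ip, path, min_seconds_open)."""
    ban, held = [], []
    newest = None  # latest request-start time seen so far, in file order
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, path = rec
        if path.startswith(TRAP_PREFIXES) and ip not in ban:
            ban.append(ip)
        # The entry is written when the request ends but carries its start
        # time, so an entry older than its predecessors stayed open at least
        # until `newest`. min_gap ignores jitter between concurrent workers.
        if newest is None or ts >= newest:
            newest = ts
        elif (newest - ts).total_seconds() >= min_gap:
            held.append((ip, path, int((newest - ts).total_seconds())))
    return ban, held


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG.splitlines()))
```
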



