WebmasterWorld administrator tedster urges every webmaster to ensure that their custom 404 error page actually returns a 404 status code. He explains that lately he sees more 200 response codes than ever, because custom 404 handling often redirects with a 302 to a page that then returns a 200 status code.
What this means is that eventually all of these "bad" URLs pile up and you have a duplicate content issue on your hands.
The web servers most vulnerable to this type of problem are IIS/Microsoft servers. Ted explains that custom error messages are set up differently there than on Apache.
He explains what you should do if you use IIS:
For the IIS user, there is one other caution I should mention about 404 handling. If you are using .NET, then there are two levels of error handling: at the IIS level and at the .NET level. It is also common to find that only one of these two levels is set up correctly. So when you're checking your site, try a bad url with a .asp (.aspx) extension, and also try a bad url with a .htm extension.
And yes, Apache may be less vulnerable, but it is not immune, especially if it serves JSP pages with Tomcat.
With all that said, everyone should take a moment to check the server headers of their custom 404 page, as directed by Tedster.
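The check described above, as an added example that is not from the original post or the WebmasterWorld thread: it requests one nonexistent URL per extension, follows redirects by hand, and records the status code of every hop, so a 302 followed by a 200 is visible. The function names, the `/error.html` path, and the local demo server are constructed for illustration; point `check_404` at your own site's base URL to test it.

```python
import http.client, threading, uuid
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

def status_chain(url, max_hops=5):
    """Follow redirects by hand; return the status code of every hop."""
    codes = []
    for _ in range(max_hops):
        parts = urlsplit(url)
        cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
        conn = cls(parts.netloc, timeout=10)
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        codes.append(resp.status)
        location = resp.getheader("Location")
        conn.close()
        if resp.status not in (301, 302, 303, 307, 308) or not location:
            break
        url = urljoin(url, location)
    return codes

def check_404(base, extensions=(".aspx", ".asp", ".htm")):
    """Request one bad URL per extension; 'ok' only if the first reply is 404/410."""
    results = {}
    for ext in extensions:
        codes = status_chain(urljoin(base, "/no-such-page-" + uuid.uuid4().hex + ext))
        verdict = "ok" if codes[0] in (404, 410) else "soft-404" if codes[-1] == 200 else "other"
        results[ext] = (verdict, codes)
    return results

class DemoHandler(BaseHTTPRequestHandler):
    """Constructed local server: .asp/.aspx handled wrongly, other URLs correctly."""
    def do_GET(self):
        soft = self.path.endswith((".asp", ".aspx"))
        self.send_response(200 if self.path == "/error.html" else 302 if soft else 404)
        if soft:
            self.send_header("Location", "/error.html")
        self.send_header("Content-Length", "0")
        self.end_headers()
    log_message = lambda *args: None  # keep the demo quiet

def demo():
    """Run check_404 against the constructed server on a free local port."""
    with HTTPServer(("127.0.0.1", 0), DemoHandler) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            return check_404("http://127.0.0.1:%d/" % server.server_port)
        finally:
            server.shutdown()
```

Against the constructed server, `demo()` reports the `.asp` and `.aspx` URLs as `soft-404` with the hop list `[302, 200]` and the `.htm` URL as `ok` with `[404]`, which is the "only one of the two levels set up correctly" case.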
Forum discussion continues at WebmasterWorld.