@@ used in an SQL injection


What is he trying to do here?

[06/Aug/2020:11:44:39 +0000] "GET /index.php HTTP/1.1" 200 8271 "@@e0EEY" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36" [06/Aug/2020:11:45:12 +0000] "GET /index.php HTTP/1.1" 200 8271 "https://www.google.com/search?hl=en&q=testing" "@@IvWD9" [06/Aug/2020:12:03:37 +0000] "GET / HTTP/1.1" 200 8269 "@@C42ei" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36" [06/Aug/2020:12:03:44 +0000] "GET / HTTP/1.1" 200 8269 "@@JgSGH" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36" [06/Aug/2020:12:24:07 +0000] "GET /catalog HTTP/1.1" 200 8253 "https://www.google.com/search?hl=en&q=testing" "@@wgWnB" [06/Aug/2020:12:25:52 +0000] "GET /@@pDxCh/uploads/css/styles.css HTTP/1.1" 404 3785 "https://example.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36" 

I understand these must be some kind of (undefined?) SQL variables. All I could find was mostly @@version, but no arbitrary variables. Is he trying to provoke the error message output?

Is it safe for me to block all requests containing @@ on the web server level? (I can’t foresee 99% of legit users having it in the request, cookies or headers, but I may be wrong.)