I've noted a few odd requests today, all related to odd user agents.
The first sort of requests I noticed were all for the same forum thread, coming from IP addresses all over the world, and they were all coming with this same broken user agent string:
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"
Note that it's missing the closing bracket. Whatever that is, it's clearly a bot.
The next sort of requests I noticed were all with user agent strings that consisted of random letters. Now that is nothing new - those have been around for a while and they're difficult to block. But in this case, they all came from the same IP address, 69.15.29.18 (Cbeyond Communications, Atlanta, GA). There's an IIS running on that IP address, and since it tries to redirect me to a password-protected directory named "exchange", it may be running a Microsoft Exchange server.
Another thing I have been wondering about for a while now is the relatively high number of requests that include "Windows 98" in the user agent string (given the age of that Windows version). On closer inspection of today's batch, I noticed that many of those had either been blocked by Bad Behavior or came from IP addresses that we're already blocking. Specifically, all of the cases where the user agent string was "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)" were of dubious origin. I'm not quite ready to block that user agent yet, but I'm keeping an eye on it ...
And finally, there was a sudden burst of requests (50 requests in 2 minutes) from 85.255.117.98. The odd thing about those was not the user agent string but the fact that most of the GET and POST requests from there included a :80 after the domain name and an extra question mark at the end of the URL, e.g. http://www.geeklog.net:80/docs/config.html?. That's a static HTML page, stupid, what do you think will happen when you attach a question mark to it?
Do I have to point out that the IP range from 85.255.112.0 - 85.255.127.255 belongs to Ukrainian hosting company Inhoster who are known as a source of quite a lot of spam and are unresponsive to complaints? And why haven't I blocked that entire IP range yet?
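Added example, not part of the original post: a log scan for three of the patterns described above (the user agent with the unclosed bracket, the `:80` plus trailing `?` request, and 50 requests in 2 minutes from one address). It assumes Apache combined log format with the full URL in the request line; the function names, sample lines and addresses are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: Apache "combined" log format; the post does not say what the site logs.
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d+ \S+ "[^"]*" "([^"]*)"')
BURST_COUNT, BURST_WINDOW = 50, timedelta(minutes=2)  # burst size reported in the post

def ua_unbalanced(ua):
    """True when '(' and ')' do not pair up, as in the truncated MSIE 6.0 string."""
    return ua.count("(") != ua.count(")")

def odd_target(target):
    """True for an absolute URL with an explicit :80 and a bare trailing '?'."""
    return bool(re.match(r"https?://[^/]+:80/", target)) and target.endswith("?")

def scan(lines):
    """Return {ip: set of flag names} for every client that trips a check."""
    flags, recent = defaultdict(set), defaultdict(deque)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, stamp, _method, target, ua = m.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        if ua_unbalanced(ua):
            flags[ip].add("unbalanced-ua")
        if odd_target(target):
            flags[ip].add("port80-trailing-qmark")
        window = recent[ip]          # sliding window of this client's request times
        window.append(when)
        while when - window[0] > BURST_WINDOW:
            window.popleft()
        if len(window) >= BURST_COUNT:
            flags[ip].add("burst")
    return dict(flags)

# Constructed sample log: documentation-range addresses (RFC 5737), made-up date and paths.
FMT = '%s - - [01/Jan/2024:10:%s +0000] "GET %s HTTP/1.1" 200 512 "-" "%s"'
GOOD_UA = "Mozilla/5.0 (X11; Linux x86_64)"
SAMPLE = [
    FMT % ("192.0.2.10", "00:00", "/forum/viewtopic.php?showtopic=1",
           "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"),
    FMT % ("198.51.100.7", "00:05", "/index.php", GOOD_UA),
] + [FMT % ("203.0.113.5", "01:%02d" % s, "http://www.example.org:80/docs/config.html?", GOOD_UA)
     for s in range(50)]

for ip, hits in scan(SAMPLE).items():
    print(ip, sorted(hits))
```

The flags are meant for review rather than automatic blocking; the random-letter and "Windows 98" user agents are left out because the post itself treats them as too ambiguous to block on.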