Forum Moderators: DixonJones

cluXwruwswhootim nteb XrmuXuwuidag y

bizarre user agent, any guesses?

         

aeve

12:54 am on Jun 3, 2004 (gmt 0)

10+ Year Member



I saw this guy in my logs today:

69.110.221.*** - - [02/Jun/2004:07:28:26 -0600] "GET /calendar.htm HTTP/1.1" 200 75173 "-" "cluXwruwswhootim nteb XrmuXuwuidag y"

and was wondering if anybody had any idea? It only took one page (a big one), no images or css.

dcrombie

9:52 am on Jun 3, 2004 (gmt 0)



This has been discussed at least twice here. I think the consensus was that it's a 'compromised' Windoze machine that's being used as a zombie to harvest email addresses.

The UA is made up of random characters and spaces so it's difficult to block.

Leosghost

10:01 am on Jun 3, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



'compromised' Windoze

Is this the formal term for what I'd call "smooched" n "sent for groceries"...? :)
cos they all come out of Redmond "compromised" ...

dcrombie

10:31 am on Jun 3, 2004 (gmt 0)



I think the process is similar to hypnotizing a chicken - all you need is a piece of chalk, and sometimes not even that ;)

DanA

12:12 pm on Jun 3, 2004 (gmt 0)

10+ Year Member



I have a lot of UAs like this one from Brazil, Nigeria, Israel, the US and Canada, all interested in pages about email...

aeve

2:08 pm on Jun 3, 2004 (gmt 0)

10+ Year Member



Thanks for the info. I guess the random user agent string makes it impossible to find in a site search as well. Has anyone found any way to stop it?

The page it took is an event calendar and has email addresses of the artists (100+) in charge of individual events. It's a pretty sweet cherry to pick, but my client wants them to be functional...

What methods do you use to have functional email addresses that won't get harvested? I'd hate to get blamed/be responsible for all these people getting spammed.

Thanks,
Adam

DanA

5:18 pm on Jun 3, 2004 (gmt 0)

10+ Year Member



A lot of JavaScript routines are available at this site, mostly JavaScript.
This forum may help you:
[webmasterworld.com...]

bull

8:48 am on Jun 5, 2004 (gmt 0)

10+ Year Member



[webmasterworld.com...]

Be sure not to block msnbot though.

42ndSSD

7:49 pm on Jul 9, 2004 (gmt 0)

10+ Year Member



I've dug out a bit more information on these guys...

It looks like they're using Google searches (or another search engine that uses Google's database) to find pages that contain email addresses. And possibly web forums as well--I don't run any forums so I can't verify this... That's definitely how they're finding the page on my site that has email addresses, as the URLs they're using are ones that were originally grabbed by a Google crawler. (Ah, the joys of completely traceable URLs.)

Sometimes they use a User-Agent string of "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"; different versions of the same software, I'd guess. I also agree with the theories that it's related to the DSurf stuff. Lately I've seen many more instances of the Mozilla UA string--I've only had a couple of visits with the totally random UA string in the last two months, possibly because I've been completely blocking them.

They never use a valid Referer: and the rest of the typical headers are bogus or missing as well, so if you feel a need to filter them out it's still pretty easy to do. Though I'm sure eventually they'll get smart enough to do all this stuff correctly...
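An added example, not part of any post in this thread: a log check that combines the signals the posters describe (a User-Agent with no product/version token, pages fetched without images or CSS, never a Referer) while skipping crawlers such as msnbot. The crawler allowlist, the asset extensions, the product-token heuristic and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" format, as in the log line quoted in the first post.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                  r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
PRODUCT_TOKEN = re.compile(r'[A-Za-z][\w.-]*/\d')   # e.g. Mozilla/4.0, msnbot/0.11
ASSET = re.compile(r'\.(?:gif|jpe?g|png|css|js|ico)(?:\?|$)', re.I)
KNOWN_CRAWLERS = ("msnbot", "googlebot")            # assumption: the site's own allowlist

def suspicious_clients(lines):
    """Return {ip: [reasons]} for clients that behave as described in the thread."""
    by_ip = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if m:
            by_ip[m["ip"]].append(m)
    flagged = {}
    for ip, hits in by_ip.items():
        uas = {h["ua"] for h in hits}
        if any(c in ua.lower() for ua in uas for c in KNOWN_CRAWLERS):
            continue                                # never flag allowlisted crawlers
        reasons = []
        if any(not PRODUCT_TOKEN.search(ua) for ua in uas):
            reasons.append("user agent has no product/version token")
        no_referer = all(h["referer"] in ("", "-") for h in hits)
        no_assets = not any(ASSET.search(h["path"]) for h in hits)
        if no_referer and no_assets:
            reasons.append("pages only, never a Referer")
        if reasons:
            flagged[ip] = reasons
    return flagged

# Constructed sample lines (documentation-range IPs), modelled on the quoted entry.
SAMPLE = [
    '192.0.2.10 - - [02/Jun/2004:07:28:26 -0600] "GET /calendar.htm HTTP/1.1" 200 75173 "-" "cluXwruwswhootim nteb XrmuXuwuidag y"',
    '192.0.2.20 - - [02/Jun/2004:07:30:01 -0600] "GET /calendar.htm HTTP/1.1" 200 75173 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '192.0.2.30 - - [02/Jun/2004:07:31:00 -0600] "GET /calendar.htm HTTP/1.1" 200 75173 "-" "msnbot/0.11 (+http://search.msn.com/msnbot.htm)"',
    '192.0.2.40 - - [02/Jun/2004:07:32:00 -0600] "GET /calendar.htm HTTP/1.1" 200 75173 "http://example.org/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '192.0.2.40 - - [02/Jun/2004:07:32:01 -0600] "GET /style.css HTTP/1.1" 200 1200 "http://example.org/calendar.htm" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
]

if __name__ == "__main__":
    for ip, why in suspicious_clients(SAMPLE).items():
        print(ip, "->", "; ".join(why))
```

The behavioural check still catches the client that sends the plausible MSIE string, which a User-Agent match alone would miss.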