Welcome to WebmasterWorld Guest from

Forum Moderators: Ocean10000 & incrediBILL

Message Too Old, No Replies

Mysterious User Agent is random string , AQJPTSIP, e.g.

Anybody know what kind of masking agent is being used and why?

8:01 pm on May 9, 2002 (gmt 0)

Junior Member

10+ Year Member

joined:Feb 4, 2002
votes: 0

In my logs there are a very small number of hits that record the UA as a random string of capital letters. UOPKUXXBTGH or KRCNONPATKW or something like that. Just 7 of these since 1/1/02, in fact.

The other strange thing is that except for two isolated requests of my default page, they are all hits for one particular page deep in my site; 5 times on separate days over a 12-day period. They didn't request any of the page's graphics. There is no referer.

The IPs are all from various ISPs in the US and Canada. The latest, which appeared once, is a Spanish telephone company

There's one IP with the the random string UA -- the last appearance, in fact, on April 17th -- that had appeared back in February using MSIE 5.01 and looking for our old publications page, and getting served instead our new one (which my server does automatically) -- yet again, they didn't request any of the page's graphics, yet did request the page's .js file.

Has anybody seen this and know what it is?

8:10 pm on May 9, 2002 (gmt 0)

Senior Member

WebmasterWorld Senior Member littleman is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:June 17, 2000
votes: 0

I'd start collecting the IPs and try to figure out the similarities. Odds are good that they are proxy servers, and that this in a single program hitting you via these proxies.
7:25 am on June 11, 2002 (gmt 0)

Full Member

10+ Year Member

joined:June 10, 2002
votes: 0

Quote from:

"Altavista and DIIbot use suspicious request methods to test 404 errors. These robots, and perhaps others, probably use this method in order to figure out what a server's 404 response is (a kind of "profile"), and assumes that it's the same for all 404 pages.

Altavista only started doing it this year (2002). They request the page: /kjhgdkjhf1goifj2lktjelj34knfhjguih8bbj/index.htm.

However, these requests are completely innocuous to Apache, and probably do not need to be blocked. "


6:05 pm on June 11, 2002 (gmt 0)

Junior Member

10+ Year Member

joined:Feb 4, 2002
votes: 0

Yes, I've seen those strange hits, too. I'd tracked them back to Altavista via the IP, and so I didn't worry about them -- plus therere are so few of them. Now I know what they are! Thanks!

As for the random user agent strings I first wrote of, my best guess is that it is either part of a research project or some kind of privacy software. It's not a bandwidth problem at all, just a curious phenomenon.


3:37 am on June 12, 2002 (gmt 0)

Inactive Member
Account Expired


I also got similar random named user agents (UZWIKKDJYZNQ, HQYLPTAQR etc). Had a closer look at my logs and saw that they were only accessing certain files on my site (maybe 3 pages out of 25). The following user agents were also accessing ONLY these pages.
DSurf15a 01
PSurf15a VA
DSurf15a 71
DBrowse 1.4b
EBrowse 1.4b
PBrowse 1.4b
DSurf15a 21
These user agents have been discussed previously in the following topic

The IP Address that this requests were coming from in my case
Jan 2002 - sympatico.ca - pacbell.net - pacbell.net
Feb 2002 pacbell.net
Mar - rr.com - rr.com - WIBAND.COM - rr.com -cox.net -pacbell.net
Apr2002 -cox.net -cox.net -cox.net
May -cox.net
Jun - Rogers.com Rogers.com - attbi.com - cox.net

They seem to be coming from different ISPíS. My opinion is that they are spambots, trying to get email addresses?
Iím almost positive that they are related to Dsurfx and the other user agents. Can anyone else spot a relation in their logs between these?


7:30 am on June 12, 2002 (gmt 0)

Inactive Member
Account Expired


I've had all these user agents coming from similar IP's, they only EVER visit default home pages and /guestbook/ default pages. Also recorded the random upper case agent coming from the same IP's after blocking *Surf* and *Browse* agents - definitely email harvesters IMHO, I have a trap out for them to try to verify.


1:55 pm on June 12, 2002 (gmt 0)

Inactive Member
Account Expired


Yeah ive noticed that they seem to add blank entries to guestbooks. I found an example on the web at [donotenter.com...]


2:04 pm on June 12, 2002 (gmt 0)

Inactive Member
Account Expired


Never added anything to mine like that - different field names at a guess?

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

Featured Threads

Free SEO Tools

Hire Expert Members