MARTINI - sysadmin@looksmart.net - Crawler, Spider, and User Agent ID forum at WebmasterWorld

Forum Moderators: open

Message Too Old, No Replies

MARTINI - sysadmin@looksmart.net

Is this a new L$ robot or just someone who likes their liquor?

Dreamquick

7:49 pm on Sep 17, 2002 (gmt 0)

IP: 64.241.242.178
Date: 17.09.2002 16:26:42

User-Agent: MARTINI

The "from" http request header contained "sysadmin@looksmart.net" and that address block is associated with looksmart so I'd say it was a safe bet this is actually a looksmart UA.

Unfortunately I cannot get to raw logs at the moment so I don't know exactly how much it requested or whether it was just a brief visit - really I was just wondering if this was a new UA (I've never see it before) or an old one re-appearing.

- Tony

martinibuster

7:56 pm on Sep 17, 2002 (gmt 0)

Um... If anybody's wondering, it's not me.

andreasfriedrich

7:58 pm on Sep 17, 2002 (gmt 0)

The "from" http request header contained "sysadmin@looksmart.net" and that address block is associated with looksmart so I'd say it was a safe bet this is actually a looksmart UA.

Anybody can set the From header field:

[af@server Ecotur]$ telnet www.webmasterworld.com 80
Trying 64.33.51.156...
Connected to www.webmasterworld.com.
Escape character is '^]'.
HEAD / HTTP/1.1
Host: www.webmasterworld.com
User-agent: Aa......
From: aa@aa.com
Connection: close
HTTP/1.1 200 OK
Date: Tue, 17 Sep 2002 19:56:32 GMT
Server: Apache/1.3.26 (Unix) FrontPage/5.0.2.2510
Cache-Control: max-age=0
X-Powered-By: BestBBS v3.043
Connection: close
Content-Type: text/html
Connection closed by foreign host.

Dreamquick

8:21 pm on Sep 17, 2002 (gmt 0)

andreasfriedrich,

I appreciate the insecurities of the http protocol but you must admit that it's a little bit of a co-incidence that;

1) the "from" header contains an admin-type looksmart email address.

2) the owner of the IP address 64.241.242.0 - 64.241.243.255 is listed as "Looksmart, LTD" and "www.looksmart.com" is 64.241.242.202 therefore "Looksmart Ltd" and LookSmart are the same people.

Headers are hard to fake, source IP addresses are a little more problematic (if you excluding proxies, wingates etc) and it seems a little odd to go to all the trouble of getting access through a looksmart machine just to start pretending to be one of their bots...

It may well be an intruder who has gained access to an internal looksmart machine but I'd say its more likely that a company that runs a web directory is checking/spidering sites which appear in that directory with 'bot of some description.

- Tony

volatilegx

7:10 pm on Sep 18, 2002 (gmt 0)

I shot an email to sysadmin@looksmart.net. We'll see what happens.

fiestagirl

6:45 pm on Sep 24, 2002 (gmt 0)

Any word from Looksmart?

my visit.
resolves to: sv-fs1.looksmart.com
64.241.242.34
ua: MARTINI
referrer: none

Looks like there are some wisenut ip's in there.
64.241.242.161-175

Dreamquick

7:46 am on Sep 25, 2002 (gmt 0)

fiesta,

No I tried dropping the address an email and although it appears to be a real person she is away from the office until the 30th Sept...

- Tony

stechert

7:03 am on Oct 4, 2002 (gmt 0)

That is indeed a Looksmart spider...there are 3 - Martini (basic page analysis for sites in the directory), Zealbot (verifies that sites in the directory are not dead links), and Zyborg (Wisenut).

Dreamquick

7:37 am on Oct 4, 2002 (gmt 0)

stechert,

Thanks for clearing that up.... just out of curiousity how did you find out about the three bots and their relationship?

- Tony

stechert

7:58 am on Oct 4, 2002 (gmt 0)

I'm a technical employee at Looksmart. I was stopping by briefly (on my personal time).

Cheers...

p.s. The company has official channels for communication that I would just muck up if I did anything more than address the one or two minor technical points that I did. I doubt I'll post anymore but will try to stop by now and again to see what's up.