Fake Slurp

Forum Moderators: open

Message Too Old, No Replies

Fake Slurp

but referring from Google?

Dijkgraaf

1:54 am on Aug 17, 2010 (gmt 0)

Came across this log entry today

198.134.135.nnn - - [16/Aug/2010:14:19:00 +1200] "GET /logo.gif HTTP/1.0" 200 1276 "http://www.google.com/" "Mozilla/5.0 (compatible; Yahoo! Slurp;

http://help.yahoo.com/help/us/ysearch/slurp

)"

1) Uses Yahoo's slurps UA.
2) Has the referrer as "http://www.google.com/. Which would imply a hot linked image from Google's home page (I think not).
3) IP seems to belong to ucsd.edu (UC San Diego)

From the same IP address range the previous day there was a valid entry in the log file for the same image, with a valid referrer (a page that does have that image hot linked which I allow), and a valid UA Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.9) Gecko/20100402 Ubuntu/9.10 (karmic) Firefox/3.5.9

keyplyr

2:49 pm on Aug 17, 2010 (gmt 0)

One word: whitelist

jdMorgan

3:12 pm on Aug 17, 2010 (gmt 0)

Referrals from Google's "home page" at www.google.com/ can also be a result of clicking the "I'm Feeling Lucky" link in the SERPs -- fairly-sloppy referral-generation by Google, but true.

But in this case, with the UA being Slurp, I concur with keyplr's assessment. :)

Jim

Pfui

6:08 pm on Aug 17, 2010 (gmt 0)

Um, my one word is "blacklist" because:

- methinks there's a greater likelihood of my getting hit by lightning than one of my sites' pages getting hit by Google's "Feeling Lucky" web-wide link-picker; and

- the "Feeling Lucky" button sends people to pages, not images [google.about.com...] ; and

- the 'bare' "http://www.google.com/" (ditto .ru and .kr) referers I see are typically troublemaker-related (bad UAs; bad Hosts/IPs; botnets); and

- .ucsd.edu users have a history of UA fakery... [webmasterworld.com...]

Imho.

keyplyr

6:24 pm on Aug 17, 2010 (gmt 0)

Pfui, an IP specific whitelist does blacklist all impostors.

And just a FYI, UCSD is where I work, although not in that dept :)

Pfui

8:01 pm on Aug 17, 2010 (gmt 0)

@keyplyr: At the risk of messing with whitelist-blacklist semantics* -- and/or disparaging further the alma mater of one of our own! -- would you allow the OP's IP given the highly likely fake UA and Ref?

Or, it could be I don't understand your comment.

: )

*I do Bill's UA whitelisting: All are blocked unless some are not. Thus the IP fails on the fake UA (aside from failing on the fake Ref).

keyplyr

8:32 pm on Aug 17, 2010 (gmt 0)

The OP's IP wouldn't clear my whitelist for SLURP.

Dijkgraaf

10:04 pm on Sep 28, 2010 (gmt 0)

A few more visits from this one from 137.110.222.nnn using the following UA's.
Mozilla/5.0 (compatible; Yahoo! Slurp;

http://help.yahoo.com/help/us/ysearch/slurp

)
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.3) Gecko/20100403 Firefox/3.6.3
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

They have faked the referrer a bit better with

http://www.google.com/search?hl=en&source=hp&btnG=Google+Search&q=benelux next

and

http://www.google.com/search?hl=en&source=hp&btnG=Google+Search&q=benelux

But as Googlebot doesn't use referrer, Slurp only when requesting css files, and as already noted coming from the wrong IP addresses it still is easy to spot as fake.

Fake Slurp

but referring from Google?

Dijkgraaf

keyplyr

jdMorgan

Pfui

keyplyr

Pfui

keyplyr

Dijkgraaf

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week