
Forum Moderators: Ocean10000 & incrediBILL


Timestamp in useragent string?

     

trintragula

8:18 am on Jan 27, 2014 (gmt 0)




Someone showed up on our forum recently with a time stamp in their useragent string, so every request has a different useragent.

I've not seen that before... Looks like a Chrome UA with perhaps an extension.

Anyone know what this is?

dstiles

8:13 pm on Jan 27, 2014 (gmt 0)




Might help us to know what the UA is.

trintragula

9:10 pm on Jan 27, 2014 (gmt 0)




Here's an example:

Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.220 Safari/537.6 mpVrf2ZWrek6Mi9ZYzIwPJvc358= 2014-01-26T16:41:12


(it's possible a few chars have been clipped off the end here - I had to rescue the data when the log expired.)

lucy24

9:53 pm on Jan 27, 2014 (gmt 0)




I saw this once from a Polish robot. I think the idea is to bypass UA-based blocks by having a different UA string on each request. The one I met came with a further quirk: logs tell me the robot's clock was several seconds behind my server's.

:: detour to search ::

Here's [webmasterworld.com] the resulting discussion. More recent than I thought.

trintragula

11:00 pm on Jan 27, 2014 (gmt 0)




In this case I'm thinking it's some kind of website downloader browser plug-in/extension with a humanoid driver, mostly because they succeeded in signing up on the forum with it.
The IP is in Australia, which is plausibly okay on our forum.
(They also activated the account and logged in later with a mobile UA that has no timestamp.)
The timestamp format is different from the one Lucy saw, so this may not be the same animal.
I'll keep an eye on them.
I've not previously added a trap for rotating UAs, but I'm thinking about it.

A year is a long time on the web...

lucy24

1:33 am on Jan 28, 2014 (gmt 0)




"The IP is in Australia, which is plausibly okay on our forum."

Come to think of it, I've never met an Australian robot. At least not to remember. And, when all is said and sifted, most robots infesting US-based sites ... come from US-based server farms.

For people who don't have time to pursue links: Mine, from just over a year ago, was a fully humanoid Firefox-based UA, apart from the appended timestamp. And then the discussion veered into incrediBill's header-checking routine. I knew I got it from him, but I would never have known that this was its home thread.

dstiles

9:55 pm on Jan 28, 2014 (gmt 0)




I tried running mpVrf2ZWrek6Mi9ZYzIwPJvc358 through a base64 converter but it didn't make sense. It's possibly (probably?) an encrypted string saying something like "Date/Time". Not entirely a joke: I regularly get attempts to authenticate on my POP3 server using the string UGFzc3dvcmQ6 which is base64 for "Password".

The rest of the UA seems valid.

trintragula

11:19 pm on Jan 28, 2014 (gmt 0)




I'd wondered about Xing it out before posting it here in case it's a beacon of some kind - but maybe that's a little too paranoid. :D Probably the timestamp would be good enough for that anyway.
Perhaps it's an encrypted node id to avoid massively parallel scrapes from being stopped by counting UA coincidences.
Who knows...
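
An added example, not code from any poster in this thread: a Python sketch of the "trap for rotating UAs" idea. It strips the trailing token and timestamp seen in the sample UA, flags clients whose UA differs on every request but is identical once stripped, and reports the decoded size of the token. The suffix pattern, the function names and the sample requests (documentation-range IPs) are assumptions constructed for illustration; only the one sample UA comes from the thread.

```python
import base64
import re
from collections import defaultdict

# Trailing "<base64 token> <ISO-8601 timestamp>" as in the thread's sample UA.
# Seconds are optional because the poster said the end may have been clipped.
SUFFIX = re.compile(
    r"\s+(?P<token>[A-Za-z0-9+/]{16,}={0,2})"
    r"\s+(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}(?::\d{2})?)\s*$"
)

def split_ua(ua):
    """Return (stable_part, token, timestamp); the last two are None if absent."""
    m = SUFFIX.search(ua)
    if not m:
        return ua.strip(), None, None
    return ua[:m.start()].strip(), m.group("token"), m.group("ts")

def token_info(token):
    """Decode the token; return (byte length, True if it is printable ASCII)."""
    raw = base64.b64decode(token + "=" * (-len(token) % 4))
    return len(raw), all(32 <= b < 127 for b in raw)

def rotating_clients(requests, min_variants=3):
    """requests: iterable of (ip, ua). Return IPs that sent at least
    min_variants distinct raw UAs which collapse to one UA once stripped."""
    raw, stable = defaultdict(set), defaultdict(set)
    for ip, ua in requests:
        raw[ip].add(ua)
        stable[ip].add(split_ua(ua)[0])
    return sorted(ip for ip in raw
                  if len(raw[ip]) >= min_variants and len(stable[ip]) == 1)

# Base UA and token copied from the thread; IPs and timestamps are constructed.
BASE = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
        "Chrome/30.0.1599.220 Safari/537.6")
TOKEN = "mpVrf2ZWrek6Mi9ZYzIwPJvc358="
SAMPLE_REQUESTS = (
    [("192.0.2.10", f"{BASE} {TOKEN} 2014-01-26T16:41:{s}") for s in ("12", "15", "19")]
    + [("198.51.100.7", BASE)] * 3
)

if __name__ == "__main__":
    print(rotating_clients(SAMPLE_REQUESTS))  # clients with a per-request UA
    print(token_info(TOKEN))                  # decoded size and printability
```

The token decodes to 20 bytes of non-printable data, which is why a base64 converter shows nothing readable; 20 bytes is the size of a 160-bit value such as a SHA-1 digest, though length alone does not establish what it is.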
 
