Can someone explain in words of two syllables exactly what this UA does, and why it’s doing it? I have met it before, but never to such egregious lengths. The one thing I’m tolerably sure of is that there is no malign intent; the human may not even know what his computer is doing. (“Never attribute to malice that which can be adequately explained by stupidity.”)

This week’s adventure happened to involve a rarely-visited page, making it relatively easy to check. It starts with an ordinary human from an ordinary human ISP using MSIE 11, visiting

/ebooks/title/chapter.html

No referer; cursory research suggests that he’d bookmarked the page after an earlier visit that also involved /ebooks/title/ but nothing outside this directory.

But then, beginning about a minute after the human visit, I start seeing this 9-request pattern from the same IP:

24.36.aa.bb - - [05/Feb/2017:16:48:52 -0800] "OPTIONS / HTTP/1.1" 403 3545 "-" "Microsoft Office Protocol Discovery" 
24.36.aa.bb - - [05/Feb/2017:16:48:52 -0800] "OPTIONS / HTTP/1.1" 403 3546 "-" "Microsoft Office Protocol Discovery" 
24.36.aa.bb - - [05/Feb/2017:16:48:52 -0800] "GET /sharedstyles.css HTTP/1.1" 304 261 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; ARM; Trident/7.0; .NET4.0E; .NET4.0C; Tablet PC 2.0; ms-office; MSOffice 15)" 
24.36.aa.bb - - [05/Feb/2017:16:48:52 -0800] "OPTIONS /ebooks/ HTTP/1.1" 403 3545 "-" "Microsoft Office Protocol Discovery" 
24.36.aa.bb - - [05/Feb/2017:16:48:52 -0800] "OPTIONS /ebooks/ HTTP/1.1" 403 3546 "-" "Microsoft Office Protocol Discovery" 
24.36.aa.bb - - [05/Feb/2017:16:48:52 -0800] "GET /ebooks/ebookstyles.css HTTP/1.1" 304 261 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; ARM; Trident/7.0; .NET4.0E; .NET4.0C; Tablet PC 2.0; ms-office; MSOffice 15)" 
24.36.aa.bb - - [05/Feb/2017:16:48:52 -0800] "OPTIONS /ebooks/title/ HTTP/1.1" 403 3545 "-" "Microsoft Office Protocol Discovery" 
24.36.aa.bb - - [05/Feb/2017:16:48:52 -0800] "OPTIONS /ebooks/title/ HTTP/1.1" 403 3546 "-" "Microsoft Office Protocol Discovery" 
24.36.aa.bb - - [05/Feb/2017:16:48:52 -0800] "GET /ebooks/title/titlestyles.css HTTP/1.1" 304 261 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; ARM; Trident/7.0; .NET4.0E; .NET4.0C; Tablet PC 2.0; ms-office; MSOffice 15)" 

Always this set of exactly nine requests in the same order. (I picked one at random for posting. The very first set got 200 responses for the stylesheets; from then on it was the predictable 304.)

OPTIONS /
OPTIONS /
GET /sharedstyles.css
OPTIONS /ebooks/
OPTIONS /ebooks/
GET /ebooks/ebookstyles.css
OPTIONS /ebooks/title/
OPTIONS /ebooks/title/
GET /ebooks/title/titlestyles.css

The OPTIONS requests were blocked due to severely deficient headers, with the addition of a consistent

X-Idcrl-Accepted: t

(wtf? Is that the actual header, or did the machine break?) I don't know about the stylesheets, because those generally get a free pass anyway.

Multiply this by 106.

The next morning, our human apparently went to work; in the course of an hour and a half early in the day*, there were 120 further nine-request packages from a respectable university’s IP. And then he went home early, leading to a final 102 packages from the original IP.

I make this out to be 2952** requests, which is at least 2943 too many.


* I looked it up. The university is in the Eastern time zone, so it wasn’t as outrageously early as it looked in logs.
** 9 x (106 + 120 + 102 = 328)