Security Incidents mailing list archives
Rapid Web page harvesting, probably by marketing firm
From: brett () LARIAT ORG (Brett Glass)
Date: Tue, 18 Apr 2000 08:20:59 -0600
We saw the following in our logs last night:

207.79.74.222 - - [18/Apr/2000:02:52:53 -0600] "GET /victimpage1.html HTTP/1.1" 200 14449 "-" "Microsoft URL Control - 6.00.8169"
207.79.74.222 - - [18/Apr/2000:02:52:57 -0600] "GET /victimpage2.html HTTP/1.1" 200 3389 "-" "Microsoft URL Control - 6.00.8169"
207.79.74.222 - - [18/Apr/2000:02:52:57 -0600] "GET /victimpage3.html HTTP/1.1" 200 5931 "-" "Microsoft URL Control - 6.00.8169"
207.79.74.222 - - [18/Apr/2000:02:52:58 -0600] "GET /victimpage4.html HTTP/1.1" 200 5475 "-" "Microsoft URL Control - 6.00.8169"
207.79.74.222 - - [18/Apr/2000:02:52:58 -0600] "GET /victimpage5.html HTTP/1.1" 200 5434 "-" "Microsoft URL Control - 6.00.8169"
207.79.74.222 - - [18/Apr/2000:02:52:59 -0600] "GET /victimpage6.html HTTP/1.1" 200 5289 "-" "Microsoft URL Control - 6.00.8169"
207.79.74.222 - - [18/Apr/2000:02:53:00 -0600] "GET /victimpage7.html HTTP/1.1" 200 5761 "-" "Microsoft URL Control - 6.00.8169"

Note that this appears to be an ill-behaved robot which is congesting Web servers by making requests at an unacceptably fast rate. The "Microsoft URL Control" agent field indicates that the hits are coming from a program built around a Microsoft OCX -- in short, a custom "harvesting" program.

What is of greater concern, however, is that the IP address from which the scan originated belongs to R.R. Donnelly (http://www.donnelleymarketing.com/), the infamous seller of mailing lists and personal information. They're partners with DoubleClick (presumably, they help to correlate the information that DoubleClick gleans from tracking Web users with other information about them) and are well known for their sales of lists of phone numbers to telemarketers.

Could it be that this company is now compiling lists of e-mail addresses for use by spammers? Or harvesting phone numbers from Web pages? Or both?

--Brett Glass
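An added example, not part of the original message: one way to surface this kind of burst automatically is a per-client sliding-window count over combined-format access logs. The function name, the thresholds (more than 5 hits in 10 seconds) and the two 192.0.2.10 lines are assumptions made for illustration; the other sample lines are the ones quoted in the message.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined log format, matching the lines quoted in the message.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def find_fast_clients(lines, max_hits=5, window=timedelta(seconds=10)):
    """Return {ip: (peak_hits_in_window, user_agents)} for clients that exceed
    max_hits requests in any window. Assumes lines are in chronological order."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)       # ip -> largest window count seen so far
    agents = defaultdict(set)     # ip -> User-Agent strings it presented
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # skip lines that are not combined-format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window: # drop hits that have aged out of the window
            q.popleft()
        peak[m["ip"]] = max(peak[m["ip"]], len(q))
        agents[m["ip"]].add(m["agent"])
    return {ip: (n, sorted(agents[ip])) for ip, n in peak.items() if n > max_hits}

# First seven lines are from the message; the 192.0.2.10 lines are constructed
# to represent an ordinary browser visiting at a human pace.
SAMPLE = [
    '207.79.74.222 - - [18/Apr/2000:02:52:53 -0600] "GET /victimpage1.html HTTP/1.1" 200 14449 "-" "Microsoft URL Control - 6.00.8169"',
    '207.79.74.222 - - [18/Apr/2000:02:52:57 -0600] "GET /victimpage2.html HTTP/1.1" 200 3389 "-" "Microsoft URL Control - 6.00.8169"',
    '207.79.74.222 - - [18/Apr/2000:02:52:57 -0600] "GET /victimpage3.html HTTP/1.1" 200 5931 "-" "Microsoft URL Control - 6.00.8169"',
    '207.79.74.222 - - [18/Apr/2000:02:52:58 -0600] "GET /victimpage4.html HTTP/1.1" 200 5475 "-" "Microsoft URL Control - 6.00.8169"',
    '207.79.74.222 - - [18/Apr/2000:02:52:58 -0600] "GET /victimpage5.html HTTP/1.1" 200 5434 "-" "Microsoft URL Control - 6.00.8169"',
    '207.79.74.222 - - [18/Apr/2000:02:52:59 -0600] "GET /victimpage6.html HTTP/1.1" 200 5289 "-" "Microsoft URL Control - 6.00.8169"',
    '207.79.74.222 - - [18/Apr/2000:02:53:00 -0600] "GET /victimpage7.html HTTP/1.1" 200 5761 "-" "Microsoft URL Control - 6.00.8169"',
    '192.0.2.10 - - [18/Apr/2000:02:53:05 -0600] "GET /index.html HTTP/1.0" 200 2048 "-" "Mozilla/4.7 [en] (WinNT; I)"',
    '192.0.2.10 - - [18/Apr/2000:02:53:35 -0600] "GET /about.html HTTP/1.0" 200 4096 "-" "Mozilla/4.7 [en] (WinNT; I)"',
]

if __name__ == "__main__":
    for ip, (hits, uas) in find_fast_clients(SAMPLE).items():
        print(f"{ip}: {hits} requests within 10s, agents={uas}")
```

The User-Agent is reported alongside the rate but not used as the trigger, since a client can send any agent string it likes.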