Security Incidents mailing list archives

Rapid Web page harvesting, probably by marketing firm


From: brett () LARIAT ORG (Brett Glass)
Date: Tue, 18 Apr 2000 08:20:59 -0600


We saw the following in our logs last night:

207.79.74.222 - - [18/Apr/2000:02:52:53 -0600] "GET /victimpage1.html HTTP/1.1" 200 14449 "-" "Microsoft URL Control - 6.00.8169"
207.79.74.222 - - [18/Apr/2000:02:52:57 -0600] "GET /victimpage2.html HTTP/1.1" 200 3389 "-" "Microsoft URL Control - 6.00.8169"
207.79.74.222 - - [18/Apr/2000:02:52:57 -0600] "GET /victimpage3.html HTTP/1.1" 200 5931 "-" "Microsoft URL Control - 6.00.8169"
207.79.74.222 - - [18/Apr/2000:02:52:58 -0600] "GET /victimpage4.html HTTP/1.1" 200 5475 "-" "Microsoft URL Control - 6.00.8169"
207.79.74.222 - - [18/Apr/2000:02:52:58 -0600] "GET /victimpage5.html HTTP/1.1" 200 5434 "-" "Microsoft URL Control - 6.00.8169"
207.79.74.222 - - [18/Apr/2000:02:52:59 -0600] "GET /victimpage6.html HTTP/1.1" 200 5289 "-" "Microsoft URL Control - 6.00.8169"
207.79.74.222 - - [18/Apr/2000:02:53:00 -0600] "GET /victimpage7.html HTTP/1.1" 200 5761 "-" "Microsoft URL Control - 6.00.8169"

Note that this appears to be an ill-behaved robot which is congesting Web
servers by making requests at an unacceptably fast rate. The "Microsoft URL
Control" agent field indicates that the hits are coming from a program
built around a Microsoft OCX -- in short, a custom "harvesting" program.

What is of greater concern, however, is that the IP address from which the
scan originated belongs to R.R. Donnelley
(http://www.donnelleymarketing.com/), the infamous seller of mailing lists
and personal information. They're partners with DoubleClick (presumably,
they help to correlate the information that DoubleClick gleans from
tracking Web users with other information about them) and are well known
for their sales of lists of phone numbers to telemarketers.

Could it be that this company is now compiling lists of e-mail addresses
for use by spammers? Or harvesting phone numbers from Web pages? Or both?

--Brett Glass
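
Added example, not part of the original post: one way to flag this request pattern automatically is to count each client's hits in a sliding time window over combined-format access log lines. The thresholds, the function name and the sample lines (including the 192.0.2.10 client and all byte counts) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: ip ident user [time] "request" status size "referer" "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def find_fast_clients(lines, max_hits=5, window=timedelta(seconds=10)):
    """Return {ip: {"peak": n, "agents": set}} for clients that made more than
    max_hits requests inside any sliding window. Thresholds are assumptions;
    each client's lines are assumed to be in chronological order."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)       # ip -> largest window population seen
    agents = defaultdict(set)     # ip -> User-Agent strings it presented
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # skip malformed or truncated entries
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()           # drop hits that fell out of the window
        peak[m["ip"]] = max(peak[m["ip"]], len(q))
        agents[m["ip"]].add(m["ua"])
    return {ip: {"peak": n, "agents": agents[ip]}
            for ip, n in peak.items() if n > max_hits}

# Constructed sample: timestamps and agent follow the post, sizes are made up.
_UA = "Microsoft URL Control - 6.00.8169"
_TIMES = ["02:52:53", "02:52:57", "02:52:57", "02:52:58",
          "02:52:58", "02:52:59", "02:53:00"]
SAMPLE = [f'207.79.74.222 - - [18/Apr/2000:{t} -0600] '
          f'"GET /victimpage{i}.html HTTP/1.1" 200 5000 "-" "{_UA}"'
          for i, t in enumerate(_TIMES, 1)]
# Constructed slow client (documentation address) that must not be flagged.
SAMPLE += [f'192.0.2.10 - - [18/Apr/2000:02:{mm}:10 -0600] '
           f'"GET /index.html HTTP/1.0" 200 1200 "-" "Mozilla/4.7 [en] (constructed)"'
           for mm in ("50", "52", "54")]
SAMPLE.append("truncated line without a request field")

if __name__ == "__main__":
    for ip, info in find_fast_clients(SAMPLE).items():
        print(ip, info["peak"], sorted(info["agents"]))
```

The peak count and the set of agent strings per client give an operator what is needed to decide between rate limiting and an abuse report.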

