Mystery Requests

, Dec 7, 2006

For some reason I don’t know, I get strange requests to an old blog post. It happens about every one or two minutes, it’s always to requests from the same IP, one immediately after the other. IP addresses (except these pairs) never occur twice. The user agent string is always Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322), but only on the second request (the first one doesn’t have any). There’s no referrer string.

Example:

88.83.212.250 - - [07/Dec/2006:17:08:04 +0100] "GET /blog/st/2004/10/30/data_is_code_code_is_data.html HTTP/1.1" 200 9254
88.83.212.250 - - [07/Dec/2006:17:08:04 +0100] "GET /blog/st/2004/10/30/data_is_code_code_is_data.html HTTP/1.1" 200 9254 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
208.61.114.21 - - [07/Dec/2006:17:10:23 +0100] "GET /blog/st/2004/10/30/data_is_code_code_is_data.html HTTP/1.1" 200 9254
208.61.114.21 - - [07/Dec/2006:17:10:23 +0100] "GET /blog/st/2004/10/30/data_is_code_code_is_data.html HTTP/1.1" 200 9254 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
82.121.46.145 - - [07/Dec/2006:17:10:58 +0100] "GET /blog/st/2004/10/30/data_is_code_code_is_data.html HTTP/1.1" 200 9254
82.121.46.145 - - [07/Dec/2006:17:10:58 +0100] "GET /blog/st/2004/10/30/data_is_code_code_is_data.html HTTP/1.1" 200 9254 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

The page is not defaced or anything, but for some reason, it was referenced from this Wikipedia entry (I removed it there and entered the post from Bill de hÓra that I linked to instead).

Any hints would be greatly appreciated.

On December 8, 2006 12:41 AM, Alex said:

Well, the “.NET CLR 1.1.4322” part says that it’s using .NET (with version), and a bit of Googling reveals that a lot of sites are experiencing problems through this. My suspicion is that it’s someone’s blogging software trying your system (you’re using MovableType, right?) by traversing links, and goes in circles between your link to Bill and his trackback? One good suspect is http://www.metacentric.net/feed/reader/browser/Maxthon/index.jsp which uses that signature as one of many. Maybe pop them a mail?

On December 16, 2006 11:48 PM, Stefan Tilkov said:

I’ve reconfigured the server so that requests to that particular post get redirected to the requester’s IP. Let’s see whether someone notices …

On December 17, 2006 12:07 AM, Stefan Tilkov said:

BTW, thanks for the comment - it seems very plausible, and I wrote an email to those folks (who never replied). And yes, I’m using MT.