Once again someone on the Amazon cloud network is trying to access our sites in programmatic ways:
OrgName: Amazon.com, Inc.
OrgID: AMAZO-4
Address: Amazon Web Services, Elastic Compute Cloud, EC2
Address: 1200 12th Avenue South
City: Seattle
StateProv: WA
PostalCode: 98144
Country: US
NetRange: 75.101.128.0 - 75.101.255.255
Friday, July 10, 2009
Someone or something at A2 hosting attempted to access our sites using some sort of PHP client:
Internet 123, Inc. INTERNET-BLK-I123-3 (NET-69-39-64-0-1)
69.39.64.0 - 69.39.95.255
A2 Hosting, Inc. I123-069039089000-032004 (NET-69-39-89-0-1)
69.39.89.0 - 69.39.89.255
Hopefully Internet 123, Inc. and/or A2 Hosting, Inc. will take a look at this and do something about it.
The offending IP: 69.39.89.40 tried to access our sites with two different versions of PHP.
MCI / Proxy IT - bad traffic
Someone in this proxy IP range attempted to hit our sites with Python.
65.200.199.106 at 7/5/2009 10:46:19 PM
MCI Communications Services, Inc. d/b/a Verizon Business UUNET65 (NET-65-192-0-0-1)
65.192.0.0 - 65.223.255.255
Proxy IT UU-65-200-199-D6 (NET-65-200-199-0-1)
65.200.199.0 - 65.200.199.255
MCI should really do something about this because clearly someone is using this proxy to attempt to do their dirty work.
Bot out of University of Toronto
BlogScope bot hit our sites from University of Toronto
128.100.20.21
OrgName: University of Toronto
OrgID: UNIVER-36
Address: Computing and Networking Services
Address: 4 BANCROFT AVENUE - ROOM 101C
City: TORONTO
StateProv: ON
PostalCode: M5S-1C1
Country: CA
NetRange: 128.100.0.0 - 128.100.255.255
University Santa Cruz - WGet hackers
Someone at the University of Santa Cruz is attempting to access our sites using WGET from this IP 128.114.48.95 at 7/7/2009 7:53:48 PM
OrgName: University of California, Santa Cruz
OrgID: UCSC
Address: University of California, Santa Cruz
Address: UCSC Information Technology Services
Address: Communications Building
Address: 1156 High Street
City: Santa Cruz
StateProv: CA
PostalCode: 95064
Country: US
NetRange: 128.114.0.0 - 128.114.255.255
Colin-Miller - hitting our sites with Java
Someone at Colin Miller in San Francisco, California is attempting to access our sites with some type of Java client.
Comcast Business Communications, Inc. CBC-SFBA-13 (NET-173-11-64-0-1)
173.11.64.0 - 173.11.127.255
Comcast Business Communications, Inc. CBC-CM-4 (NET-173-8-0-0-1)
173.8.0.0 - 173.15.255.255
Colin Miller-San Francisco-CA-18 COLIN-MILLER-SAN-FRANCISCO-CA-18 (NET-173-11-77-96-1)
173.11.77.96 - 173.11.77.111
Programmatic traffic from eNet / XLHost
Getting clearly programmatic traffic from this network:
eNET Inc. ENET-XLHOST-2 (NET-173-45-64-0-1)
173.45.64.0 - 173.45.127.255
XLHost.com Inc XLHOST-OOFFER3-4941 (NET-173-45-84-80-1)
173.45.84.80 - 173.45.84.95
Managed Solutions Group - Malware
Someone attempted to get at our web server using a Java software client of some kind from this IP: 205.209.142.43
This IP belongs to "Managed Solutions Group" in California:
OrgName: Managed Solutions Group, Inc.
OrgID: MSG-48
Address: 45535 Northport Loop East
City: Fremont
StateProv: CA
PostalCode: 94538
Country: US
ReferralServer: rwhois://rwhois.managedsg-inc.com:4321
NetRange: 205.209.128.0 - 205.209.191.255
Twiceler - still doesn't obey robots.txt
Getting tons of hits from the Twiceler bot - it is still not obeying the robots.txt file. The hits are quite excessive. If they don't stop we may just block it at the firewall level.
Some of the IPs:
38.99.44.105
216.129.119.42
216.129.119.12
216.129.119.44
216.129.119.40
216.129.119.49
38.99.44.102
Tuesday, July 07, 2009
Problem with MS Terminal Services / VPN
There is a problem with Microsoft Terminal Services and/or Cisco's VPN product. When I am connected to my server through the Cisco VPN client and Terminal Services and my connection gets disrupted in some way, first of all I cannot reconnect to the VPN. Perhaps the VPN/firewall thinks I am still connected, or maybe the services on my machine get corrupted in some way and cause this problem.
The second problem is that after a reboot (potentially restarting some services would also resolve this) and I reconnect to my VPN, Microsoft Terminal Services on the computer to which I was connected says all the Terminal Service sessions are in use and I cannot get back into my box. This is a potential security problem if someone else was able to connect to that particular session. It doesn't make any sense that I would show as still being connected because one particular account is supposed to terminate on disconnect or log out and so I should be able to get back in on that account after the network disruption.
On the flip side, I've had a problem where a particular account using Terminal Services is NOT supposed to shut down on disconnect, and when I get booted off the VPN via a network disruption, that account would shut down even when in theory it should not. It seems like maybe that problem was fixed but a new problem has arisen as a result of whatever changed.
Friday, July 03, 2009
Service Provider Corporation
If you've seen Service Provider Corporation IP addresses in your logs and then tried to find information about the company you'll end up here:
http://www.wdspco.org/
OrgName: Service Provider Corporation
OrgID: SPC-10
Address: 442 Route 202-206 North
Address: # 485
City: Bedminster
StateProv: NJ
PostalCode: 07921-0523
Country: US
NetRange: 166.128.0.0 - 166.255.255.255
CIDR: 166.128.0.0/9
NetName: NETBLK-CDPD-B
NetHandle: NET-166-128-0-0-1
This is an organization that allocates IP addresses to various wireless providers. Presumably some odd traffic on our server is from AT&T since the user agent appears to be iPhones. However the iPhones are acting a little strange and using a lot of different IP addresses for what appears to be the same web request. I could be wrong. We'll have to dig into this a bit more...
The other problem with this organization is that it actually hides the true source of the traffic in some cases. Someone on this network actually hacked into my web mail provider one time and apparently was reading my email. This organization states on their web site on a page that is not search engine friendly:
The WDSPCo NIC administers and maintains the IP address blocks that are leased from ARIN. The NIC assigns IP address blocks to WDSPCo members on request in accordance to the WDSPCo IP Management rules and the ARIN IP rules.
The NIC is also responsible for the WDSPCo DNS server. The NIC maintains the server. They also update with member server information for the reverse DNS lookup table for the leased IP blocks. When requesting a new block of IP addresses, members can supply their DNS server names so that the NIC can assign those server names to the IP block on the DNS server at the time of allocation. IP blocks can be leased without DNS server assignments.
The problem here is that some of the traffic coming from this IP range appears to be under the cover of this organization's name and you cannot truly report the source of the bad traffic to the company from whence it came if the IPs have been leased to someone else and not appropriately identified. In my opinion this organization should be forced by law to list both their name AND the name of the wireless company that is sending traffic to your sites.
Thursday, July 02, 2009
123People - illegal scraping and reposting of content
123People.com is illegally scraping and reposting content from other web sites.
Information posted on social networks is posted by people who allow that particular social network to display information, some of it public, some of it not. This particular site has posted public information on their web site which I did not make available to the public. They have also posted photos which they are not authorized to copy off the other web site where I had posted it.
When you contact a web site that has posted information about you and you want it taken down, the professional thing to do would be to remove it. In this case this site appears to be posting private information and then trying to get you to use a service to get it removed. This is a really shady business practice. I would recommend NOT contacting the "free" services they list but rather contacting a lawyer, search engines and elected officials to get these types of unwanted postings of personal information on the web to stop.
123People.com was probably just created to grab your information and post it publicly in a way you don't like with other bogus information, then send you to a third party to clean it up. They need to take responsibility for the content they are posting. Additionally their scraping practices should be illegal if they are not. 123People.com also posts so much bogus information - there should be a law against that as well and some recourse for people whose information has been posted inaccurately or against their will and the person posting it refuses to remove it.
A better approach would probably be to get a lawyer or blog about 123People as I have done so other people can be warned and find it - and also complain to Google and other search engines using their functions for doing so, and your elected officials to get laws in place that prevent posting private information without your consent on web sites.
Here is the information from the 123People web site - again, don't pay them to take down things you didn't authorize them to post. There needs to be a better solution to this situation:
______________________________________________________________
How do I delete the search results on the 123people?
123people refers to information originating from the other publicly available websites on the Internet. All we do is provide the viewing of the real time search results available on the Internet in a clear and well-arranged way.
If you want to edit or to delete information, there are two possibilities:
1. Contact the original source
If you want to delete the contents, please contact directly the original source of the information. You can find the source by clicking on the small icon to the left of all displayed results. Your support team will take care of your request voluntarily and free of charge.
2. Professional Services
There are services that take care of their customers online. We have selected a few of those services that you can use. Please contact one of the services of your choice directly for further information.
www.reputationdefender.com
www.myonid.com
Indication: 123people accesses data that have been found on other websites by classical search engines such as Yahoo. Search engines save the found information for a certain period of time. These search engines do not explore all websites at the same time – that depends on how often the content on the website is updated, amongst other things – so it might take some time (sometimes even months) until certain content has disappeared from the search results of big search engines. The information may appear on the site of 123people even if the source of the information has already been deleted.
The web site www.reputationdefender.com as well as www.myonid.com are independent companies who offer their services for free and do not stand in any form of cooperation with 123people.
Monday, June 29, 2009
Embarq Corporation - Malformed web requests
We are getting malformed web requests from this IP address on the Embarq Corporation network:
67.237.204.65
In fact we have seen a lot of bad traffic from Embarq network address ranges in the past.
OrgName: Embarq Corporation
OrgID: EMBAR
Address: 500 N New York Ave
City: Winter Park
StateProv: FL
PostalCode: 32789
Country: US
NetRange: 67.232.0.0 - 67.239.255.255
Friday, June 26, 2009
XLHost - Trying to access our sites programmatically
XLHost IP ranges continue to try to access our sites programmatically:
eNET Inc. ENET-XLHOST-2 (NET-173-45-64-0-1)
173.45.64.0 - 173.45.127.255
XLHost.com Inc XLHOST-DTODD1-5959 (NET-173-45-70-176-1)
173.45.70.176 - 173.45.70.183
Bad requests - Verizon
Got over 1200 bad requests from this IP on the Verizon network today: 71.176.87.58
OrgName: Verizon Internet Services Inc.
OrgID: VRIS
Address: 1880 Campus Commons Dr
City: Reston
StateProv: VA
PostalCode: 20191
Country: US
NetRange: 71.173.96.0 - 71.180.255.255
CIDR: 71.173.96.0/19, 71.173.128.0/17, 71.174.0.0/15, 71.176.0.0/14, 71.180.0.0/16
NetName: VIS-BLOCK
NetHandle: NET-71-173-96-0-1
Parent: NET-71-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.BELLATLANTIC.NET
NameServer: NS2.BELLATLANTIC.NET
NameServer: NS2.VERIZON.NET
NameServer: NS4.VERIZON.NET
Strange requests / odd headers
We're getting strange requests on our server for files we don't host like this:
ip: 69.72.169.233
query string: path[docroot]=http://barrasford.net/barras/1.swf??
Fri Jun 26 15:39:20 PDT 2009
User Agent: Mozilla/5.0
Headers:
TE: deflate,gzip;q=0.3
Connection: TE, close
Thursday, June 25, 2009
author.dll
A bot called core-project is coming from different URLs and attempting to access something called author.dll on our server:
6/19/2009 11:03:08 PM 125.244.77.2 /_vti_bin/_vti_aut/author.dll core-project/1.0 POST
6/18/2009 3:14:16 PM 62.212.123.125 /_vti_bin/_vti_aut/author.dll core-project/1.0
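As an added example (not the blog's own code), here is a small Python scanner for the two request shapes this post and the "Strange requests / odd headers" post above describe: a query parameter whose value is a remote URL, which is the classic remote-file-inclusion probe shape (the `path[docroot]=http://...` string is exactly that), and any request under `/_vti_bin/`, the FrontPage Server Extensions authoring path in which `author.dll` lives and which a server that never ran FrontPage has no reason to serve. The log lines in `SAMPLE_LOG` are constructed for the example (the two probe IPs are the ones quoted in the posts; the hostnames and the other addresses are made up). Incidentally, the `TE: deflate,gzip;q=0.3` / `Connection: TE, close` pair quoted in the earlier post is the header combination Perl's libwww (LWP) sends by default, which is why such requests read as scripted despite the `Mozilla/5.0` agent string.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines (Apache combined log format), modelled on the two
# request shapes described in the posts; they are not the blog's own data.
SAMPLE_LOG = """\
69.72.169.233 - - [26/Jun/2009:15:39:20 -0700] "GET /index.php?path[docroot]=http://example.invalid/1.swf?? HTTP/1.1" 404 212 "-" "Mozilla/5.0"
125.244.77.2 - - [19/Jun/2009:23:03:08 -0700] "POST /_vti_bin/_vti_aut/author.dll HTTP/1.1" 404 180 "-" "core-project/1.0"
203.0.113.7 - - [19/Jun/2009:23:05:00 -0700] "GET /about.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.0)"
203.0.113.9 - - [19/Jun/2009:23:06:00 -0700] "GET /page.php?id=42&ref=https://partner.example/landing HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Parameter names that usually name a file or directory to include; a remote
# URL in one of these is the textbook remote-file-inclusion probe.
INCLUDE_PARAM_RE = re.compile(r'(path|file|page|dir|root|inc|include|template|doc)', re.I)
ABSOLUTE_URL_RE = re.compile(r'^(https?|ftp)://', re.I)

# FrontPage Server Extensions authoring endpoints live under /_vti_bin/; a
# server that never ran FrontPage should see no legitimate requests there.
FRONTPAGE_PREFIX = "/_vti_bin/"


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return a list of (kind, detail) findings for one parsed log entry."""
    findings = []
    parts = urlsplit(entry["target"])
    if parts.path.lower().startswith(FRONTPAGE_PREFIX):
        findings.append(("frontpage_authoring_probe", parts.path))
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if ABSOLUTE_URL_RE.match(value):
            # A URL in an include-style parameter is far more likely to be a
            # probe than a URL in, say, a referral or redirect parameter.
            severity = "high" if INCLUDE_PARAM_RE.search(name) else "low"
            findings.append(("rfi_candidate", f"{name}={value} ({severity})"))
    return findings


def scan(log_text):
    """Scan a block of log lines; return (ip, kind, detail) for every finding."""
    results = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for kind, detail in classify(entry):
            results.append((entry["ip"], kind, detail))
    return results


if __name__ == "__main__":
    for ip, kind, detail in scan(SAMPLE_LOG):
        print(f"{ip:<16} {kind:<26} {detail}")
```

The second `rfi_candidate` finding (a URL in a `ref` parameter) is reported at low severity on purpose: many legitimate applications carry URLs in query strings, so the parameter name, not just the value, is what separates a probe from ordinary traffic.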
Wednesday, June 24, 2009
Alaska Communications Group
Based on recent activity on my server, I have a hunch there are hackers coming out of this network but couldn't prove it at the moment. Will have to keep an eye on this...
OrgName: Alaska Communications Systems Group, Inc.
OrgID: ACSG-1
Address: c/o ACS Internet, Inc.
Address: 600 Telephone Ave.
City: Anchorage
StateProv: AK
PostalCode: 99503
Country: US
ReferralServer: rwhois://rwhois.acsalaska.net:4321
NetRange: 216.67.0.0 - 216.67.127.255
Tuesday, June 23, 2009
Turnitin Bot - Odd behavior
Turnitin bot is requesting pages and types of technology that haven't existed on one of our sites for years - probably over five years.
First question is - where are they even getting these links?
Second question is - why are they not obeying robots.txt for this site?
Turnitin bot is on this network:
O1.com NETBLK-O1-BLK4 (NET-65-98-128-0-1)
65.98.128.0 - 65.98.255.255
iParadigms, LLC NETBLK-65-98-224-0 (NET-65-98-224-0-1)
65.98.224.0 - 65.98.224.31
SuperPages Bot - Bogus Requests?
The SuperPages bot is submitting web requests that don't appear to be true. I'm not even sure if this bot is really from super pages. It lists a particular web page as the referrer, but after visiting that web page, there are clearly no links to our sites on that page. Obviously the bot is making up bogus information that could skew marketing results. I hope people are also not paying for bogus clicks from this company as a result of this activity.
The IP address from which the bogus web request came: 151.138.13.244
Suspicious Login Activity
I just logged into my web server. First connect to VPN, then type in admin password.
I typed in the administrator password numerous times. I know it was exactly the right password. I must have typed it 10 or 20 times. I even typed it out in Notepad so I could see what I was typing to verify I was typing the right thing.
About the 20th attempt - suddenly the password worked. This is the same password I typed each time over and over again very carefully after it failed the first few times.
Something very strange is going on...time to change passwords.
Friday, June 19, 2009
AT&T Wireless - Reports people in Florida when Not
AT&T Wireless reports people as logging in from Florida using their laptop connect cards when they are at the opposite side of the country. You'd think that with all the work on GPS and the government mandate regarding pinpointing people's locations when they are on cell phones for 911 calls, they would also accurately pinpoint locations when using laptop connect cards.
This is the network you get when you look up the associated IP addresses:
OrgName: AT&T Global Network Services, LLC
OrgID: ATGS
Address: 3200 Lake Emma Road
City: Lake Mary
StateProv: FL
PostalCode: 32746
Country: US
NetRange: 32.0.0.0 - 32.255.255.255
Perhaps this is for security reasons or otherwise, I'm not sure, but if they are serving up an IP in LA or Seattle it seems like they could pull it from an associated IP range mapped to that city so locations can be accurately reported in logs. This is another hole for cyber criminals - like AOL's IP address reporting, which basically does the same thing. Everyone is in Virginia according to their IP ranges.
And by the way those ads "I just found the Internet" in all these out of the way places - AT&T Wireless doesn't work in the heartland in Wisconsin. It may be a little remote compared to a large city but it's not exactly Timbuktu. There are a bunch of towns out there with a significant enough population to have a Walmart that don't have any coverage.
Thursday, June 18, 2009
Mail.Ru/1.0 not obeying Robots.txt
This bot Mail.Ru/1.0 read robots.txt, ignored it and tried to access a page anyway from this IP address 94.100.181.242
Wednesday, June 17, 2009
GoogleImageBot - Annoying
We have a site where we disallow the google image bot. We started putting the photos on a subdomain of that web site. Google-bot apparently scanned and put all the images on that subdomain on the net even though our robots.txt file for that site tells Google to bug off and there's no link to those images except from our site.
RUDE.
This is probably going to cost monetary loss for our business since people keep trying to rip off these images that are totally unique to our business.
Tuesday, June 16, 2009
Comodo - unwanted traffic
There is some obvious web request manipulation going on from this network which hosts the "comodo SSL checker" bot:
inetnum: 91.209.196.0 - 91.209.196.255
netname: COMODO
descr: Comodo CA Ltd
country: GB
FollowSite Bot
FollowSite Bot ( http://www.followsite.com/bot.html ) is not obeying robots.txt on our server.
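The Twiceler, Turnitin, Mail.Ru and FollowSite posts on this page all come down to the same question: which crawlers are fetching paths that the site's robots.txt disallows? The following is an added Python example (not the blog's own code) that audits access-log records against a robots.txt using the standard library's `urllib.robotparser`. The hosts, robots.txt contents, IPs and user-agent strings are constructed for the example. It also shows the caveat behind the GoogleImageBot post: robots.txt is scoped to one host, so rules served by `www.example.test` say nothing about `images.example.test`, and a subdomain that serves no robots.txt of its own is treated by crawlers as fully fetchable.

```python
import re
from collections import Counter
from urllib.robotparser import RobotFileParser

# Constructed robots.txt contents per host (hypothetical hosts, not the blog's).
# images.example.test is deliberately absent: it serves no robots.txt, and a
# crawler treats that as "everything on this host may be fetched".
ROBOTS_BY_HOST = {
    "www.example.test": """\
User-agent: *
Disallow: /private/
Disallow: /old-cgi/

User-agent: Googlebot-Image
Disallow: /

User-agent: Twiceler
Disallow: /
""",
}

# Constructed access-log records: (host, client_ip, user_agent, path).
SAMPLE_REQUESTS = [
    ("www.example.test",    "216.129.119.42", "Twiceler-0.9 (+http://crawler.example.test/info)", "/articles/1.html"),
    ("www.example.test",    "216.129.119.44", "Twiceler-0.9 (+http://crawler.example.test/info)", "/articles/2.html"),
    ("www.example.test",    "94.100.181.242", "Mail.Ru/1.0",                                      "/private/members.html"),
    ("www.example.test",    "65.98.224.5",    "TurnitinBot/2.1 (+http://crawler.example.test/t)", "/old-cgi/guestbook.pl"),
    ("www.example.test",    "66.249.72.10",   "Googlebot-Image/1.0",                              "/photo.jpg"),
    ("images.example.test", "66.249.72.10",   "Googlebot-Image/1.0",                              "/photo.jpg"),
    ("www.example.test",    "66.249.72.11",   "Googlebot/2.1 (+http://crawler.example.test/g)",   "/articles/1.html"),
]


def agent_token(user_agent):
    """Product token at the start of a user-agent string (before '/' or space)."""
    return re.split(r"[/ ]", user_agent, maxsplit=1)[0]


def parser_for(host):
    """Return a RobotFileParser for host, or None if the host has no robots.txt."""
    text = ROBOTS_BY_HOST.get(host)
    if text is None:
        return None
    rp = RobotFileParser()
    rp.parse(text.splitlines())
    return rp


def audit(requests):
    """Return (violations, counts): the records that fetched a path their host's
    robots.txt disallows, and how many such fetches each crawler made."""
    parsers = {}
    violations = []
    for host, ip, ua, path in requests:
        if host not in parsers:
            parsers[host] = parser_for(host)
        rp = parsers[host]
        if rp is None:
            continue  # no robots.txt on this host, so nothing can be violated
        if not rp.can_fetch(ua, path):
            violations.append((host, ip, ua, path))
    counts = Counter(agent_token(ua) for _, _, ua, _ in violations)
    return violations, counts


if __name__ == "__main__":
    violations, counts = audit(SAMPLE_REQUESTS)
    for host, ip, ua, path in violations:
        print(f"{host:<20} {ip:<15} {agent_token(ua):<16} {path}")
    print(dict(counts))
```

One thing to know about `RobotFileParser`: it matches a `User-agent:` group against the product token before the first `/` of the string you hand to `can_fetch`, so `Mail.Ru/1.0` matches a `User-agent: Mail.Ru` group, but a logged string that begins `Mozilla/5.0 (...)` only ever matches `*`. If your logs record the long form, normalise the agent string to the crawler's own token before checking.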
AOL Hacker
We clearly get bombed with abusive traffic repeatedly by someone on AOL. We've reported this malicious traffic to AOL a number of times and still it continues. We've finally just had to completely block the IPs in this range:
205.188.116.0-205.188.117.255
Hopefully one of these days AOL will do something about malicious traffic on their network when it is reported. They had a habit of blocking spammers which I thought was pretty cool even though we inadvertently got blocked once. We were able to contact them and fix the problem.
Now the tables are turned - AOL won't fix this problem so we have to block some traffic from their network.
The problem is not a bunch of AOL traffic. That's great. The problem is the traffic is clearly not right because it comes in excess from a multitude of IP addresses and different sessions. If it were one user looking at all the pages, the traffic should have the same IP address and session throughout the visit.
Please AOL...read your abuse@aol.com emails and fix problems like this.
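Two things a practitioner would do with this post, shown as an added Python example rather than anything from the blog: turn the whois-style range `205.188.116.0-205.188.117.255` into the CIDR notation a firewall rule wants, and flag sessions whose requests arrive from several source addresses, which is the pattern the post describes. The hits in `SAMPLE_HITS` are constructed. One caveat on that heuristic: large forward-proxy farms (AOL's was the best-known case) do route a single user's page views through several egress addresses, so a session seen from many IPs is a triage signal to combine with request volume and rate, not proof of abuse on its own.

```python
import ipaddress
from collections import defaultdict


def range_to_cidrs(first, last):
    """Express an inclusive first-last address range as the fewest CIDR blocks."""
    return [str(net) for net in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


# The range named in the post, in the form a firewall or .htaccess rule wants.
BLOCKED_NETS = [ipaddress.ip_network(c)
                for c in range_to_cidrs("205.188.116.0", "205.188.117.255")]

# Constructed hits: (client_ip, session_id, path). Not from the blog's logs.
SAMPLE_HITS = [
    ("205.188.116.5",   "s-aaa", "/"),
    ("205.188.116.9",   "s-aaa", "/page2.html"),
    ("205.188.117.130", "s-aaa", "/page3.html"),
    ("205.188.116.5",   "s-bbb", "/"),
    ("198.51.100.20",   "s-ccc", "/"),
    ("198.51.100.20",   "s-ccc", "/page2.html"),
]


def in_blocked_range(ip):
    """True if ip falls inside one of BLOCKED_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETS)


def triage_sessions(hits, multi_ip_threshold=2):
    """Summarise each session: its distinct source IPs, whether any of them is
    in the blocked range, and whether it spread across >= multi_ip_threshold IPs."""
    ips_per_session = defaultdict(set)
    for ip, session_id, _path in hits:
        ips_per_session[session_id].add(ip)
    report = {}
    for session_id, ips in ips_per_session.items():
        ordered = sorted(ips, key=ipaddress.ip_address)
        report[session_id] = {
            "ips": ordered,
            "in_blocked_range": any(in_blocked_range(ip) for ip in ordered),
            "multi_ip": len(ordered) >= multi_ip_threshold,
        }
    return report


if __name__ == "__main__":
    print("blocked CIDRs:", [str(net) for net in BLOCKED_NETS])
    for session_id, info in triage_sessions(SAMPLE_HITS).items():
        print(session_id, info)
```

`summarize_address_range` also handles ranges that are not a single block (the Verizon CIDR list earlier on this page is what such a range expands to), so the same helper turns any whois `NetRange` line into rule-ready prefixes.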
Websense
After asking Websense to please stop hitting our web sites with clearly altered or bogus traffic - they proceeded to hit all our web sites repeatedly with such traffic. This is not very nice behavior. They could have emailed me back to explain what they are doing and why instead of trying to continue to bomb our web sites.
Websense does security research which I appreciate, however I do not appreciate the bogus traffic they are sending to our web sites constantly. A check once in a while would be fine but they hit the sites repeatedly every day. This seems a bit excessive.
Seriously we have a handful of local sites. Do they need to hit them three times a day??
Websense (WEBSEN-1)
Websense Network Operations Center (WNOC-ARIN) arin@websense.com +1-858-320-8000
Websense, Inc (AS13448) WEBSENSE 13448
Websense TWTC-NETBLK-4 (NET-66-194-6-0-1) 66.194.6.0 - 66.194.6.255
Websense Inc12036038 SBC06711720112828040601125225 (NET-67-117-201-128-1) 67.117.201.128 - 67.117.201.143
Bad request - Pocketinet
Our web servers just went down for some reason. Right before the problem we got a bad web request from this IP address and network, and additionally they attempted to access the site using Wget.
64.185.119.190
Pocketinet Communications, Inc POCKETINET-1 (NET-64-185-96-0-1)
64.185.96.0 - 64.185.127.255
PocketInet POCKETINET-BG-2 (NET-64-185-119-128-1)
64.185.119.128 - 64.185.119.255
Monday, June 15, 2009
Strange traffic - related?
Getting some weird web requests right now and wondering if the traffic from these IPs is somehow related:
209.112.190.24
OrgName: Alaska Communications Systems Group, Inc.
OrgID: ACSG-1
Address: c/o ACS Internet, Inc.
Address: 600 Telephone Ave.
City: Anchorage
StateProv: AK
PostalCode: 99503
Country: US
72.192.71.233
Cox Communications Inc. NETBLK-COX-ATLANTA-11 (NET-72-192-0-0-1)
72.192.0.0 - 72.223.255.255
Cox Communications NETBLK-OK-RDC-72-192-64-0 (NET-72-192-64-0-1)
72.192.64.0 - 72.192.127.255
69.50.139.225
NationalNet, Inc. NATL-MACH10-NET (NET-69-50-128-0-1)
69.50.128.0 - 69.50.143.255
WTS MACH10-WTS (NET-69-50-139-128-1)
69.50.139.128 - 69.50.139.255
170.35.224.64
OrgName: BellSouth Cellular Corp.
OrgID: BCC-12
Address: 12555 Cingular Way
Address: Suite 4360
City: Alpharetta
StateProv: GA
PostalCode: 30041
Country: US
NetRange: 170.35.0.0 - 170.35.255.255
SuperPages bot traffic
Why is the SuperPages bot
a.) not obeying robots.txt
b.) getting referred from this web site: http://www.clearwatergazette.com
c.) hitting a site that we are not running super pages ads on...
The traffic is coming from:
OrgName: Idearc Media Corp
OrgID: IMC-97
Address: 2200 W Airfield Drive
City: DFW Airport
StateProv: TX
PostalCode: 75261
Country: US
NetRange: 151.138.0.0 - 151.138.255.255
Thursday, June 11, 2009
MSR-ISRCCrawler not obeying robots.txt
Strangely, MSR-ISRCCrawler checked robots.txt. It clearly says in our robots.txt file that this bot is disallowed. Then it proceeded to crawl our site anyway. Hmm...
Cogentco - bad traffic again.
38.100.41.112
Cogentco is at it again. Actually, when you look up this IP address now it doesn't say Cogentco anymore; it says PSINet, but it's the same thing. They are hitting our sites with clearly garbage traffic. We've blocked them and show a blatant error message telling them to stay away, and yet they persist.
It's pretty clear that the traffic in question is both automated and not valid as this particular IP: 38.100.41.112 has just hit all the pages in a site selling -- Christmas wreaths.
In June.
Cogentco / PSINet traffic is bad news. You may want to watch and potentially block it on your server.
OrgName: PSINet, Inc.
OrgID: PSI
Address: 1015 31st St NW
City: Washington
StateProv: DC
PostalCode: 20007
Country: US
NetRange: 38.0.0.0 - 38.255.255.255
Today's Robot.txt file
If you're trying to prevent most automated traffic except the major search engines on a particular web site, here's a robots.txt file. Note that not all of these are actually bots, and some things like the Python, Perl and Java agents running around the Internet and used by hackers don't obey or even check robots.txt, so you'll have to use other ways to monitor and handle that traffic on your web site.
User-Agent: FollowSiteBot
Disallow: /
User-Agent: nambu
Disallow: /
User-Agent: uberbot
Disallow: /
User-Agent: KaloogaBot
Disallow: /
User-Agent: Yeti
Disallow: /
User-Agent: Servage
Disallow: /
User-Agent: ServageRobot
Disallow: /
User-Agent: Trident
Disallow: /
User-Agent: uw_cse_xwc
Disallow: /
User-Agent: ZupeeCrawler
Disallow: /
User-Agent: Webspider
Disallow: /
User-Agent: LinkAider
Disallow: /
User-Agent: Axonize-bot
Disallow: /
User-Agent: ips-agent
Disallow: /
User-Agent: RiceComputerArchitecture
Disallow: /
User-Agent: AISearchBot
Disallow: /
User-Agent: flatlandbot
Disallow: /
User-Agent: FairShare
Disallow: /
User-Agent: SapphireWebCrawler
Disallow: /
User-Agent: LocalBot
Disallow: /
User-Agent: LaBot
Disallow: /
User-Agent: Butterfly
Disallow: /
User-Agent: robotgenius
Disallow: /
User-Agent: WillyBot
Disallow: /
User-Agent: GingerCrawler
Disallow: /
User-Agent:larbin
Disallow: /
User-Agent: ru_com_viewer
Disallow: /
User-Agent:Yandex
Disallow: /
User-Agent:yandex
Disallow: /
User-Agent:msnbot-media
Disallow: /
Sitemap: http://www.rainierrhododendrons.com/sitemap.xml
User-Agent:del.icio.us
Disallow: /
User-Agent:Sika
Disallow: /
User-Agent:whois.de
Disallow: /
User-Agent:Isidorus
Disallow: /
User-Agent:Yanga
Disallow: /
User-Agent:MSR-ISRCCrawler
Disallow: /
User-Agent:Snappybot
Disallow: /
User-Agent:Gaisbot
Disallow: /
User-Agent:SapphireWebCrawler
Disallow: /
User-Agent:BobCrawl
Disallow: /
User-Agent:OpenX
Disallow: /
User-Agent:Axonize-bot
Disallow: /
User-Agent:KaloogaBot
Disallow: /
User-Agent:kalooga
Disallow: /
User-Agent:OnTownsBot
Disallow: /
User-Agent:Cazoodle-Bot
Disallow: /
User-Agent: REAP-Crawler
Disallow: /
User-Agent: DotBot
Disallow: /
User-Agent: Gigabot
Disallow: /
User-Agent: NetcraftSurveyAgent
Disallow: /
User-Agent: SurveyBot
Disallow: /
User-Agent: DBLBot
Disallow: /
User-Agent: AISearchBot
Disallow: /
User-Agent: Charlotte
Disallow: /
User-agent: IntegraTelecom
Disallow: /
User-agent: PSIBots
Disallow: /
User-agent:Websense
Disallow: /
User-agent:HornySexSearch
Disallow: /
User-agent: SnapPreviewBot
Disallow: /
User-agent: Snoopy
Disallow: /
User-agent: libwww-perl
Disallow: /
User-agent: nexen
Disallow: /
User-agent: phpversion
Disallow: /
User-agent: attributor
Disallow: /
User-agent: Java
Disallow: /
User-agent: bsalsa
Disallow: /
User-agent: whoisde.de
Disallow: /
User-agent: envolk
Disallow: /
User-agent: QEAVis
Disallow: /
User-agent: NextGenSearchBot
Disallow: /
User-agent: boitho.com
Disallow: /
User-agent: boitho
Disallow: /
User-agent: Wget
Disallow: /
User-agent: Rankivabot
Disallow: /
User-agent: T-Online Browser
Disallow: /
User-agent: webalta
Disallow: /
User-agent: page_prefetcher
Disallow: /
User-agent: cyberpatrol
Disallow: /
User-agent: sitecat
Disallow: /
User-agent: cyberpatrolcrawler
Disallow: /
User-agent: internetseer
Disallow: /
User-agent: searchme
Disallow: /
User-agent: dcbot
Disallow: /
User-agent: scoutjet
Disallow: /
User-agent: sphsearch
Disallow: /
User-agent: exabot
Disallow: /
User-agent: NaverBot
Disallow: /
User-agent: naverbot
Disallow: /
User-agent: twiceler
Disallow: /
User-agent: zermelo
Disallow: /
User-agent: Moozilla
Disallow: /
User-agent: kyluka
Disallow: /
User-agent: scoutjet
Disallow: /
User-agent: baiduspider
Disallow: /
User-agent: MLBot
Disallow: /
User-agent: worio
Disallow: /
User-agent: turnitinbot
Disallow: /
User-agent: exooba
Disallow: /
User-agent: ViolaBot
Disallow: /
User-agent: speedyspider
Disallow: /
User-agent: becomebot
Disallow: /
# disallow Googlebot-Image
User-agent: Googlebot-Image
Disallow: /
User-agent: MJ12bot
Disallow: /
User-agent: QEAVis
Disallow: /
User-agent: VWBot
Disallow: /
User-agent: ShopWiki
Disallow: /
User-agent: SnapPreviewBot
Disallow: /
User-agent: panscient.com
Disallow: /
User-agent: panscient
Disallow: /
User-agent: sproose
Disallow: /
User-agent: voyager
Disallow: /
User-agent: grub
Disallow: /
User-agent: libwww-perl
Disallow: /
User-agent: OmniExplorer_Bot
Disallow: /
User-agent: Twiceler
Disallow: /
User-agent: WebDataCentreBot
Disallow: /
User-agent: OOZBOT
Disallow: /
User-agent: setooz
Disallow: /
User-agent: bsalsa
Disallow: /
User-agent: perl
Disallow: /
User-agent: botmobi
Disallow: /
User-agent: NextGenSearchBot
Disallow: /
User-agent: ASPSimply
Disallow: /
User-agent: Python-urllib
Disallow: /
User-agent: Moozilla
Disallow: /
User-agent: voilabot
Disallow: /
User-agent: WGet
Disallow: /
User-agent: obot
Disallow: /
User-agent: Java
Disallow: /
User-agent: libcurl-agent
Disallow: /
User-agent: phpversion
Disallow: /
User-agent: therarestparser
Disallow: /
User-agent: Jakarta Commons-HttpClient
Disallow: /
FollowSiteBot
The FollowSiteBot...
Not checking robots.txt like a good little bot...
FollowSiteBot came from this network today: 74.86.223.42
SoftLayer Technologies Inc. SOFTLAYER-4-4 (NET-74-86-0-0-1)
74.86.0.0 - 74.86.255.255
ASX Networks ApS NET-74-86-223-40 (NET-74-86-223-40-1)
74.86.223.40 - 74.86.223.47
Today's Bot Traffic - a lot of Twitter Referrals
We got hit with a lot of bots today. It seems that a great deal of this may be caused by Twitter posts. The columns below are hit count, source IP, user agent string and HTTP method, followed by the log's date fields. Note the two entries whose user agent string itself begins with "User-Agent:"; no browser sends that, it is a hand-written script that put the header name into the header value.
14 174.129.124.97 Mozilla/5.0 (compatible; NetcraftSurveyAgent/1.0; +info@netcraft.com) GET 6 2009 10
13 67.202.8.12 Mozilla/5.0 (compatible; NetcraftSurveyAgent/1.0; +info@netcraft.com) GET 6 2009 10
12 75.101.139.240 Python-urllib/1.17 GET 6 2009 10
11 174.129.123.212 Mozilla/5.0 (compatible; NetcraftSurveyAgent/1.0; +info@netcraft.com) GET 6 2009 10
8 216.24.131.119 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0 Me.dium/1.0 (http://me.dium.com) GET 6 2009 10
8 216.24.131.119 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0 Me.dium/1.0 (http://me.dium.com) HEAD 6 2009 10
6 64.73.66.94 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30618) GET 6 2009 10
6 195.210.57.83 Mozilla/5.0 (compatible; KaloogaBot; http://www.kalooga.com/info.html?page=crawler) GET 6 2009 10
6 130.76.32.16 Mozilla/4.0 (compatible;) GET 6 2009 10
5 216.100.200.126 Mozilla/4.0 (compatible;) GET 6 2009 10
3 130.76.32.181 Mozilla/4.0 (compatible;) GET 6 2009 10
3 174.129.168.229 Mozilla/5.0 (compatible; NetcraftSurveyAgent/1.0; +info@netcraft.com) GET 6 2009 10
2 174.129.118.37 Python-urllib/2.5 GET 6 2009 10
2 208.74.66.43 libwww-perl/5.825 GET 6 2009 10
2 174.129.89.199 Python-urllib/2.5 GET 6 2009 10
2 67.220.192.206 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7 (.NET CLR 3.5.30729) GET 6 2009 10
2 67.112.74.47 Mozilla/4.0 (compatible;) GET 6 2009 10
1 67.202.58.81 rdfbot/1.0 (rdfbotsupport AT rediffmailpro DOT com) GET 6 2009 10
1 69.58.178.33 Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12; ips-agent) Gecko/20050922 Fedora/1.0.7-1.1.fc4 Firefox/1.0.7 GET 6 2009 10
1 67.23.27.247 Nambu URL Destination Determinator +bot http://nambu.com GET 6 2009 10
1 67.23.27.250 Nambu URL Destination Determinator +bot http://nambu.com GET 6 2009 10
1 75.101.178.247 Mozilla/5.0 (compatible; NetcraftSurveyAgent/1.0; +info@netcraft.com) GET 6 2009 10
1 174.129.224.58 PycURL/7.19.0 GET 6 2009 10
1 174.129.104.29 Python-urllib/2.5 GET 6 2009 10
1 174.129.223.229 uberbot 1.0 HEAD 6 2009 10
Wednesday, June 10, 2009
Twitturly - bad bot on Amazon network
Whatever Twitturly is, it is not obeying robots.txt. It came from the Amazon network at this IP address: 174.129.88.144
Additionally it came in conjunction with a number of other bots that hit this particular site at the same time. I assume it was because the web site owner posted her site somewhere that is being monitored by bots. Unfortunately the bots seem to be misbehaving.
LocalBot not checking Robots.txt
Something coming from this IP: 121.138.194.106 called LocalBot is not checking robots.txt files. Annoying.
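An added example (not code from the original posts) that checks what a client which actually honours robots.txt would conclude from the file posted above, and then audits a constructed request log for the two failure modes described on this page: an agent that fetches robots.txt and crawls anyway (the MSR-ISRCCrawler post) and agents that never ask for it at all (the FollowSiteBot and LocalBot posts and the Python/Perl library agents). It uses Python's urllib.robotparser on an excerpt of the file; the request log, the 192.0.2.x addresses and the version suffixes on the agent names are constructed for the example.

```python
from urllib.robotparser import RobotFileParser

# Excerpt of the robots.txt posted above (the real file is much longer). The spacing
# quirk ("User-Agent:larbin") and the Sitemap line in the middle are kept on purpose
# to show that Python's parser accepts both.
ROBOTS_TXT = """\
User-Agent: MSR-ISRCCrawler
Disallow: /
User-Agent:larbin
Disallow: /
User-Agent:Yandex
Disallow: /
Sitemap: http://www.rainierrhododendrons.com/sitemap.xml
User-Agent: LocalBot
Disallow: /
User-Agent: FollowSiteBot
Disallow: /
User-agent: libwww-perl
Disallow: /
User-agent: Java
Disallow: /
User-agent: Python-urllib
Disallow: /
User-agent: Googlebot-Image
Disallow: /
"""


def load_robots(text=ROBOTS_TXT):
    """Parse robots.txt text the way a compliant Python client would (no network fetch)."""
    rp = RobotFileParser()
    rp.parse(text.splitlines())
    return rp


def allowed(ua, path="/", rp=None):
    """Verdict a client that honours robots.txt (with Python's matching rules) would reach."""
    return (rp or load_robots()).can_fetch(ua, path)


# Constructed request log: (client IP, user agent, path). 192.0.2.x are documentation
# addresses; the other addresses and agent names are the ones named in the posts above.
REQUESTS = [
    ("192.0.2.10", "MSR-ISRCCrawler/1.0", "/robots.txt"),
    ("192.0.2.10", "MSR-ISRCCrawler/1.0", "/"),
    ("192.0.2.10", "MSR-ISRCCrawler/1.0", "/wreaths.html"),
    ("74.86.223.42", "FollowSiteBot/1.0", "/"),
    ("121.138.194.106", "LocalBot/1.0", "/about.html"),
    ("75.101.139.240", "Python-urllib/1.17", "/"),
    ("192.0.2.20", "Googlebot/2.1 (+http://www.google.com/bot.html)", "/robots.txt"),
    ("192.0.2.20", "Googlebot/2.1 (+http://www.google.com/bot.html)", "/"),
]


def audit(requests=REQUESTS, rp=None):
    """For every (ip, agent) that fetched a path robots.txt denies it, report whether
    that same ip/agent ever fetched robots.txt. Returns {(ip, product token): verdict}."""
    rp = rp or load_robots()
    read_robots = {(ip, ua) for ip, ua, path in requests if path == "/robots.txt"}
    verdicts = {}
    for ip, ua, path in requests:
        if path == "/robots.txt" or rp.can_fetch(ua, path):
            continue  # fetching the file itself, or a path the file allows, is fine
        key = (ip, ua.split("/")[0])
        verdicts[key] = ("read robots.txt, crawled anyway" if (ip, ua) in read_robots
                         else "never read robots.txt")
    return verdicts


if __name__ == "__main__":
    for (ip, agent), verdict in audit().items():
        print(ip, agent, verdict)
```

Two behaviours of Python's parser are worth knowing when you read the file: it matches each User-Agent entry as a case-insensitive substring of the product token before the first "/", so the "Java" entry also catches a token such as JavaFX-Downloader and the Yandex/yandex pair is redundant, while a crawler that names itself only inside the parenthesised comment of a "Mozilla/5.0 (compatible; ...)" string is not matched by that entry at all. Other crawlers apply their own matching rules. Either way the file is a request, not a control, which is why the server-side audit is the check that counts: the agents this page complains about simply do not read it.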
Tons of hits from 204.16.231.98 - Sparkplug, Inc.
Not sure why, but our web sites are getting what seems to be an excessive number of hits from the Sparkplug, Inc. network in Chicago.
The particular IP address doing the traffic generation is: 204.16.231.98
OrgName: Sparkplug, Inc.
OrgID: SPARK-3
Address: 303 W. Erie
Address: Suite 300
City: Chicago
StateProv: IL
PostalCode: 60610
Country: US
NetRange: 204.16.228.0 - 204.16.231.255
The traffic hitting our server seems to be focused on a particular web site that serves the local customers of a particular business, who are not in Chicago.
Maybe this is just someone admiring the work on our web sites, I am not sure...seems a little odd however.
Tuesday, June 09, 2009
VeriSign - unwanted traffic
Why is Verisign hitting our sites repeatedly with unwanted traffic?
This IP address: 69.58.178.33 was hitting one of our sites repeatedly from 6/8/2009 8:19:33 PM to 6/8/2009 8:19:57 PM.
So what? The site is advertising the sale of Christmas wreaths and this is JUNE. It's the middle of the summer and obviously no one at Verisign is interested in buying Christmas wreaths.
The IP or computer/server at Verisign scanned this site and hit 25 different pages in those 24 seconds. Obviously this is not someone reviewing the site to buy something; there is some automated software on this server at Verisign doing something to our servers, who knows for what or why. It definitely was not for any service requested by us.
Here's the Verisign network in question:
OrgName: VeriSign Infrastructure & Operations
OrgID: VIO-2
Address: 21345 Ridgetop Circle
City: Dulles
StateProv: VA
PostalCode: 20166
Country: US
NetRange: 69.58.176.0 - 69.58.191.255
Norton - Update Not Working?
I set up Norton Anti-Virus on a new machine recently and when I did, I noticed that it looked different than the version of Norton running on my other machine. I installed Norton on this other machine probably close to a year ago but I have updated it regularly since then.
So is the problem that Norton Antivirus is not actually updating, or that if you have an old version they just leave parts of it intact so it doesn't look completely like the new version?
With this and my last post about Adobe Acrobat, it seems like you may want to frequently uninstall and reinstall certain software that may have been affected by malware or viruses.
Perhaps vendors also need to provide a better way to verify that their update process is working.
Adobe Acrobat Reader - Update Not Working?
I typically update all my software fairly regularly. I noticed a while ago that I still had an old version of Adobe Acrobat Reader even after running the updates many times. I finally decided to uninstall Adobe Acrobat Reader 8.something so I could install the latest version.
I was reminded that I need to do this when I went to the Secunia web site and saw the latest Adobe Acrobat Reader advisory - which unfortunately includes version 9:
Adobe Acrobat Reader - Memory Corruption Vulnerability
This particular vulnerability above is only confirmed for Linux but chances are it occurs on other operating systems as well.
Additionally, someone I know was recently using Adobe Reader when some rogue JavaScript code caused problems on one of his machines, which is how I got into looking at the whole Adobe Acrobat Reader update problem in the first place.
Interestingly enough, after uninstalling Adobe Acrobat Reader version 8, I went to the Adobe web site, clicked the link to install the most recent version, and got an error saying my IP was blocked. OK, so I'll just jump on a different network. That IP was blocked too. That's odd. I went to a completely different machine and was able to click the download link. Then I came back to document all of this in my blog, and suddenly I can download again.
One thing I don't like about Adobe's web site is that the download is served over HTTP, not HTTPS. How do we know the bytes aren't getting altered in transit?
Monday, June 08, 2009
Rundll.exe and task manager
When I pulled up task manager a process - I think using rundll.exe was running and disappeared shortly after opening the task manager. I have noticed a lot of times when I open the task manager whatever was hung up on my computer suddenly starts working. This leads me to wonder if some malware is designed to automatically shut off if the task manager is opened as users are getting hip to the fact that extraneous processes running could mean trouble...
Would be nice to have a button in task manager to easily get to some log of what was recently running on your computer as well as what is currently running.
Thursday, June 04, 2009
Malware - DigExt?
A user crossed our site today and hit it with numerous bad URLs, obviously looking for some type of hack.
Time/Date: 6/4/2009 9:04:23 PM
The user agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt)
IP Address: 204.16.231.98
They came from this network:
OrgName: Sparkplug, Inc.
OrgID: SPARK-3
Address: 303 W. Erie
Address: Suite 300
City: Chicago
StateProv: IL
PostalCode: 60610
Country: US
ReferralServer: rwhois://rwhois.sparkplugbb.net:4321/
NetRange: 204.16.228.0 - 204.16.231.255
Hotstocked.com - RateItAll
Had problems with web sites posting incorrect or harmful information about you and having a problem getting it removed?
You can post your comments about these web sites at RateItAll.com
For instance someone I know is having problems getting their name removed from HotStocked.com which has posted a lot of incorrect information about people and refuses to remove it upon request.
Add your comments about HotStocked.com:
http://www.rateitall.com/i-995297-hotstockedcom.aspx
For an example of the type of posts you'll find on Hotstocked.com, which are derogatory and probably personal attacks and altercations rather than useful information, search the site for negative postings about people and for removal requests that have not been granted. I'm sure you'll quickly find that Hotstocked.com is full of spammy, personal content and most likely fabricated information about people, posted by those who dislike them for whatever reason.
Wednesday, June 03, 2009
Moozilla
We get repeated hits from a user agent called Moozilla. The hits will come from a bunch of different IP addresses on the Netscape/AOL network in succession. Sample hits:
6/1/2009 17:46 207.200.116.73 Moozilla
6/1/2009 17:46 207.200.116.131 Moozilla
6/1/2009 17:46 207.200.116.135 Moozilla
6/1/2009 17:46 207.200.116.136 Moozilla
6/1/2009 17:46 207.200.116.5 Moozilla
6/1/2009 17:46 207.200.116.12 Moozilla
6/1/2009 17:46 207.200.116.135 Moozilla
6/1/2009 17:46 207.200.116.136 Moozilla
6/1/2009 17:46 207.200.116.5 Moozilla
6/1/2009 17:46 207.200.116.12 Moozilla
6/1/2009 17:46 207.200.116.67 Moozilla
6/1/2009 17:46 207.200.116.6 Moozilla
6/1/2009 17:46 207.200.116.65 Moozilla
We have sent specific messaging back to this bot or software and contacted AOL about the problem but the particular traffic continues. When this particular software hits, it generates hundreds of hits on our web site in succession and does not behave like a normal web user.
The network reported generating this traffic is Netscape (now owned by AOL).
OrgName: Netscape Communications Corp.
OrgID: NSCP
Address: 501 E. Middlefield
City: Mountain View
StateProv: CA
PostalCode: 94043
Country: US
NetRange: 207.200.64.0 - 207.200.127.255
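The Moozilla traffic above is recognisable less by any single request than by its shape: the same user agent, many addresses in one /24, hundreds of hits within the same minute. The following detector is an added example and is not code from the original post; it assumes the log layout of the sample lines (date, time, IP, user agent) and uses those lines, plus two constructed ordinary visitors as a control, as its input.

```python
"""Flag bursts of hits that share a user agent and a /24 network.

Added example; not code from the original post. The field layout
(date, time, IP, user agent) is assumed from the post's sample lines.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Sample input: the post's Moozilla hits, plus two constructed ordinary
# visitors (198.51.100.7, 203.0.113.9) as a control that must not fire.
SAMPLE_LOG = """\
6/1/2009 17:46 207.200.116.73 Moozilla
6/1/2009 17:46 207.200.116.131 Moozilla
6/1/2009 17:46 207.200.116.135 Moozilla
6/1/2009 17:46 207.200.116.136 Moozilla
6/1/2009 17:46 207.200.116.5 Moozilla
6/1/2009 17:46 207.200.116.12 Moozilla
6/1/2009 17:46 207.200.116.135 Moozilla
6/1/2009 17:46 207.200.116.136 Moozilla
6/1/2009 17:46 207.200.116.5 Moozilla
6/1/2009 17:46 207.200.116.12 Moozilla
6/1/2009 17:46 207.200.116.67 Moozilla
6/1/2009 17:46 207.200.116.6 Moozilla
6/1/2009 17:46 207.200.116.65 Moozilla
6/1/2009 17:47 198.51.100.7 Mozilla/5.0 (Windows; U; Windows NT 5.1)
6/1/2009 17:47 203.0.113.9 Mozilla/5.0 (Windows; U; Windows NT 5.1)
"""


def parse_line(line):
    """Return (minute, ip, user_agent) for one 'date time ip ua' line.

    maxsplit=3 keeps a user agent that contains spaces in one piece.
    """
    date, time, ip, ua = line.split(maxsplit=3)
    return f"{date} {time}", ip_address(ip), ua


def find_bursts(log_text, min_hits=5, min_distinct_ips=3):
    """Group hits by (minute, /24 network, user agent) and return the
    groups that exceed both thresholds: many hits, from several distinct
    addresses in the same subnet, with the same user agent, inside one
    minute. A single visitor reloading a page stays below the distinct
    IP threshold; a normal audience is spread over many networks.
    """
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        minute, ip, ua = parse_line(line)
        net = ip_network(f"{ip}/24", strict=False)
        groups[(minute, str(net), ua)].append(ip)

    bursts = []
    for (minute, net, ua), ips in groups.items():
        if len(ips) >= min_hits and len(set(ips)) >= min_distinct_ips:
            bursts.append({
                "minute": minute,
                "network": net,
                "user_agent": ua,
                "hits": len(ips),
                "distinct_ips": len(set(ips)),
            })
    return sorted(bursts, key=lambda b: -b["hits"])


if __name__ == "__main__":
    for burst in find_bursts(SAMPLE_LOG):
        print(burst)
```

The result for the sample is one burst: 207.200.116.0/24, user agent Moozilla, 13 hits from 9 distinct addresses in the 17:46 minute, which is exactly the pattern the post describes. The thresholds are deliberately parameters; tune them against a day of your own logs before acting on the output, and treat a match as a reason to look, not an automatic block.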
SurveyBot - Compass Communications
The SurveyBot from Whois.sc, hosted at Compass Communications and apparently located at the Westin Building in Seattle, is not obeying our robots.txt files.
OrgName: Compass Communications, Inc.
OrgID: CPCM
Address: 2001 6th Avenue
Address: Suite 3205
City: Seattle
StateProv: WA
PostalCode: 98121
Country: US
NetRange: 216.145.0.0 - 216.145.31.255
Some others have been asking about this particular bot on forums:
Compass Communications
I do not particularly appreciate the fact that they scrape web content during their visits.
Tuesday, June 02, 2009
Another Google Bot Impostor
Just got hit by another Google bot impostor:
216.240.151.50
6/2/2009 4:20:59 PM
Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
OrgName: ATMLINK, INC.
OrgID: ATMLIN
Address: 600 W. 7th Street
Address: Suite 360
City: Los Angeles
StateProv: CA
PostalCode: 90017
Country: US
NetRange: 216.240.128.0 - 216.240.159.255
AT&T Wireless Doesn't Report Accurate Location
Interesting - Using AT&T Wireless card in Seattle reports an IP address that makes it look like I'm in Florida.
OrgName: AT&T Global Network Services, LLC
OrgID: ATGS
Address: 3200 Lake Emma Road
City: Lake Mary
StateProv: FL
PostalCode: 32746
Country: US
NetRange: 32.0.0.0 - 32.255.255.255
Sunday, May 31, 2009
More Google Imposters
It appears (unless Google has Googlebots in the cloud and on various little networks all over the place, which I doubt after looking up these particular IP address networks) that there are some Googlebot impersonators out there. It would seem that these really are impersonators because not only are these requests not coming from Google networks, they seem to be interested in only a few sites, not all the sites on our server. They are particularly interested in travel and real estate web sites. Check your logs: if the IP addresses for Googlebots are not coming from Google networks, you probably want to block them from viewing your web sites. They can only be up to no good.
Here are the Google impostor IP addresses:
2 2009 5 12.20.32.67 Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
1 2009 5 151.84.166.1 Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
8 2009 5 209.7.26.158 Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
25 2009 5 216.177.164.100 Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
1 2009 5 216.240.151.50 Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
152 2009 4 24.44.206.249 Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
1 2009 5 65.213.90.26 Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
87 2009 4 68.238.131.215 Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
1 2009 4 69.116.160.44 Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
1 2009 5 69.116.160.44 Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
1 2009 5 69.70.64.94 Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
1 2009 5 70.101.224.174 Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
1 2009 5 71.116.210.34 Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
79 2009 4 71.43.155.145 Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
2 2009 4 74.169.43.199 Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
1 2009 4 74.243.24.159 Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
57 2009 4 74.243.25.64 Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
10 2009 5 75.146.149.53 Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
1 2009 5 76.249.223.78 Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
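Looking up each address by hand, as the posts above do, does not scale, and a whois org name alone is not the check Google publishes for its crawler. Google's documented verification is a two-step DNS check: reverse-resolve the IP, require the name to end in googlebot.com or google.com, then forward-resolve that name and require it to map back to the same IP (the forward step is what defeats a forged PTR record). The script below is an added example, not code from the original post. It parses lines in the layout shown above (hits, year, month, IP, user agent); the DNS answers come from a constructed stub so it runs offline, with 66.249.66.1 and its crawl-…googlebot.com name an assumed illustrative pair inside the Google range quoted elsewhere on this page, and 203.0.113.50 a constructed address with a forged googlebot.com PTR.

```python
"""Verify whether hits claiming to be Googlebot really come from Google.

Added example; not code from the original post. Implements Google's
published reverse-then-forward DNS check. The stub resolver and all
hostnames in it are constructed for the example.
"""
import socket

# Constructed lines in the post's layout: hits, year, month, IP, user agent.
SAMPLE_LOG = """\
2 2009 5 12.20.32.67 Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
152 2009 4 24.44.206.249 Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
3 2009 5 66.249.66.1 Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
4 2009 5 203.0.113.50 Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
9 2009 5 198.51.100.20 Mozilla/5.0 (Windows; U; Windows NT 5.1)
"""

# Stub DNS data (constructed): 66.249.66.1 has a consistent PTR/A pair;
# 24.44.206.249 reverse-resolves to a non-Google name; 12.20.32.67 has no
# PTR at all; 203.0.113.50 has a PTR that claims googlebot.com but whose
# forward lookup points elsewhere, i.e. a forged reverse record.
STUB_PTR = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com",
    "24.44.206.249": "host-24-44-206-249.example.net",
    "203.0.113.50": "crawl-66-249-66-1.googlebot.com.example.org",
}
STUB_A = {
    "crawl-66-249-66-1.googlebot.com": ["66.249.66.1"],
    "host-24-44-206-249.example.net": ["24.44.206.249"],
}


def stub_reverse(ip):
    return STUB_PTR.get(ip)


def stub_forward(host):
    return STUB_A.get(host, [])


def live_reverse(ip):
    """Real PTR lookup; None when the address has no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def live_forward(host):
    """Real A lookup; empty list when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(host)[2]
    except OSError:
        return []


GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")


def is_real_googlebot(ip, reverse=live_reverse, forward=live_forward):
    """True only if the PTR name is under a Google crawler domain AND the
    forward lookup of that name returns the original address."""
    host = reverse(ip)
    if not host or not host.lower().endswith(GOOGLE_SUFFIXES):
        return False
    return ip in forward(host)


def parse_line(line):
    hits, year, month, ip, ua = line.split(maxsplit=4)
    return int(hits), ip, ua


def classify(log_text, reverse=live_reverse, forward=live_forward):
    """Return {ip: 'verified' | 'impostor'} for every line whose user
    agent claims to be Googlebot; other user agents are not judged."""
    verdicts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _hits, ip, ua = parse_line(line)
        if "Googlebot" not in ua:
            continue
        ok = is_real_googlebot(ip, reverse, forward)
        verdicts[ip] = "verified" if ok else "impostor"
    return verdicts


if __name__ == "__main__":
    # Offline run against the stub; swap in live_reverse/live_forward
    # (the defaults) to check real log lines.
    for ip, verdict in classify(SAMPLE_LOG, stub_reverse, stub_forward).items():
        print(f"{ip:16} {verdict}")
```

The forged-PTR case (203.0.113.50) is why the suffix test alone is not enough: anyone who controls the reverse zone for their own address can put "googlebot.com" somewhere in the name, but they cannot make Google's forward zone answer with their address. An address that fails the check and still sends the Googlebot string is the impostor the post describes, and blocking it costs nothing in search visibility.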
Google Impostor - CoreExpress
There's a Google impostor in our logs - unless Google is on the Core Express network.
On 3/4/2009 4:47:01 AM someone at this IP address: 64.69.46.217 was putting GoogleBot in their user agent.
OrgName: CoreExpress
OrgID: COEX
Address: 600 W. 7th Street
Address: Suite 360
City: Los Angeles
StateProv: CA
PostalCode: 90017
Country: US
NetRange: 64.69.32.0 - 64.69.47.255
Saturday, May 30, 2009
owssvr.dll - attempted access
This IP: 71.112.91.22 on the Verizon network was trying to access an IE component on our site that does not exist:
/_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=6211&STRMVER=4&CAPREQ=0
Friday, May 29, 2009
Robots.txt - More bots than people
Is your web site getting more hits from bots than people? You might want to try this in your robots.txt file. It blocks out a lot of bots we've seen but not major search engines. Alter as desired:
User-Agent: OnTownsBot
Disallow: /
User-Agent: ServageRobot
Disallow: /
User-Agent: uw_cse_xwc
Disallow: /
User-Agent: ZupeeCrawler
Disallow: /
User-Agent: uberbot
Disallow: /
User-Agent: Axonize-bot
Disallow: /
User-Agent: ips-agent
Disallow: /
User-Agent: RiceComputerArchitecture
Disallow: /
User-Agent: AISearchBot
Disallow: /
User-Agent: flatlandbot
Disallow: /
User-Agent: FairShare
Disallow: /
User-Agent: SapphireWebCrawler
Disallow: /
User-Agent: LocalBot
Disallow: /
User-Agent: LaBot
Disallow: /
User-Agent: Butterfly
Disallow: /
User-Agent: robotgenius
Disallow: /
User-Agent: WillyBot
Disallow: /
User-Agent: GingerCrawler
Disallow: /
User-Agent:larbin
Disallow: /
User-Agent: ru_com_viewer
Disallow: /
User-Agent:Yandex
Disallow: /
User-Agent:yandex
Disallow: /
User-Agent:msnbot-media
Disallow: /
Sitemap: http://www.rainierrhododendrons.com/sitemap.xml
User-Agent:del.icio.us
Disallow: /
User-Agent:Sika
Disallow: /
User-Agent:whois.de
Disallow: /
User-Agent:Isidorus
Disallow: /
User-Agent:Yanga
Disallow: /
User-Agent:MSR-ISRCCrawler
Disallow: /
User-Agent:Snappybot
Disallow: /
User-Agent:Gaisbot
Disallow: /
User-Agent:SapphireWebCrawler
Disallow: /
User-Agent:BobCrawl
Disallow: /
User-Agent:OpenX
Disallow: /
User-Agent:Axonize-bot
Disallow: /
User-Agent:KaloogaBot
Disallow: /
User-Agent:kalooga
Disallow: /
User-Agent:OnTownsBot
Disallow: /
User-Agent:Cazoodle-Bot
Disallow: /
User-Agent: REAP-Crawler
Disallow: /
User-Agent: DotBot
Disallow: /
User-Agent: Gigabot
Disallow: /
User-Agent: NetcraftSurveyAgent
Disallow: /
User-Agent: SurveyBot
Disallow: /
User-Agent: DBLBot
Disallow: /
User-Agent: AISearchBot
Disallow: /
User-Agent: Charlotte
Disallow: /
User-agent: IntegraTelecom
Disallow: /
User-agent: PSIBots
Disallow: /
User-agent:Websense
Disallow: /
User-agent:HornySexSearch
Disallow: /
User-agent: SnapPreviewBot
Disallow: /
User-agent: Snoopy
Disallow: /
User-agent: libwww-perl
Disallow: /
User-agent: nexen
Disallow: /
User-agent: phpversion
Disallow: /
User-agent: attributor
Disallow: /
User-agent: Java
Disallow: /
User-agent: bsalsa
Disallow: /
User-agent: whoisde.de
Disallow: /
User-agent: envolk
Disallow: /
User-agent: QEAVis
Disallow: /
User-agent: NextGenSearchBot
Disallow: /
User-agent: boitho.com
Disallow: /
User-agent: boitho
Disallow: /
User-agent: Wget
Disallow: /
User-agent: Rankivabot
Disallow: /
User-agent: T-Online Browser
Disallow: /
User-agent: webalta
Disallow: /
User-agent: page_prefetcher
Disallow: /
User-agent: cyberpatrol
Disallow: /
User-agent: sitecat
Disallow: /
User-agent: cyberpatrolcrawler
Disallow: /
User-agent: internetseer
Disallow: /
User-agent: searchme
Disallow: /
User-agent: dcbot
Disallow: /
User-agent: scoutjet
Disallow: /
User-agent: sphsearch
Disallow: /
User-agent: exabot
Disallow: /
User-agent: NaverBot
Disallow: /
User-agent: naverbot
Disallow: /
User-agent: twiceler
Disallow: /
User-agent: zermelo
Disallow: /
User-agent: Moozilla
Disallow: /
User-agent: kyluka
Disallow: /
User-agent: scoutjet
Disallow: /
User-agent: baiduspider
Disallow: /
User-agent: MLBot
Disallow: /
User-agent: worio
Disallow: /
User-agent: turnitinbot
Disallow: /
User-agent: exooba
Disallow: /
User-agent: ViolaBot
Disallow: /
User-agent: speedyspider
Disallow: /
User-agent: becomebot
Disallow: /
# disallow Googlebot-Image
User-agent: Googlebot-Image
Disallow: /
User-agent: MJ12bot
Disallow: /
User-agent: QEAVis
Disallow: /
User-agent: VWBot
Disallow: /
User-agent: ShopWiki
Disallow: /
User-agent: SnapPreviewBot
Disallow: /
User-agent: panscient.com
Disallow: /
User-agent: panscient
Disallow: /
User-agent: sproose
Disallow: /
User-agent: voyager
Disallow: /
User-agent: grub
Disallow: /
User-agent: libwww-perl
Disallow: /
User-agent: OmniExplorer_Bot
Disallow: /
User-agent: Twiceler
Disallow: /
User-agent: WebDataCentreBot
Disallow: /
User-agent: OOZBOT
Disallow: /
User-agent: setooz
Disallow: /
User-agent: bsalsa
Disallow: /
User-agent: perl
Disallow: /
User-agent: botmobi
Disallow: /
User-agent: NextGenSearchBot
Disallow: /
User-agent: ASPSimply
Disallow: /
User-agent: Python-urllib
Disallow: /
User-agent: Moozilla
Disallow: /
User-agent: voilabot
Disallow: /
User-agent: WGet
Disallow: /
User-agent: obot
Disallow: /
User-agent: Java
Disallow: /
User-agent: libcurl-agent
Disallow: /
User-agent: phpversion
Disallow: /
User-agent: therarestparser
Disallow: /
User-agent: Jakarta Commons-HttpClient
Disallow: /
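Before deploying a long block list like the one above it is worth checking how a real parser reads it, because which User-agent line a given bot matches is decided by the bot, not by the file. The script below is an added example, not code from the original post; it feeds a constructed excerpt of the file (with blank lines between groups, the record separator the original convention expects) to Python's standard-library parser and asks it which of several constructed user agent strings would be kept out.

```python
"""Test which user agents a robots.txt blocks, with Python's standard parser.

Added example; not code from the original post. ROBOTS_TXT is a
constructed excerpt of the post's file; the user agent strings tested
are constructed samples of what such clients send.
"""
from urllib.robotparser import RobotFileParser

ROBOTS_TXT = """\
User-agent: Moozilla
Disallow: /

User-agent: SurveyBot
Disallow: /

User-agent: Twiceler
Disallow: /

User-agent: Java
Disallow: /

User-agent: Python-urllib
Disallow: /

User-agent: libwww-perl
Disallow: /

# disallow Googlebot-Image
User-agent: Googlebot-Image
Disallow: /

Sitemap: http://www.example.com/sitemap.xml
"""

# Constructed user agent strings (assumed formats, not taken from the post).
SAMPLE_AGENTS = [
    "Moozilla",
    "Twiceler-0.9 (http://www.cuil.com/twiceler/robot.html)",
    "Mozilla/5.0 (Twiceler-0.9 http://www.cuil.com/twiceler/robot.html)",
    "Java/1.6.0_07",
    "Python-urllib/2.6",
    "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "Googlebot-Image/1.0",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1)",
]


def load_rules(text):
    """Parse robots.txt text into a RobotFileParser without fetching it."""
    rp = RobotFileParser()
    rp.parse(text.splitlines())
    return rp


def is_allowed(rp, user_agent, path="/"):
    """RobotFileParser takes the token before the first '/' of the user
    agent string, lower-cases it, and checks whether any User-agent value
    is a substring of it. An agent that matches no group is allowed.
    """
    return rp.can_fetch(user_agent, path)


def audit(text, agents, path="/"):
    """Map each user agent string to True (may fetch path) or False."""
    rp = load_rules(text)
    return {ua: is_allowed(rp, ua, path) for ua in agents}


if __name__ == "__main__":
    for ua, ok in audit(ROBOTS_TXT, SAMPLE_AGENTS).items():
        print(f"{'allowed' if ok else 'BLOCKED':8} {ua}")
```

Two results are instructive. "Java" blocks "Java/1.6.0_07" and "Googlebot-Image" blocks "Googlebot-Image/1.0" without touching "Googlebot/2.1", so short tokens do work, but the constructed "Mozilla/5.0 (Twiceler-0.9 …)" string is allowed because this parser only looks at the leading "Mozilla" token; a crawler that hides its name inside the comment is matched only if its own parser looks there. More to the point of the posts on this page, robots.txt is a request: Twiceler and SurveyBot are recorded above as ignoring it, so the file reduces traffic from cooperative bots and nothing else. Treat it as the first layer and keep server-side user agent or address blocking for the rest.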
facebookexternalhit/1.0 (+http://www.facebook.com/externalhit_uatext.php)
Facebook external hits are apparently blocking the end user IP that clicked on the link. This makes it a bit difficult to ensure your web site is secure by blocking bad user agents and track who is visiting your web site. I wish they would stop doing this and send the information of the end user that clicked the link instead if that is what this user agent is all about.
InfoUsa - Spam, Junkmail, Telemarketing
Getting hit by a bot from this network which is selling leads...Guess where they find them....by scraping them off web sites apparently.
OrgName: InfoUSA
OrgID: INFOUS
Address: 5711 S. 86th Cir
City: Omaha
StateProv: NE
PostalCode: 68127
Country: US
NetRange: 199.125.8.0 - 199.125.14.255
ClosedChannelException
Getting a bunch of closed channel exceptions (http://java.sun.com/j2se/1.5.0/docs/api/java/nio/channels/ClosedChannelException.html) from this IP in Florida:
32.156.248.113
OrgName: AT&T Global Network Services, LLC
OrgID: ATGS
Address: 3200 Lake Emma Road
City: Lake Mary
StateProv: FL
PostalCode: 32746
Country: US
NetRange: 32.0.0.0 - 32.255.255.255
Not sure why we get a series of these from various IPs and infrequently. The IP mentioned in an earlier post sent about 500 of these which was more than any other IP to date by far. They must have been doing something other normal web visitors don't do. Other IP addresses are sending a few of these randomly - maybe a couple of IPs per day with these errors showing up in the logs.
GingerCrawler
GingerCrawler was hitting our sites today. Apparently it has something to do with collecting information about the English language to help people with dyslexia. Aren't there enough books and documents available to help with this that would not require crawling the Internet and web pages? Not sure I get this, but anyway it's more traffic on our sites we don't need as far as I can tell.
DoCoMo - calling itself a Googlebot
This is interesting - getting hits from user agent DoCoMo which is listing itself as a Googlebot:
DoCoMo/2.0 N905i(c100;TB;W24H16) (compatible; Googlebot-Mobile/2.1; +http://www.google.com/bot.html)
I looked it up and it is in fact on the Google network:
OrgName: Google Inc.
OrgID: GOGL
Address: 1600 Amphitheatre Parkway
City: Mountain View
StateProv: CA
PostalCode: 94043
Country: US
NetRange: 66.249.64.0 - 66.249.95.255
I looked into this further and apparently Google and Japanese mobile carrier NTT DoCoMo have formed some sort of partnership:
Google DoCoMo Partnership
twiceler
The Twiceler robot is not obeying robots.txt file.
This bot repeatedly hits our web sites even though the robots.txt file on each one lists it as a bot that should stay off our sites.
Additionally, when I went to the link below it says page not found. Bad bot all around!
http://www.cuil.com/twiceler/robot.htm
It's coming from that same old repeat offender network that starts with the number 38 -- which you might want to block if you are experiencing the same problems:
38.99.13.119
OrgName: PSINet, Inc.
OrgID: PSI
Address: 1015 31st St NW
City: Washington
StateProv: DC
PostalCode: 20007
Country: US
ReferralServer: rwhois://rwhois.cogentco.com:4321/
NetRange: 38.0.0.0 - 38.255.255.255
ru_com_viewer larbin2.6.3@unspecified.mail
Seeing a new bot in the logs: ru_com_viewer
I can only guess that this is something that fetches pages for viewing by Russian users based on "ru" but that's only a guess.
This bot is using the larbin web crawler.
We'll see if they obey robots.txt or not.
Coming from Vrtservers network:
OrgName: Vrtservers, Inc
OrgID: VRTSE
Address: 801 S. Grand Ave #1204
City: Los Angeles
StateProv: CA
PostalCode: 90017
Country: US
ReferralServer: rwhois://rwhois.vrtservers.net:4321
NetRange: 64.56.64.0 - 64.56.79.255
Thursday, May 28, 2009
Integra Telecom - More strange traffic
458 hits on the same image gif today by this IP address: 68.178.4.202 which is in the Integra Telecom network in Oregon:
OrgName: Integra Telecom, Inc.
OrgID: ITCM
Address: 1201 NE Lloyd
Address: Suite 500
City: Portland
StateProv: OR
PostalCode: 97232
Country: US
ReferralServer: rwhois://whois.integraonline.com:43
NetRange: 68.178.0.0 - 68.178.127.255
Not sure why we get so much strange traffic from the Integra Telecom network.
Monday, May 25, 2009
Yahoo doesn't support end to end TLS
Yahoo servers do not support end to end TLS. I tried to enforce this and various users complained that they could not email me due to this problem. I could email them so apparently Yahoo supports inbound but not outbound TLS. I would suggest if you are a politician or anyone else who doesn't particularly want their email being read by others - don't use Yahoo. Or any other email provider that does not support end to end TLS.
End to end TLS is probably not foolproof but not having it is definitely just asking for someone to read your email.
Additionally I don't think those who use such insecure forms of communication should be entrusted with our national security either. This is not a political statement. If those running for president and vice president are not informed on secure communications, or don't have advisers who can inform them on such things while they are running for one of the highest positions in our country, then they probably are not good candidates to enforce national security. Which party they are affiliated with is not the point. Information security is crucial for homeland security.
Google Adsense - not working?
Google Adsense is doing something very strange. On a home page advertising in a specific industry of local businesses it is displaying ads for IE8, Verisign and Splunk? What? This is a non-tech site and has no words related to such topics. Why is Google Adsense showing these unrelated links? Is it a bug in Google? Has someone hijacked something? What is going on...
Friday, May 22, 2009
Google Ad Competitor Filtering Not Working
I block certain domains in Google's competitor ad filtering and it doesn't work. I go back to the site and the ads are still there from competitors and unrelated sites I have blocked.
Additionally Google should allow blocking by keywords in ads and landing pages rather than URLs, otherwise some companies just keep changing their domain names and putting up new URLs.
If Google wants to get more people to use AdSense they have to provide a way to do it in such a way that the competition cannot basically steal traffic from a site.
The other thing I find odd is that when coming from my home IP address I get ads relevant to content. Coming from an IP on my VPN I get a bunch of completely unrelated ads. Huh?
Tuesday, May 19, 2009
Postini Blocking People that Aren't Blocked
Having Postini problems again. Postini is blocking people from IP addresses that I have not blocked in my system. Gathering the information to prove this is a royal pain - not to mention that I don't know how many people I don't know personally who are trying to email me this way are getting blocked.
Does anyone out there besides me consider the fact that if people you don't know who are potential customers are emailing you and they get directed somewhere else and think it is you - that you may be losing business and never even know it?
Everyone has been pooh-poohing my email and security concerns for quite a while. I'd say a majority of them have turned out to be true. I'm trying to figure out a way to better validate email - where it is coming from and where it is going - and that emails are getting to the people I think they are - and only the people I want to read them.
I am still not convinced there is any such secure email solution in existence at this time.
Google AdSense - Specifying Advertisers Didn't Work
I just used Google AdSense and tried entering specifications to only allow ads from specific advertisers. It didn't work. I kept getting ads from everyone.
Thursday, May 14, 2009
Downloaded Software - Permissions Wish List
It would be very cool if Microsoft and other operating systems would allow you to configure permissions for each executable and what they can access in the system (if there is not a way to do this already).
For instance, I just downloaded some code from some guy I never met that had something I needed posted in a newsgroup. The guy's been on the newsgroup for a while but how do I know he's legit? He sent me exe's not source code so who knows what's in that - but I really need this little functionality because it will save me a ton of time.
So anyway, I'm sitting here debating if I should use this thing or not and that's when I was thinking it would be really cool if I could just right click on this little exe and set up permissions for it - whether or not it can access the Internet inbound or outbound - specify which IPs and ports it can access for some internal testing I need to do with it (it is related to TCP/IP and sockets). Additionally I would like to be able to specify which user accounts it can run under and what directories and files it can access - and whether it can read/write/modify/delete those files or in those directories.
It would also be nice if I could set my default permissions for new files and executables and then alert me if some exe or program of some sort is trying to access something for which it doesn't have permission and let me decide if I want to give it permission or not.
Saturday, May 09, 2009
Email Providers - Half a TLS Solution
Recently a person I had problems emailing due to issues with Postini told me that they were responding to my messages - but I am not getting them. I had looked up this person's mail server information and it looks as though that mail server supports TLS. However apparently that is only TLS inbound, and not outbound.
What is the point of mail services that only provide one way TLS encryption? That's only half a solution.
I believe the mail provider in this case is BlueHost - an ISP which I believe is out of Denver - however there are so many other webmail and Exchange and other mail solutions that do not provide two way TLS encryption it is almost impossible to find a complete end to end solution.
In fact, if you try to find a mail provider that does provide two way TLS enforcement that works with Exchange and allows you to have your own Postini account...good luck.
On top of that even if you find TLS enforcement both ways, I've been following the email list from the IETF on TLS and apparently depending on how each aspect of TLS is set up and implemented may affect whether or not the particular implementation of TLS is actually very secure. It's like a chain - and a chain is only as strong as its weakest link.
I'm not a TLS expert but I can figure out enough from reading what's going on that there may be one small piece of the TLS implementation that basically undermines the whole set up.
Friday, May 01, 2009
Firefox 3.0.10 - listening for INCOMING requests?
Just installed 3.0.10
Norton reports this version of Firefox is listening for INCOMING requests? Why?
When I block this, Firefox doesn't work.
HTTP is to go out, get info and pull it down, not listen for and allow other computers to connect to my machine. What is going on here?
Saturday, April 25, 2009
Calls on Inactive Number
It is interesting that I get phone calls on an invalid phone number that has been temporarily disabled. The phone numbers are clearly crappy phone calls where someone is trying to sell me garbage about publishing books or something.
How is it that when these people call this number they are able to get passed through to me on my other phones when supposedly this number is inactivated? Are they basically hacking some system to get through? Or did the phone company make some kind of mistake when they parked my number?
I have long wondered if somehow this number was hacked in some way. I switched my business number to a local number and suddenly got a bunch of leads and calls. It was kind of odd because shortly after the switch - it kind of died down again.
Additionally, one of the guys who hired me suddenly couldn't call me anymore. Not sure how he fixed it. Now other people are complaining they have called me but were not able to get through.
Is this all random? Are our phone systems all hacked too?
Friday, April 17, 2009
Images in frames not showing up in IE8
Another interesting change in IE8 - images in frames do not show up if the parent page is HTTPS and the inner frame is trying to display images from a url using HTTP.
I'm torn on this point. First it's better security to enforce a whole page to be completely https. On the other hand do you know how many web sites are going to be completely non-functional by enforcing this? Additionally this is not the functionality provided by other browsers. I think people will just switch over to a browser that works in this case.
What are the implications of displaying an image from an http url vs an https url on an https encrypted site? It's just an image, not a page with functionality right? However sometimes images can be used to create hacks (search on hack + gif, etc. in Google).
I'm not so sure about this but will just have to make it work somehow in case it doesn't change I guess.
IE8 - More display issues
I was developing a page with a few IFrames for a web application. I was using Firefox since IE8 has so many problems with things not working that worked previously. When I finally went to look at the page in IE8 - it looks absolutely hideous. This is a pretty simple page with about 3 Iframes containing the various content from other pages of the app. There's nothing crazy or complicated going on here. The IFrames in IE8 are misaligned all over the page and have borders even though I have the border style set to nothing on one of the IFrames. The IFrames that do have borders are awfully ugly. They aren't the 1 pixel black solid border I specified. Yikes. I hope this stuff gets fixed pretty soon.
As a side note, I'd like to be able to easily specify that an IFrame should NOT run any Javascript inside of it from the parent application. There are convoluted ways to do this but I'd like an easier option. Then I could force all users to use an updated browser version and display contents in IFrames without having to worry about users getting into the rest of my app code.
Mac BotNet - Zombie Macintosh Computers
This article points out three things:
Mac BotNet
1. If you download free software off the Internet there may be malware embedded in it. Free is not always free. Who's auditing free software anyway?
2. This is the first reported Mac botnet. Macs are as vulnerable as PCs, they just aren't typically targeted as much. Most likely if the Mac user base grows significantly this will change. Also, if Macs are not attacked as much, and Mac is not as on top of security as Windows and encouraging computer owners to update, Mac owners may be more vulnerable. Update your software!
3. Web sites that allow stupid comments after their articles and don't pay attention or moderate them are wasting Internet bandwidth and degrading the quality of their sites. These comments which are supposed to be related to the Mac botnet and Mac security seem to be aimed at degrading any potential search engine rankings for this article rather than actually providing useful comments or feedback.
Tuesday, April 14, 2009
Directory Harvest Attacks - Asia
Recent directory harvest attacks from RIPE and LACNIC:
Begin Time 04/14 10:31:35
End Time 04/14 10:32:47
IP Address 217.197.245.64
Begin Time 04/14 20:56:20
End Time 04/14 20:57:48
IP Address 201.170.118.229
Begin Time 04/14 21:00:38
End Time 04/14 21:02:07
IP Address 201.21.233.128
Weird QuickTime Issue
I uploaded a .tif file to a web site and then when I tried to download it, QuickTime was trying to open it. Why is QuickTime, a movie application, trying to download a .tif file and other static images in my browser? That's odd isn't it?
Then, I tried to change the browser plugin to NOT open any static images - tiffs, jpgs, gifs, etc. I also stopped it from auto playing movies. I restarted my browser. After doing that the plugin continued to try to download the tifs. Why?
I searched around for a way to completely eliminate the plugin from my browsers but couldn't figure that out in a quick fashion, so I ended up just completely removing QuickTime from my computer. After doing that I was able to download the tif files without any problem and without them being embedded in my browser, which is NOT what I wanted.
Is there something odd going on here with QuickTime? I know QuickTime is included with QuickBooks for some reason. Not sure what that was all about.
IE8 - Lots of problems
Is anyone else having a lot of problems with Internet Explorer 8 like I am? Basically a lot of forms aren't working because it seems like some ways to access the DOM or document object model have somehow changed. These same sites work in IE 7 and also Firefox so not sure why they don't work in IE 8. I cannot believe these changes are not affecting other web sites as the programming is very common. Nothing obscure or tricky going on in these web sites - just getting values out of fields via the document object model. What's up with these changes?
Recent Directory Harvest Attacks
Looks like there were quite a few directory harvest attacks around Easter. Perhaps those responsible for these directory harvest attacks figured people would have better things to do on the holidays than pay attention to their mail servers.
Begin Time 04/13 23:55:33
End Time 04/13 23:56:47
IP Address 71.68.21.45
Road Runner HoldCo LLC
Begin Time 04/12 20:11:27
End Time 04/12 20:12:59
IP Address 206.252.161.165
Earthlink, Inc.
Begin Time 04/12 15:57:26
End Time 04/12 15:58:59
IP Address 69.171.162.121
Cricket Communications Inc
Begin Time 04/12 12:53:01
End Time 04/12 12:54:39
IP Address 71.188.170.110
Verizon Internet Services Inc.
Begin Time 04/12 09:44:12
End Time 04/12 09:45:51
IP Address 72.14.74.9
ISP Alliance, INC. / Sjoberg Cable MNCABLE
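The "Begin Time / End Time / IP Address / ISP" records pasted in this post and in the RIPE/LACNIC post above are easy to eyeball one at a time but awkward to compare. The following is an added example, not code from the blog, that parses that exact layout into structured records and summarizes how long each harvest burst lasted. The sample input is the eight records from the two posts; the log omits the year, so 2009 is assumed, and the ISP line is treated as optional because the RIPE/LACNIC list has none.

```python
"""Parse the Begin Time / End Time / IP Address / ISP records as pasted in the posts."""
import re
from collections import Counter
from datetime import datetime

# Records copied from the two directory-harvest posts (RIPE/LACNIC list first, then the
# Easter list). Not constructed; the only assumption is the year, which the log omits.
SAMPLE_LOG = """\
Begin Time 04/14 10:31:35
End Time 04/14 10:32:47
IP Address 217.197.245.64
Begin Time 04/14 20:56:20
End Time 04/14 20:57:48
IP Address 201.170.118.229
Begin Time 04/14 21:00:38
End Time 04/14 21:02:07
IP Address 201.21.233.128
Begin Time 04/13 23:55:33
End Time 04/13 23:56:47
IP Address 71.68.21.45
Road Runner HoldCo LLC
Begin Time 04/12 20:11:27
End Time 04/12 20:12:59
IP Address 206.252.161.165
Earthlink, Inc.
Begin Time 04/12 15:57:26
End Time 04/12 15:58:59
IP Address 69.171.162.121
Cricket Communications Inc
Begin Time 04/12 12:53:01
End Time 04/12 12:54:39
IP Address 71.188.170.110
Verizon Internet Services Inc.
Begin Time 04/12 09:44:12
End Time 04/12 09:45:51
IP Address 72.14.74.9
ISP Alliance, INC. / Sjoberg Cable MNCABLE
"""

_BEGIN = re.compile(r"^Begin Time (\d\d/\d\d \d\d:\d\d:\d\d)$")
_END = re.compile(r"^End Time (\d\d/\d\d \d\d:\d\d:\d\d)$")
_IP = re.compile(r"^IP Address (\d{1,3}(?:\.\d{1,3}){3})$")


def _parse_ts(mmdd_hms, year):
    # The log carries month/day and time only; the year is supplied by the caller.
    return datetime.strptime(f"{year}/{mmdd_hms}", "%Y/%m/%d %H:%M:%S")


def parse_dha_log(text, year=2009):
    """Return one dict per burst: begin, end, ip, org (None if absent), duration_s."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _BEGIN.match(line)
        if m:  # a Begin Time line opens a new record
            current = {"begin": _parse_ts(m.group(1), year), "end": None,
                       "ip": None, "org": None}
            records.append(current)
            continue
        if current is None:
            continue  # stray text before the first record; ignore it
        m = _END.match(line)
        if m:
            current["end"] = _parse_ts(m.group(1), year)
            continue
        m = _IP.match(line)
        if m:
            current["ip"] = m.group(1)
            continue
        current["org"] = line  # any other line is the ISP name that follows the IP
    for r in records:
        complete = r["end"] is not None and r["end"] >= r["begin"]
        r["duration_s"] = int((r["end"] - r["begin"]).total_seconds()) if complete else None
    return records


def summarize(records):
    """Count bursts, average their length, and tally which ISPs they came from."""
    timed = [r for r in records if r["duration_s"] is not None]
    return {
        "count": len(records),
        "mean_duration_s": sum(r["duration_s"] for r in timed) / len(timed) if timed else 0.0,
        "longest": max(timed, key=lambda r: r["duration_s"]) if timed else None,
        "orgs": Counter(r["org"] or "(not listed)" for r in records),
    }


if __name__ == "__main__":
    recs = parse_dha_log(SAMPLE_LOG)
    for r in recs:
        print(f"{r['ip']:16} {r['duration_s']:4}s  {r['org'] or ''}")
    print(summarize(recs))
```

Every burst in the sample lasts between 72 and 99 seconds, which is the kind of uniform timing a scripted address-guessing run produces; tallying by ISP is the first step toward the abuse reports the post hopes someone will act on.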
Monday, April 13, 2009
McAfee Billing for things I didn't renew
McAfee is trying to bill me for software I did not renew. Why?
Thursday, April 09, 2009
Intuit.com - Backup.com - Security Issues
I just tried to get an email from Intuit. They send automated emails from a system and those emails never come to me. They just sent me a temporary password for a system and I'm not getting the email. I'm 99% sure I was entering the right password in the first place and I don't think I ever changed that password so not sure why it wasn't working.
When I do an nslookup to get the mx records for Intuit.com I get 5 mail servers IP addresses. I checked in Postini and these IP addresses are not blocked. Additionally this domain does not have TLS enforcement on. No, the emails are not in any spam boxes.
So I've been on hold going around in circles with this person online who clearly is not a native English speaker and although I asked if this email was coming from an INTUIT.COM email server many times, finally I asked him - is this email coming from within the US? All Intuit mail servers are on a 12.x.x.x IP address so if coming from an INTUIT.COM mail server this email would be coming from the US (ARIN).
Finally the guy admits that the mail is coming from a server in India. I have some IP ranges blocked in India due to spam. Aha. Now we are getting somewhere. So to unblock these mail servers I need to know the specific server from which the mail is coming.
Personally, I would rather that Intuit send such emails from within the United States. I also did not like the fact that Intuit is using some unknown mail server to send my passwords for all my backup information around and that it is not one of the intuit specified mail servers so I can enforce TLS encryption and receive my password securely. I also tried to check if Intuit mail servers support TLS and got booted off the mail server so not sure if it is safe to force TLS and ensure emails regarding my backup service and financial applications are secure.
But at this point I thought I understood what the problem was. Wrong.
After getting escalated again to another manager he told me that the mail was not coming from INTUIT.COM but rather BACKUP.com. So again I look up the mail servers and can see that the mail is coming from 4 Symantec mail servers. Again I dig through with nslookup and figure out that these mail servers are in the US (ARIN) and are not blocked by my mail system.
The manager suggests sending to an alternate email address. OK that will take two days for them to set up and in the meantime my password is floating around out there. Great.
But wait...just as he's about to do this...he notices that the email address in the online backup system is spelled wrong. Two letters are transposed in the system. Hmm. I have gotten many emails from Intuit and I know that I have not recently changed my email address with them. So apparently my emails from them at some point started going to this alternate domain name. I checked and the domain name WAS previously registered. That means apparently in the past someone would be able to get my emails from them and potentially get hints as to what my password was and/or call into them and get my backup password information.
Of course they assure me no one else has gotten into my backups. Probably because they do not want to be liable when it is uncovered that someone has stolen all the financial and business information I have been backing up with them.
I assume when Intuit has you put in email addresses for a backup system which is highly critical, that they verify the person who put in the email got an email back from them before they start sending passwords out this way to that email address.
This is a pretty serious problem if you ask me. I am now wondering who has stolen all my data that I have tried to back up with them for security reasons.
Finally -- I'm wondering how, after they reset my password to a temporary password - I can still backup my files. If the password has been reset shouldn't access to the backup system be denied if my local software is using the old password?
_____
OK I just got a call from Intuit again and this manager I was speaking to told me they have regenerated the password email. I still do not have any emails from them. I am calling in again. The person I got on the phone is trying to get information from me and I'm telling him just to get me back to that person so I don't have to spend another hour and a half on the phone....
...ok got through to that person again. Apparently he called and told me the email went through but he checked some system and the change to the email to correct it was not made. So he's going to go back and check again. He says usually this process takes a couple of days and he's pushing it through so I appreciate that. It's just kind of a huge hassle to get this resolved.
____
Hours later...still no email from Intuit. I guess I'll have to call tomorrow a.m.
____
Next day... I had two emails telling me this issue was resolved and asking for feedback...trying to call again...they are making me go through all the questions again and asking what the problem is over and over again...this is really annoying. Don't they have my business name and all that related to the case number?
...OK the manager I was supposed to ask for is going to call me back in 15-20 minutes....
____
I got a call. It was more than 15-20 but I got a call so that's good. I had to leave my house by that time to run errands so wasn't at my computer. The email hadn't arrived by the time I left my house. The manager re-initiated the email shortly after he called me and when I was able to login to my computer a few minutes later the email finally arrived.
The strange thing is that he told me he received confirmation that the automated emails were sent prior to this one - they never arrived. So why did this one?
____
And in summary...I don't trust online backup anymore. Encryption shemcryption. It doesn't matter if someone can compromise your password - and even after the password has been changed, the software still allows access to upload and download files. Somehow my email got changed in their system, someone set up a fake domain potentially and got access to the files.
Security is not about encryption only. Security is about process and people and auditing and verification and surprise random testing and monitoring.
From here on out I think I'll figure out a way to encrypt my local files before I send them over to the online backup service. This is a total pain as it depends on me remembering my password to encrypt and decrypt the files however so it's a pain.
I think I will also set up a periodic test to download and decrypt my files to make sure someone has not again changed my email, gotten my password, etc. But now it's probably too late. Someone probably has my pertinent data if they already got in there and there's not much I can do about it.
___
Oh and for the record, the email did not come from backup.com OR intuit.com. It would be nice if the service people knew what they were talking about in that regard as well. However it should still be coming from an Intuit mail server and those servers should publish that they use TLS so people can enforce end to end TLS.
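Both this post and the "Half a TLS Solution" post above come down to the same question: does a given mail server actually offer STARTTLS on the inbound side, and does the handshake hold up? The following is an added example, not code from the blog, that answers the part observable from outside. It parses an EHLO reply for the STARTTLS extension and, optionally, connects to an MX host with Python's standard smtplib and attempts the handshake under the system trust store. The two EHLO replies embedded here are constructed for offline use, and mx.example.net is a placeholder, not any provider named in the posts. As the post says, this only checks the inbound half; whether a provider encrypts mail it sends to you can only be seen in the Received headers of the messages it delivers.

```python
"""Check what an SMTP server advertises in its EHLO reply, in particular STARTTLS."""
import smtplib
import socket
import ssl

# Constructed EHLO replies (not captured from any real server), used for offline checks.
EHLO_WITH_STARTTLS = """\
250-mx.example.net Hello client.example.org [192.0.2.10]
250-SIZE 52428800
250-8BITMIME
250-STARTTLS
250 HELP
"""

EHLO_WITHOUT_STARTTLS = """\
250-mx.example.net Hello client.example.org [192.0.2.10]
250-SIZE 52428800
250 8BITMIME
"""


def parse_ehlo_reply(raw):
    """Return {EXTENSION: parameters} from a 250 multi-line EHLO reply.

    The first 250 line is the server greeting (hostname plus free text) and names no
    extension, so it is skipped. Keywords are case-insensitive, so they are upper-cased.
    """
    caps = {}
    lines = [l.rstrip("\r") for l in raw.splitlines() if l.strip()]
    for line in lines[1:]:
        # Continuation lines are "250-..." and the final line is "250 ...".
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            continue
        body = line[4:].strip()
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        caps[keyword.upper()] = params.strip()
    return caps


def advertises_starttls(caps):
    """True if the parsed capabilities include STARTTLS (RFC 3207)."""
    return "STARTTLS" in caps


def probe_inbound_starttls(mx_host, port=25, timeout=10):
    """Connect to an MX host, read its EHLO, and try STARTTLS with certificate checks on.

    Needs network access; not exercised offline. A server that drops the session
    (the "got booted off" case in the post) shows up in the error field rather than
    as an exception.
    """
    result = {"host": mx_host, "connected": False, "starttls": False,
              "tls_ok": False, "tls_version": None, "error": None}
    try:
        with smtplib.SMTP(mx_host, port, timeout=timeout) as smtp:
            result["connected"] = True
            code, _ = smtp.ehlo()
            if code != 250:
                result["error"] = f"EHLO rejected with {code}"
                return result
            result["starttls"] = smtp.has_extn("starttls")
            if result["starttls"]:
                ctx = ssl.create_default_context()  # verifies chain and hostname
                smtp.starttls(context=ctx)
                smtp.ehlo()  # capabilities must be re-read after the handshake
                result["tls_ok"] = True
                result["tls_version"] = smtp.sock.version()
    except (smtplib.SMTPException, ssl.SSLError, socket.error) as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    for label, reply in (("with", EHLO_WITH_STARTTLS), ("without", EHLO_WITHOUT_STARTTLS)):
        caps = parse_ehlo_reply(reply)
        print(label, "STARTTLS:", advertises_starttls(caps), sorted(caps))
    # Live use: run nslookup -type=mx <domain> first, then probe each MX host, e.g.
    # print(probe_inbound_starttls("mx.example.net"))
```

A server that advertises STARTTLS but fails the verified handshake is the "weakest link" case from the earlier post: the connection may still be encrypted, but nothing proves who is on the other end, so an enforcement rule that requires verified TLS would bounce the mail.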
Wednesday, April 08, 2009
Firefox Keylogger
When I start up Firefox using some software that is supposed to alert to keyloggers it says there's some keystroke polling/logging going on when Firefox starts up. When I block whatever this software is, nothing I type into Firefox shows up. The same is not true of Internet Explorer. Maybe this keystroke logging / polling is part of Firefox and to be expected. Wish I understood this better and could see exactly what Firefox is doing.
Clearwire Nodes
Yesterday I noticed one clearwire node in my local network while using my Clearwire card. I restricted access from that node to my computer. Then others popped up as noted in my last post. The thing I find odd is that yesterday I only had one node in my network after using Clearwire for quite a while. Since blocking that one node, I've got tons of Clearwire nodes popping up in my network constantly. Today when I checked there were 53 Clearwire nodes in my network with "protected" access to my machine, whatever that means.
Also strange - today when I turned on my computer and had my clearwire card plugged in, my computer would not boot up. It kind of froze on start up. The disk was spinning like it was trying to do something but it just kind of sat there. This may have nothing to do with Clearwire at all and just a coincidence. I removed the Clearwire card, rebooted, and the computer was fine. Then I restarted again with the Clearwire card, and it was fine again.
Not sure if any of this is related or matters, just reporting what I see.
Tuesday, April 07, 2009
Machine Accessing My Computer on Clearwire Network?
I was just checking out what was out there connecting to my computer while logged into Clearwire. I noticed a strange machine I didn't recognize had restricted access to my computer. I blocked all access. Then another machine popped up. I blocked that one. And so on and so on until I blocked 7 different IP addresses. When I looked them up they all belonged to Clearwire, the network I happen to be connected to at the moment.
So my question is, why does a clearwire machine need access to my computer while connected to their network? After blocking these machines my network still seems to work, so I don't think this is required for network connectivity. In my opinion these machines should not be connecting to my machine. I should connect to their machines when I choose, not vice versa. Is this intentional for some type of network optimization, or is something more devious going on here?
The IPs in question, which are apparently a variety of Microsoft, Apple and other adaptors, are:
96.26.200.234
75.92.204.151
75.92.167.167
96.26.197.19
75.92.248.37
74.61.30.136
74.60.6.73
Sunday, April 05, 2009
Different Browser - Different Google - Same Computer
Just wondering why when I search in Google on the same computer with two different browsers I get different search results for some keywords. I thought Mozilla was off in the past and IE was correct. Now I'm not sure anymore. I know all caching is turned off on my machine. I also turned off a bunch of add-ons and even uninstalled Google toolbar to see if that made a difference. What in the world is going on...is Google displaying different results based on user agent? Is my ISP caching results? Is IE8 doing something weird? What?
I looked further and have something called Search Wiki running. I am not sure how that got onto my computer. Did I install it? I don't remember installing it...The strange thing is it used to only be in Firefox - now it's in IE 8 but it's no longer in Firefox. When I choose to move pages up or down using Search Wiki it totally skews Google results across searches I didn't alter and removes other pages I haven't removed from the search results as well.
I can see pros and cons of this application. The biggest con of all would be someone altering a person's search results on their computer to make them think they have #1 Google rankings when they don't. Con as in con man. But this tool does have some useful application like blocking out sites from search results you don't like. Problem with that is it pretty much skews all your search results across broad categories of pages which I'm not sure is a good thing since Google's search algorithms already work pretty well. I found using search after that had some problems when the results were skewed.
Thursday, April 02, 2009
Hallelujah. Things are working?
Ok there is no issue with my SPF records - that was a mistake. So SPF records are good. Email is going through Postini. Messages previously failing are getting through. Emails are flowing in from places I haven't gotten email from in a month or months - I suspect due to spam, SPF, incorrect MX records, companies finally setting up TLS on their mail servers and a million other reasons. I can look up email servers to see if they support inbound TLS. I have been able to resolve some inbound and outbound TLS restrictions finally and people say they are getting the emails. I was able to get my SSL cert from Network Solutions after two weeks in a very odd fashion and unbelievably install it and it worked (only the second try this time and didn't really have to go around in circles on hold for hours like last time - though I did have to call in twice and they called me twice). Apparently there is no Viagra spam from me in Network Solutions' system anymore. They are flagging my email as spam for some unknown reason (the guy suggested because of the word "software"? Huh?) and apparently got more messages from me than I sent.
But I don't care at this point - it all seems to be working for the moment. I just hope the SSL cert is legit after all that rigamarole.
Wednesday, April 01, 2009
Network Solutions certificate re-issue seems to be broken
When I submit a request to reissue a certificate at the Network Solutions web site I get a blank screen after submitting the request. After calling in today I emailed back and forth with someone through their ticket system. After fixing a few issues on my email system, my emails worked up to the point where I sent them the certificate request. However when I sent them the CSR, suddenly the guy noticed that someone started managing the queue and taking out all the messages when they had previously been ignoring it. The CSR took quite a while to come through while the other messages came through almost instantly. He put me on hold for five minutes while he waited for it and finally came back on the phone when he got it. At that point they were supposed to send me back a signed certificate. However sending a certificate through their automated system failed. It never came through. So finally the guy (again, as always) just manually emailed me the certificate. This has happened for the past three years. When I tried to get the issue resolved with the guy, he said basically all SRS Plus people have to get their certs this way. It never works.
For three years? The directions on the web site are wrong for three years? They haven't fixed their systems for three years? Network Solutions is a big company right?
So, I cannot get the reissue to work on the web site, I cannot get the cert off the web site because some tab I'm supposed to see is missing, their automated system for sending me a certificate doesn't work, and my emails get flagged as spam when they are not, and they get more messages from me than I've actually sent.
The guy said there were 17 emails from me. That's not true, but even if it was, it has been about two weeks that I've been having this problem, and my argument would be - if you answered my first email within 24 hours and resolved the problem you'd probably only get one email. I think I waited almost a week after I sent the first email and got no response and then I got on them to get this fixed. I've had to call in twice and got back a phone call once. I've never gotten an email from them until today.
Not sure what is going on, but I did not send 17 emails to them. I did not send viagra spam. The second guy told me he didn't see any spam in the system from me as the first guy claimed. Who is telling the truth here? Why is my email getting flagged as spam?
It is hard to believe with these kind of issues that these certificates are reliable.
On the phone however the guy claimed someone has hacked the Verisign EV certificates in some super secret presentation. Basically they could hack a PayPal cert. Is this true or is this just some line to keep people from buying an EV cert? Who knows.
I think it would take getting a PhD to have the time to study and validate all these things. Maybe I will.
Recent Directory Harvest Attacks
Event Type Directory Harvest Attack
Begin Time 04/01 13:39:07
End Time 04/01 13:40:21
IP Address 68.204.153.83
Event Type Directory Harvest Attack
Begin Time 04/01 01:05:49
End Time 04/01 01:07:03
IP Address 68.40.159.253
Event Type Directory Harvest Attack
Begin Time 03/30 17:13:50
End Time 03/30 17:14:57
IP Address 173.78.34.160
Latest Google / Postini Dilemma
I thought the Google / Postini issues were fixed but still having problems. I had added some domains in on which I wanted to enforce TLS. After discovering that some of those company's mail servers don't support TLS I moved these restrictions from my configuration. Apparently removing those domains is not working because I tried sending to people on these domains after removing the restriction and the emails are still bouncing.
___
OK this is odd - follow up - the first time I went into Postini and added TLS domains, I checked inbound and outbound. The list was the same for both. If I added one domain to either place it showed up in the other. More recently I went in and double checked my settings. Now I'm seeing different TLS lists for inbound and outbound. I was able to remove certain domains that were failing from the outbound queue. I swear this option did not exist previously.
___
Additionally I was able to look up Network Solutions SSL (netsolssl.com) mail servers - based in the UK? Why? The people on the phone sound like they are in the US. But anyway, I was able to then send/receive mails - until I tried to get a cert back from their automated system. Netsolssl.com mail servers say they support TLS. Is there any chance their automated system is NOT sending emails via TLS? This is a certificate authority - you would think they would be doing that. The only other reason I can think of is that they are sending certs out of some alternate server on different IP addresses (the guy on the phone seemed very knowledgeable and said they are not). So then why is this failing? I'm sure I'll never find out.
Tuesday, March 31, 2009
H1B Visas - 2009
Why don't more Americans have jobs? In part due to the H1B Visa and some very poor regulation that allows tech companies to ship employees in from overseas rather than hire qualified Americans.
A recent bit of an H1B Visa Scam shows that someone in the government needs to be paying more attention to this problem. Unlike Mexicans coming over the border to fill jobs that Americans don't want that pay very low wages to begin with in many cases, these are highly paid IT jobs - and people willing to work at prices that undercut American wages and put people out of work who actually want those jobs.
Legislation to fix some of the problems with H1B Visa was previously rolled into a larger, I would guess more controversial from the public perspective, immigration bill which failed. Hopefully the 2009 H1B Visa Legislation will not have such a fate and something can be done about this problem sooner than later to put more Americans back to work.
I recently worked at a company on contract and asked them why there were so many people from other countries when highly qualified Americans (like me) were out there looking for jobs. Turns out the overseas headquartered company (with I suppose an American office was handling all the H1B Visas) was giving the company I worked for a huge discount if they spent millions of dollars on consulting so the rates would be very low. This caused managers around the company to pressure other people in the company to use the foreign consulting firm to get the discount. That set up also gets the company I was contracting for off the hook for the H1B Visas. They can hire Americans at higher rates as needed and the foreign workers can still be paid less since they aren't getting hired on H1B visas through the American based company - but rather through the foreign based company.
The foreign company fails to comply with hiring Americans when available because if they hired an American who demanded a higher rate, they would have to bump up the pay for all the foreign workers on H1B visas. Therefore they only hire the foreign workers from overseas through some loophole in the legislation obviously. I didn't see one born and raised, native speaking American worker on the staff of the foreign company. I also noticed that in the IT lunchroom every day the foreign workers far exceeded the number of Americans. So obviously that puts me and a bunch of qualified Americans like me (my qualifications far exceeded those of the foreign workers - I was told this by managers at the company) out of a job and lowers American wages in this industry.
Not only that, the foreign workers are learning and becoming well versed in all the latest and greatest technologies at this big company, while American workers fall behind in skill sets and knowledge. Large companies can usually try, buy and utilize technologies that small companies cannot afford so workers gain valuable knowledge and experience. Right now the big American companies using this model are training staff in other countries and hurting the American technology base that supports the research and development that helps America remain a world leader. Also by undercutting wages and putting more Americans out of work - they have fewer customers, less revenue and less profits. It's a really poor business decision if you ask me and incredibly un-American.
Hiring these people from overseas who are able to crank out some code but not very good at designing software that is well architected and maintainable, and who cannot effectively speak the language or get the project done in a timely manner, companies end up throwing bodies at a problem rather than efficiently solving problems. One prior manager from Microsoft (who is European, not American) commented that the overseas workers were cheaper but it took so many more of them to do the job and so much longer that it wasn't cost-effective.
I have worked with some very intelligent people from this particular foreign company I'm talking about but on average I would have to say the people were highly unskilled and in some cases not working much at all. I also don't see the sense of having these people write specifications documents when they cannot even speak English very well and no one can understand them and there are so many miscommunications it drags out the project eternally. Working with these foreign companies may be a dream for managers who get kissed up to while a nightmare for employees who are being sabotaged and undermined by political maneuverings. In my case I went straight to management (after completing a successful project) and explained exactly what was going on. Since I was leaving they knew I had no reason to make these things up. I hope that some smart American managers are able to see through the politics and what is best for our country and their businesses - not just hiring people who kiss their you-know-whats.
I wouldn't call companies that kill American jobs and import or outsource American jobs "Best Places to Work" as some of them have been listed in various magazines. Before CNN updates the Best Places to Work list again, they should take this issue into account. Is the company outsourcing all or a large percentage of IT or other jobs overseas? These places are not an ideal place to work if you cannot get the job.
By the way I heard that the company I was working for cut all their foreign staff. I applaud them. I hope they keep it that way for the sake of their revenues and the American economy in the short term and long term.
Monday, March 30, 2009
Directory Harvest Attacks
Recent directory harvest attacks:
03/30 10:02:59 by IP: 98.215.146.62 - Comcast
03/29 11:06:51 by IP: 71.1.227.69 - Embarq
03/28 22:32:19 by IP: 71.245.168.231 - Verizon
Email Attachments Replaced In Transit
Don't think your email can be altered in transit? Don't see a need for TLS? Find out how the Dalai Lama and US government computers have recently been hacked? The Dalai Lama had email attachments appearing to be from coworkers replaced in transit:
Emails Hacked In Transit
Using TLS is at least a starting point to help reduce this kind of thing. I am not well versed enough to know if it would prevent what the Chinese hackers did in this case to swap out email attachments in transit, however at least it provides authentication on both ends of the message and fixes a few problems in SSL.
Gmail Spamming Network Solutions
I have a gmail email address and a business email address that I have used to email Network Solutions in the past. Someone has bombarded Network Solutions with spam from my email addresses - both of them - so my email addresses got blocked by Network Solutions. The person at Network Solutions said the emails contained Viagra spam among other things.
The most annoying thing is that Network Solutions will not give me any of the mail headers so I can see who is doing it. The second most annoying thing is that I have set up TLS communication between myself and Network Solutions SSL. They had to email me the attachment via GMail - which is obviously not very secure.
I have contended for a long time that someone has been messing with my email and this pretty much confirms it. Coincidence that it was both my gmail account and my business account? I doubt it.
So is it a problem with Gmail that someone can spoof my address to Network Solutions? Is this a problem with Gmail SPF records or lack thereof? Or is the problem that Network Solutions systems are not correctly checking SPF records and cannot tell the difference between spam and real emails that are actually from me?
The other problem with this whole scenario is the Network Solutions person said they were getting my emails, and replying to them. How is it that if my email address was blacklisted due to spam, they can still RECEIVE my emails (potentially spam) but not SEND emails to me? This doesn't really make sense to me. Don't you usually block spam? When they send to me they get no errors - so they didn't know they couldn't get emails to me until I called them and complained that someone really needs to fix this.
Additionally, they at first did not want to add the week onto my certificate for the time I have spent trying to get this to work - when the problem was not my fault. I cannot control their mail servers and know they are trying to email me but they cannot. This whole thing is very odd.
The other interesting thing is that they say they are sending these emails from the UK. This cannot be true because I have a block on emails from the UK. And it is also quite coincidental that one of my customers has been complaining suddenly that he cannot send emails to/from the UK -- but when he sent me the email header in question -- it was coming out of Texas.
Really, what is going on here? When is anyone going to believe that our email systems are really hacked and messed up and everyone needs to start using TLS (if that even works but it seems to be better due to authentication on both sides of the equation).
Thursday, March 26, 2009
123People - 123 People
Norton is reporting that 123 People is hosting drive by download software. Not to mention the completely bogus information they are displaying on their site. This site is bad news. Don't give them any "correct" information either, because who knows how they are using it.
IBM is un-American
IBM is moving about 5,000 jobs off shore to India, Asia and Latin America as a record number of Americans are losing jobs. Boycott IBM.
Rather than fire these people if they cost too much, they could have offered these people lower wages if that was the only issue.
IBM is un-American.
IBM outsourcing jobs to India
Network Solutions SSL Cannot Email Me....
Just wondering what the problem is with Network Solutions trying to email me. Kind of odd - I've been a customer of theirs for years. Seems like the last few times I requested SSL certificates they couldn't send me an email with the new cert. They are fixing the problem now but I find this all kind of strange. Why me? Why a problem with my email address? What is going on? Email is so frustrating.
TLS Enforcement From Postini - Was Never Working?
Ok I've had TLS enforcement turned on in Postini since I got it for a particular domain of a company at which I was working. I just now got an error message stating that I cannot email this company because their mail server does not support TLS. I just used nslookup and telnet to test these mail servers and in fact they do not support TLS. So I don't know for how many months this "TLS Enforcement Policy" was not working. At all. I was sending messages to and from this client thinking they were encrypted.
Monday, March 23, 2009
Delay in TLS failure notifications
Apparently when using Postini TLS policy enforcement, there is quite a delay if you send an email to someone and their inbound server does not support TLS. It looks like it takes about a day or longer, so if you turn on TLS you won't know for some time that your email didn't go through.
Sunday, March 22, 2009
Volt Email Servers - TLS Failure
I tried TLS enforcement while sending to Volt email servers using Postini's TLS enforcement policies. I get a bounce back message saying Volt servers do not support end-to-end TLS enforcement.
The error message is:
Technical details of temporary failure:
Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 451 451 Recipient does not support STARTTLS - psmtp (state 14).
This is very surprising since Volt is a very large technical staffing company. Why wouldn't they want the most secure email possible to protect the identities of their employees and their business communications?
The other odd thing is that I sent to another Volt person and the email seemed to go through. Either that or the TLS failure messages are very delayed and I haven't gotten that failure message yet, which seems odd. Shouldn't the message rejection be immediately available? Isn't there a way to test an email server to see if it supports TLS prior to sending the message so I don't get a whole bunch of failures over time and waste mail server resources when they continually try to resend when an email server doesn't support TLS?
At any rate not sure why Volt email servers don't support TLS. This seems kind of odd. Additionally a person at Volt could not email me for some reason. There seems to be something strange going on with their mail servers.
Google - MD5 Cipher
I just noticed that in my error messages on Google an MD5 Cipher is being used:
version=TLSv1/SSLv3 cipher=RC4-MD5
I am not an expert on TLS and SSL but the latest SSL hack that got a lot of hoopla in the news was using an SSL certificate with MD5 encryption. It has been widely reported that SHA is much more secure and MD5 has been vulnerable for a while. Why is Google using MD5 in that case?
MD5 hacked
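The three TLS posts above (the Postini enforcement policy that turned out not to be working, the delayed "451 Recipient does not support STARTTLS" bounces from Volt's servers, and the "cipher=RC4-MD5" fragment in Google's messages) all come down to the same two questions: does the recipient's MX advertise STARTTLS before I send, and what did the two sides actually negotiate? The script below is an added example, not code from this blog or from Postini or Google. It automates the nslookup-plus-telnet check the posts describe using only the Python standard library, then grades the negotiated cipher name. One point of fact for the last post: in an OpenSSL-style suite name such as RC4-MD5, "MD5" is the HMAC used for record integrity and "RC4" is the encryption; the much-publicised MD5 problem of late 2008 was collisions in certificate signatures, a separate issue. Both RC4 and HMAC-MD5 are nonetheless considered weak today, so the grader flags them. Assumptions: `nslookup` is on the PATH, outbound port 25 is reachable, `example.com` is a placeholder domain, and the sample nslookup and EHLO text in the tests is constructed.

```python
import re
import smtplib
import socket
import subprocess
import sys

# Components of an OpenSSL-style cipher name that make the suite weak.
# In "RC4-MD5", MD5 is the record MAC (HMAC-MD5) and RC4 the encryption.
WEAK_REASONS = {
    "RC4": "RC4 stream cipher (prohibited for TLS by RFC 7465)",
    "MD5": "HMAC-MD5 record integrity",
    "DES": "single DES, 56-bit key",
    "3DES": "triple DES, 64-bit block (SWEET32)",
    "NULL": "no encryption at all",
    "EXP": "export-grade key length",
    "ADH": "anonymous DH, server not authenticated",
    "AECDH": "anonymous ECDH, server not authenticated",
}
# Unix: "mail exchanger = 10 mx.example.com."  Windows: "mail exchanger = mx.example.com"
NSLOOKUP_MX_RE = re.compile(r"mail exchanger = (?:\d+\s+)?([A-Za-z0-9.-]+)")
# The fragment Gmail/Postini put in Received headers and bounce notices.
TLS_LOG_RE = re.compile(r"version=(?P<version>\S+)\s+cipher=(?P<cipher>[\w-]+)")


def parse_nslookup_mx(text: str) -> list[str]:
    """Extract MX hostnames from `nslookup -type=mx` output (either OS format)."""
    return [m.group(1).rstrip(".") for m in NSLOOKUP_MX_RE.finditer(text)]


def mx_hosts(domain: str) -> list[str]:
    """Resolve MX hosts via nslookup; fall back to the bare domain (RFC 5321)."""
    out = subprocess.run(["nslookup", "-type=mx", domain], capture_output=True,
                         text=True, timeout=15).stdout
    return parse_nslookup_mx(out) or [domain]


def ehlo_advertises_starttls(ehlo_reply: bytes) -> bool:
    """True if the EHLO reply lists STARTTLS (smtplib returns newline-joined bytes;
    line 1 is the greeting, the rest are case-insensitive extension keywords)."""
    return any(line.strip().split(b" ")[0].upper() == b"STARTTLS"
               for line in ehlo_reply.splitlines()[1:])


def assess_cipher(name: str) -> list[str]:
    """Weak components of a cipher name: 'RC4-MD5' -> ['RC4', 'MD5'],
    'DES-CBC3-SHA' -> ['3DES'], 'ECDHE-RSA-AES128-GCM-SHA256' -> []."""
    tokens = name.upper().split("-")
    flagged = []
    for tok in tokens:
        if tok == "DES":
            # 'DES-CBC3-*' is triple DES; 'DES-CBC-*' is single DES.
            flagged.append("3DES" if "CBC3" in tokens else "DES")
        elif tok in WEAK_REASONS:
            flagged.append(tok)
    return flagged


def assess_tls_log_line(line: str) -> dict:
    """Parse 'version=... cipher=...' from a header or bounce and grade the cipher."""
    m = TLS_LOG_RE.search(line)
    if not m:
        raise ValueError("no version=/cipher= fragment in line")
    cipher = m.group("cipher")
    return {"version": m.group("version"), "cipher": cipher,
            "weaknesses": assess_cipher(cipher)}


def check_starttls(host: str, timeout: float = 10.0) -> dict:
    """Connect on port 25, EHLO, upgrade with STARTTLS, report the cipher.

    No verifying SSLContext is passed, so the certificate is not checked:
    the question is whether the hop can be encrypted at all, which is what
    Postini's policy tests, and MX hosts often present a certificate for
    another name.
    """
    result = {"host": host, "starttls": False, "cipher": None, "weaknesses": []}
    try:
        with smtplib.SMTP(host, 25, timeout=timeout) as smtp:
            code, reply = smtp.ehlo()
            if code != 250 or not ehlo_advertises_starttls(reply):
                result["error"] = "EHLO did not advertise STARTTLS"
                return result
            smtp.starttls()
            name, version, _bits = smtp.sock.cipher()
            result.update(starttls=True, cipher=name, version=version,
                          weaknesses=assess_cipher(name))
    except (smtplib.SMTPException, socket.error) as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    domain = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    for host in mx_hosts(domain):
        print(check_starttls(host))
```

Run it as `python starttls_check.py recipient-domain` before turning on an enforcement policy for that domain; an MX that never advertises STARTTLS will produce the 451 bounce above for every message, and the script shows that in seconds rather than a day later. A pass here only says the recipient's MX can do TLS; it says nothing about whether your own relay actually enforced it on its hop, which is the check the first post found wanting.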