Message Board

Tracking Harvesters/Spammers

Older Posts ]   [ Newer Posts ]
 User Agent switching
Author: S.Metler2   (19 Nov 12 7:58am)
Hi there,

I am reviewing website logs and looking at different atypical visitor patterns.

One pattern that I see is where the 'User Agent' changes halfway though a visitor's visit.

Here is a simple example of this:

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.30; InfoPath.2; .NET4.0C; .NET4.0E)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.30; InfoPath.2; .NET4.0C; .NET4.0E)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.30; .NET4.0C; .NET4.0E; InfoPath.2)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.30; .NET4.0C; .NET4.0E; InfoPath.2)


Specifically, the last part of the User Agent:

InfoPath.2; .NET4.0C; .NET4.0E

V.S.

.NET4.0C; .NET4.0E; InfoPath.2

While this indicates the same plugins are enabled, the order of the User Agent plugins has changed.

I am curious if this typical or unusual ??

I would expect that a regular (legitimate) Browser client would form the User Agent string using the the same order of operations each time (thus producing an identical User Agent string) for each page view of that user's visit.

Does anyone know if this minor 'User Agent' change is typical behavior?

If not, then I would like to add this in as a 'Red Flag' within my log analysis viewer.
 
 Re: User Agent switching
Author: J.Editor   (25 Aug 16 8:27am)
I have seen the same thing from what looks like a very dodgy user (234.227.204.207.client.static.strong20.as22781.net), eight hits a day is usual from this one. Does the same thing you discribed as well as faking my site as the referring URL.



do not follow this link

Privacy Policy | Terms of Use | About Project Honey Pot | FAQ | Cloudflare Site Protection | Contact Us

Copyright © 2004–17, Unspam Technologies, Inc. All rights reserved.

contact | wiki | email