Very odd - Referrers getting caught in IIS 6 logfiles?

Hi,
We have recently added our own 404 & 500 error pages to IIS6 which
writes errors to SQL database then posts an email to me to help
resolve any them quickly. Can anyone explain why I am seeing errors in
this log from other peoples websites, the 404 trigger should only
occur when someone tries to access pages within my site shouldnt it?

For example the below is a 404 on my IIS that has nothing to do with
our site/domain and with no outbound web access from the IIS server it
baffles me..

Referrer:
http://www.currys.co.uk/martprd/store/cur_page.jsp?BV_Sessio nID=@@@@1737658002.1196200812@@@@&BV_EngineID=ccggaddmjehmlh gcflgceggdhhmdgmi.0&page=GenericEditorial&genericeditorial=t oplevel_gaming&category_oid=-11107&fm=2&sm=undefined&tm=unde fined

File: http://store_doc:80/images/GE_Images/audio/dotted_arrow_blue .gif

Confused..

G

Re: Very odd - Referrers getting caught in IIS 6 logfiles?

On Nov 28, 12:37 am, gstar wrote:
> Hi,
> We have recently added our own 404 & 500 error pages to IIS6 which
> writes errors to SQL database then posts an email to me to help
> resolve any them quickly. Can anyone explain why I am seeing errors in
> this log from other peoples websites, the 404 trigger should only
> occur when someone tries to access pages within my site shouldnt it?
>
> For example the below is a 404 on my IIS that has nothing to do with
> our site/domain and with no outbound web access from the IIS server it
> baffles me..
>
> Referrer:http://www.currys.co.uk/martprd/store/cur_page.jsp? BV_SessionID=@@@@1...
>
> File:http://store_doc:80/images/GE_Images/audio/dotted_arrow _blue.gif
>
> Confused..
>
> G


You are seeing errors in your IIS log files because they have URLs
that intentionally/unintentionally reference a URL serviced by your
web server.

By default, IIS logs all requests to access resources on it from
anyone. There is no such limit as only logging requests from users
accessing pages within your site. IIS does not process pages from your
site so it literally does not know whether the users accessing pages
from it come from your site or not. Referer is data provided from the
client and should not be trusted/believed by the server when it comes
to distinuishing the source of a request.

In other words, I don't think there is anything to be worried or
confused about. I mean, give me your hostname, and I'll add a couple
thousand mysterious 404s to your log file with random referers. Oh,
and I'll spoof the TCP packets so that it appears to come from from
different IPs. :-) Do you think there is any way for you to stop me
or avoid people generating 404s in your log files whenever they want?
Do you still want to worry about the 404s?

Now, you may want to fix the 404s where the referer comes from your
own site because that indicates a broken link on your website, but if
the 404s come from outside your website, there is little you can do.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

Re: Very odd - Referrers getting caught in IIS 6 logfiles?

> You are seeing errors in your IIS log files because they have URLs
> that intentionally/unintentionally reference a URL serviced by your
> web server.
>
> By default, IIS logs all requests to access resources on it from
> anyone. There is no such limit as only logging requests from users
> accessing pages within your site. IIS does not process pages from your
> site so it literally does not know whether the users accessing pages
> from it come from your site or not. Referer is data provided from the
> client and should not be trusted/believed by the server when it comes
> to distinuishing the source of a request.
>
> In other words, I don't think there is anything to be worried or
> confused about. I mean, give me your hostname, and I'll add a couple
> thousand mysterious 404s to your log file with random referers. Oh,
> and I'll spoof the TCP packets so that it appears to come from from
> different IPs. :-) Do you think there is any way for you to stop me
> or avoid people generating 404s in your log files whenever they want?
> Do you still want to worry about the 404s?
>
> Now, you may want to fix the 404s where the referer comes from your
> own site because that indicates a broken link on your website, but if
> the 404s come from outside your website, there is little you can do.
>
> //Davidhttp://w3-4u.blogspot.comhttp://blogs.msdn.com/David. Wang
> //- Hide quoted text -
>
> - Show quoted text -


Thanx David, I am not worried about why they are there just curious as
I know for certain that some of the referers do not have any
"unintentionall references" to our site. One is a flash site that
simply has 5 pages and links only to itself! As I say we have many of
these, I cant believe all these sites would be referring to our site
on the same day by accident.

Cheers

Re: Very odd - Referrers getting caught in IIS 6 logfiles?

gstar wrote on Wed, 28 Nov 2007 00:37:02 -0800 (PST):

> Hi,
> We have recently added our own 404 & 500 error pages to IIS6 which
> writes errors to SQL database then posts an email to me to help resolve
> any them quickly. Can anyone explain why I am seeing errors in this log
> from other peoples websites, the 404 trigger should only occur when
> someone tries to access pages within my site shouldnt it?

> For example the below is a 404 on my IIS that has nothing to do with
> our site/domain and with no outbound web access from the IIS server it
> baffles me..

> Referrer:
> http://www.currys.co.uk/martprd/store/cur_page.jsp?BV_Sessio nID=@@@@
> 1737658002.1196200812@@@@&BV_EngineID=ccggaddmjehmlhgcflgceg gdhhmdgmi.0&
> page=GenericEditorial&genericeditorial=toplevel_gaming&categ ory_oid=-
> 11107&fm=2&sm=undefined&tm=undefined

> File: http://store_doc:80/images/GE_Images/audio/dotted_arrow_blue .gif

> Confused..

> G


In the Currys page is this:


The // at the start is causing some browsers (I noticed my IE7 does this) to
turn this into the equivalent of http://store_doc/images/GE_Images/audio/dotted_arrow_blue.gi f
.. What happens then is that the browser, or the TCP stack, will try to
resolve the IP address for store_doc, and may add common suffixes or those
defined in the TCP settings. For instance, IE may try store_doc.com,
www.store_doc.com, and a few other suffixes depending upon the country. At
some point DNS resolution points at the IP address for your site, and the
request is fired at it - and then you get the entries you see in your log.

Without knowing the IP address and mapped DNS hosts to the server it'll be
difficult, if not impossible, for someone to tell you exactly why it's your
server that gets this request.

Dan

Re: Very odd - Referrers getting caught in IIS 6 logfiles?

gstar wrote on Wed, 28 Nov 2007 01:01:48 -0800 (PST):

>> You are seeing errors in your IIS log files because they have URLs
>> that intentionally/unintentionally reference a URL serviced by your
>> web server.

>> By default, IIS logs all requests to access resources on it from
>> anyone. There is no such limit as only logging requests from users
>> accessing pages within your site. IIS does not process pages from
>> your site so it literally does not know whether the users accessing
>> pages from it come from your site or not. Referer is data provided
>> from the client and should not be trusted/believed by the server when
>> it comes to distinuishing the source of a request.

>> In other words, I don't think there is anything to be worried or
>> confused about. I mean, give me your hostname, and I'll add a couple
>> thousand mysterious 404s to your log file with random referers. Oh,
>> and I'll spoof the TCP packets so that it appears to come from from
>> different IPs. :-) Do you think there is any way for you to stop me
>> or avoid people generating 404s in your log files whenever they want?
>> Do you still want to worry about the 404s?

>> Now, you may want to fix the 404s where the referer comes from your
>> own site because that indicates a broken link on your website, but if
>> the 404s come from outside your website, there is little you can do.

>> //Davidhttp://w3-4u.blogspot.comhttp://blogs.msdn.com/David. Wang //-
>> Hide quoted text -

>> - Show quoted text -


> Thanx David, I am not worried about why they are there just curious as
> I know for certain that some of the referers do not have any
> "unintentionall references" to our site. One is a flash site that
> simply has 5 pages and links only to itself! As I say we have many of
> these, I cant believe all these sites would be referring to our site on
> the same day by accident.


Do they, by any chance, all have /store_doc in the image references? As I
hinted in my other reply, something is causing references to the hostname
store_doc to point to your server, but it may be restricted to just a subset
of internet users - for instance, a large ISP or registrar might have
configured their DNS incorrectly so that hostnames that can't be resolved
are pointing at what they thought was one of their own IPs so they could
slap up some advertising (for instance, Verisign did this a few years ago
when they took over Network Solutions and pointed all non-existant .com
domain requests to one of their own servers), but the admin entered the
wrong address and it's actually pointing at your server instead.

Dan

Re: Very odd - Referrers getting caught in IIS 6 logfiles?

> Do they, by any chance, all have /store_doc in the image references? As I
> hinted in my other reply, something is causing references to the hostname
> store_doc to point to your server, but it may be restricted to just a subset
> of internet users - for instance, a large ISP or registrar might have
> configured their DNS incorrectly so that hostnames that can't be resolved
> are pointing at what they thought was one of their own IPs so they could
> slap up some advertising (for instance, Verisign did this a few years ago
> when they took over Network Solutions and pointed all non-existant .com
> domain requests to one of their own servers), but the admin entered the
> wrong address and it's actually pointing at your server instead.
>
> Dan

Thanx Dan,
No they all have differing destinations, another example which we get
hit a lot with is this:

Referrer: http://uk.match.com/search/searchSubmit.aspx?&RN=4&lid=10&PN =2&DO=0
File: http://images.qa.match.corp:80/match/s.gif

I guess this is just something I will need to put up with.

Cheers

G

Re: Very odd - Referrers getting caught in IIS 6 logfiles?

gstar wrote on Wed, 28 Nov 2007 02:18:32 -0800 (PST):


>> Do they, by any chance, all have /store_doc in the image references?
>> As I hinted in my other reply, something is causing references to the
>> hostname store_doc to point to your server, but it may be restricted
>> to just a subset of internet users - for instance, a large ISP or
>> registrar might have configured their DNS incorrectly so that
>> hostnames that can't be resolved are pointing at what they thought
>> was one of their own IPs so they could slap up some advertising (for
>> instance, Verisign did this a few years ago when they took over
>> Network Solutions and pointed all non-existant .com domain requests
>> to one of their own servers), but the admin entered the wrong address
>> and it's actually pointing at your server instead.

>> Dan

> Thanx Dan,
> No they all have differing destinations, another example which we get
> hit a lot with is this:

> Referrer:
> http://uk.match.com/search/searchSubmit.aspx?&RN=4&lid=10&PN =2&DO=0
> File: http://images.qa.match.corp:80/match/s.gif

Again, notice the hostname of the file request - there is no .corp TLD.
Definitely looks to be some sort of DNS mapping of non-existent TLDs/hosts
to a landing page which is not working.

> I guess this is just something I will need to put up with.

Unless you can find the source of the problem, then unfortunately there's
not much you can do except to filter out requests for hosts that don't exist
on your server. If this is as I suspect an attempt at a landing page for
advertising, then it should sort itself out once the company responsible
realises their error and fixes whatever it is that they have set up.

Dan

Re: Very odd - Referrers getting caught in IIS 6 logfiles?

On Nov 28, 10:49 am, "Daniel Crichton"
wrote:
> gstar wrote on Wed, 28 Nov 2007 02:18:32 -0800 (PST):
>
> >> Do they, by any chance, all have /store_doc in the image references?
> >> As I hinted in my other reply, something is causing references to the
> >> hostname store_doc to point to your server, but it may be restricted
> >> to just a subset of internet users - for instance, a large ISP or
> >> registrar might have configured their DNS incorrectly so that
> >> hostnames that can't be resolved are pointing at what they thought
> >> was one of their own IPs so they could slap up some advertising (for
> >> instance, Verisign did this a few years ago when they took over
> >> Network Solutions and pointed all non-existant .com domain requests
> >> to one of their own servers), but the admin entered the wrong address
> >> and it's actually pointing at your server instead.
>
> >> Dan
>
> > Thanx Dan,
> > No they all have differing destinations, another example which we get
> > hit a lot with is this:
> > Referrer:
> >http://uk.match.com/search/searchSubmit.aspx?&RN=4&lid=10&P N=2&DO=0
> > File:http://images.qa.match.corp:80/match/s.gif
>
> Again, notice the hostname of the file request - there is no .corp TLD.
> Definitely looks to be some sort of DNS mapping of non-existent TLDs/hosts
> to a landing page which is not working.
>
> > I guess this is just something I will need to put up with.
>
> Unless you can find the source of the problem, then unfortunately there's
> not much you can do except to filter out requests for hosts that don't exist
> on your server. If this is as I suspect an attempt at a landing page for
> advertising, then it should sort itself out once the company responsible
> realises their error and fixes whatever it is that they have set up.
>
> Dan

Much appreciated..

Re: Very odd - Referrers getting caught in IIS 6 logfiles?

>>
>> Unless you can find the source of the problem, then unfortunately there's
>> not much you can do except to filter out requests for hosts that don't
>> exist
>> on your server. If this is as I suspect an attempt at a landing page for
>> advertising, then it should sort itself out once the company responsible
>> realises their error and fixes whatever it is that they have set up.
>>
>> Dan
>
> Much appreciated..

You could try actually sticking an image in those paths so it's not a 404.

If you dont want the traffic and want it to go away permenently, put some
German scat porn pictures there so the end user sees them. The problem will
get fixed from the other end pretty quick as the webmasters over there panic
and actually put some effort into proper web site operation.

>;)

Re: Very odd - Referrers getting caught in IIS 6 logfiles?

On Nov 28, 3:30 pm, ".._.." <.....@yourmom.mil> wrote:
> >> Unless you can find the source of the problem, then unfortunately there's
> >> not much you can do except to filter out requests for hosts that don't
> >> exist
> >> on your server. If this is as I suspect an attempt at a landing page for
> >> advertising, then it should sort itself out once the company responsible
> >> realises their error and fixes whatever it is that they have set up.
>
> >> Dan
>
> > Much appreciated..
>
> You could try actually sticking an image in those paths so it's not a 404.
>
> If you dont want the traffic and want it to go away permenently, put some
> German scat porn pictures there so the end user sees them. The problem will
> get fixed from the other end pretty quick as the webmasters over there panic
> and actually put some effort into proper web site operation.
>
>
>
> >;)- Hide quoted text -
>
> - Show quoted text -

Hah hah hah, Never thought of that, not sure me MD would be up for it
though!!

Cheers