Posted

Hi, something called Microsoft URL Control - 6.00.8169 is hitting my site at about 100 hits per minute. It's using hundreds of megabytes of bandwidth.

 

I can send more info, but is this something I should send to tech support, or can somebody here help me?

 

The referring URL is from an excite.com email:

 

 

Thank you!

Jen

Posted (edited)

Here's an explanation I found of what it is:

Just to let you know, programmers (e.g. Visual Basic) have access to a number of controls which can be used in the development of software applications.

Such controls include a web browser control, or something called the Internet Transfer Control (Inet) through which web pages and their HTML code can be downloaded.

When an application/program using the above control accesses your page then it leaves the "Microsoft URL Control" footprint.

And here is an untested and non-warranted line you are supposed to be able to add to your .htaccess file to stop it but I've done NO testing on it:

RewriteCond %{HTTP_USER_AGENT} ^microsoft.url [NC]
RewriteRule .* - [F]

Perhaps someone more familiar with .htaccess coding can fill in any blanks on how to use this.

Edited by TCH-Jim

Posted

Hi Jim,

 

Thank you so much for taking the time to look that up.

 

Tech support was able to ban the IP.

 

I still want to know who this was, and why they were doing it. It looks like a DoS attack, so I would like to know if it was somebody just targeting my site, or the server. From my logs, it looks like just my site (although Aromal originally said server-wide).

 

Here is a part of my log file where you can see the original email referrer, and then the hits from Microsoft Url Control.

 

This is only one minute of hits. It continued for another 12 hours at this rate, until a level 2 support tech put a different IP ban in my .htaccess file.

 

68.86.38.51 - - [19/Jun/2004:10:44:06 -0400] "GET / HTTP/1.1" 200 17170 "http://e20.email.excite.com/msg_read.php?m=0&d=1&mid=3380&ArdSI=55a8a010dbef3ecdbb6ff70d1ee9b462&ArdSI=55a8a010dbef3ecdbb6ff70d1ee9b462" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

68.86.38.51 - - [19/Jun/2004:10:44:06 -0400] "GET /images/PDC.jpg HTTP/1.1" 200 9355 "http://www.iloveplaya.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

68.86.38.51 - - [19/Jun/2004:10:44:07 -0400] "GET /images/dolphin.jpg HTTP/1.1" 200 3946 "http://www.iloveplaya.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

68.86.38.51 - - [19/Jun/2004:10:44:07 -0400] "GET /images/aaa.jpg HTTP/1.1" 200 789 "http://www.iloveplaya.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

68.86.38.51 - - [19/Jun/2004:10:44:07 -0400] "GET /images/w3.gif HTTP/1.1" 200 2328 "http://www.iloveplaya.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

68.86.38.51 - - [19/Jun/2004:10:44:07 -0400] "GET /images/playablueparrothotel4.jpg HTTP/1.1" 200 26518 "http://www.iloveplaya.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

68.86.38.51 - - [19/Jun/2004:10:44:09 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:10 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:10 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:11 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:12 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:12 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:13 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:14 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:15 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:15 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:16 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:17 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:18 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:19 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:19 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:20 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:21 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:22 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:23 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:23 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:24 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:25 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:26 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:26 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:27 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:28 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:28 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:29 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:30 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:31 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:31 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:32 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:33 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:33 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:34 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:35 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:36 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:36 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:37 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:38 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:38 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:39 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:40 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:40 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:41 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:42 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:43 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:43 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:44 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:45 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:45 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:46 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:47 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:47 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:49 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:49 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:50 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:51 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:51 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:52 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:53 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:53 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:54 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:55 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:55 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:56 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:57 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"

68.86.38.51 - - [19/Jun/2004:10:44:59 -0400] "GET / HTTP/1.1" 200 17170 "-" "Microsoft URL Control - 6.00.8169"
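
An added example, not part of the original posts: a small detector for the pattern in the excerpt above, where one address requests the same path about once a second. The window, the threshold and the sample addresses (documentation ranges) are assumptions, and the sample lines are constructed to resemble the excerpt.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" log format, the format of the excerpt in the post above.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} (?P<size>\d+|-) "[^"]*" "(?P<agent>[^"]*)"')

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # skip lines that are not in combined format
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def find_floods(lines, window=timedelta(seconds=10), threshold=8):
    """Totals for every (ip, path) requested >= threshold times within one window."""
    # Keyed on address and path, not User-Agent: the agent string is supplied
    # by the client and can change between requests from the same address.
    recent = defaultdict(deque)  # (ip, path) -> timestamps still inside the window
    totals = defaultdict(lambda: {"hits": 0, "bytes": 0, "agents": set()})
    flagged = set()
    for rec in filter(None, map(parse, lines)):  # assumes chronological order
        key = (rec["ip"], rec["path"])
        totals[key]["hits"] += 1
        totals[key]["bytes"] += rec["size"]
        totals[key]["agents"].add(rec["agent"])
        q = recent[key]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(key)
    return {key: totals[key] for key in flagged}

def sample_log():
    """Constructed lines: one browser hit, an unrelated visitor, then 30 repeats."""
    fmt = '{ip} - - [19/Jun/2004:10:44:{s:02d} -0400] "GET {p} HTTP/1.1" 200 {n} "-" "{ua}"'
    browser = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    control = "Microsoft URL Control - 6.00.8169"
    lines = [fmt.format(ip="203.0.113.7", s=6, p="/", n=17170, ua=browser),
             fmt.format(ip="198.51.100.20", s=7, p="/images/w3.gif", n=2328, ua=browser)]
    lines += [fmt.format(ip="203.0.113.7", s=s, p="/", n=17170, ua=control)
              for s in range(9, 39)]
    return lines

if __name__ == "__main__":
    for (ip, path), t in find_floods(sample_log()).items():
        print(ip, path, t["hits"], "hits", t["bytes"], "bytes", sorted(t["agents"]))
```

The reported totals include the earlier browser request from the same address, so the output lists both User-Agent strings seen from that client.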

Posted

Do you send out emails with links to your site (assuming iloveplaya is yours)? Especially if they are unsolicited? It looks to me (who is definitely no expert) that someone on excite got an email, went to your site, then tried to shut you down. If you had spammed it could be an anti-spammer attack program that someone wrote in retaliation to spam.

 

Please don't take offense! I'm not accusing you of spamming, just wondering what other motivation could cause this. Maybe it's a competitor to your site that wants to shut you down? It's hard to say. That address is a comcast site so without their cooperation you will never find out who it is in all likelihood.

Posted

Oh, no...I have never sent anybody spam. I haven't even sent out any link exchange requests, yet, because I hate bothering people.

 

I don't even use that email address, except to respond to people who email me first to ask a question about my site. I sent a few ecards through my photo gallery program to my family, but not to anybody I don't know.

 

When I was researching this thing, I did find that spammers often use this Microsoft URL Control to search for formmail.pl, and then it will email them if it finds it on your site, and they can use your server to send spam out. I don't use any type of form mail, though.

 

As far as competitors, my site isn't very popular, yet. It crossed my mind, though. I guess it would depend if Aromal was correct when he said it was a serverwide attack. And that I do not know.

 

I sent abuse complaints to comcast and excite.com yesterday, but I never heard anything back from them except for the auto-replies.

 

I'm very, very curious, though.
