Comments on: MS Live Search hitting web sites with fake referer information http://www.everfluxx.com/ms-live-search-hitting-web-sites-with-fake-referer-information/ Contempt Is King.™ Fri, 21 Nov 2008 03:54:15 +0000 http://wordpress.org/?v=2.2 By: MSN Live Search Spam BOT Cloaked referrals - Yack Yack SEO http://www.everfluxx.com/ms-live-search-hitting-web-sites-with-fake-referer-information/#comment-44 MSN Live Search Spam BOT Cloaked referrals - Yack Yack SEO Sat, 21 Jun 2008 09:23:49 +0000 http://www.everfluxx.com/ms-live-search-hitting-web-sites-with-fake-referer-information/#comment-44 [...] MS Live Search hitting web sites with fake referer information [...] […] MS Live Search hitting web sites with fake referer information […]

]]> By: Everfluxx http://www.everfluxx.com/ms-live-search-hitting-web-sites-with-fake-referer-information/#comment-23 Everfluxx Sat, 03 Nov 2007 09:59:19 +0000 http://www.everfluxx.com/ms-live-search-hitting-web-sites-with-fake-referer-information/#comment-23 Hi Stefano! :) I'm still not sure this is an automated check for referer-based cloaking. The same IP has also been requesting linked CSS and JS files... Take a look: <code>65.55.165.15 - - [02/Nov/2007:02:02:58 +0100] "GET /requested/url.html HTTP/1.0" 200 65429 "http://search.live.com/results.aspx?q=keyword&mrt=en-us&FORM=LIVSOP" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322)" 65.55.165.15 - - [02/Nov/2007:02:02:59 +0100] "GET /css/main.css HTTP/1.0" 200 2832 "http://www.example.com/requested/url.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322)" 65.55.165.15 - - [02/Nov/2007:02:02:59 +0100] "GET /js/prototype.js HTTP/1.0" 200 96046 "http://www.example.com/requested/url.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322)" 65.55.165.15 - - [02/Nov/2007:02:03:00 +0100] "GET /js/scriptaculous.js?load=effects HTTP/1.0" 200 2152 "http://www.example.com/requested/url.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322)" 65.55.165.15 - - [02/Nov/2007:02:03:01 +0100] "GET /js/effects.js HTTP/1.0" 200 31969 "http://www.example.com/requested/url.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322)" 65.55.165.15 - - [02/Nov/2007:02:03:01 +0100] "GET /js/lightbox.js HTTP/1.0" 200 23825 "http://www.example.com/requested/url.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322)" 65.55.165.15 - - [02/Nov/2007:02:03:02 +0100] "GET /css/lightbox.css HTTP/1.0" 200 1637 "http://www.example.com/requested/url.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322)"</code> If the guys at MS really wanted to check for cloaking, why issue an easily recognizable (and, thus, cloakable!) referer in the first place? I don't think this was intentional, after all. I think the referer with the "FORM=LIVSOP" parameter might have been <strong>leaked</strong> by an internal interface used by Live Search's quality raters instead (remember, msndude said this was a "quality check")... Maybe (I'm guessing) "LIVSOP" = "LIVe Search OPerator [Console]"? ;) Just a thought... Hi Stefano! :)

I’m still not sure this is an automated check for referer-based cloaking. The same IP has also been requesting linked CSS and JS files… Take a look:

65.55.165.15 - - [02/Nov/2007:02:02:58 +0100] "GET /requested/url.html HTTP/1.0" 200 65429 "http://search.live.com/results.aspx?q=keyword&mrt=en-us&FORM=LIVSOP" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322)"
65.55.165.15 - - [02/Nov/2007:02:02:59 +0100] "GET /css/main.css HTTP/1.0" 200 2832 "http://www.example.com/requested/url.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322)"
65.55.165.15 - - [02/Nov/2007:02:02:59 +0100] "GET /js/prototype.js HTTP/1.0" 200 96046 "http://www.example.com/requested/url.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322)"
65.55.165.15 - - [02/Nov/2007:02:03:00 +0100] "GET /js/scriptaculous.js?load=effects HTTP/1.0" 200 2152 "http://www.example.com/requested/url.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322)"
65.55.165.15 - - [02/Nov/2007:02:03:01 +0100] "GET /js/effects.js HTTP/1.0" 200 31969 "http://www.example.com/requested/url.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322)"
65.55.165.15 - - [02/Nov/2007:02:03:01 +0100] "GET /js/lightbox.js HTTP/1.0" 200 23825 "http://www.example.com/requested/url.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322)"
65.55.165.15 - - [02/Nov/2007:02:03:02 +0100] "GET /css/lightbox.css HTTP/1.0" 200 1637 "http://www.example.com/requested/url.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322)"

If the guys at MS really wanted to check for cloaking, why issue an easily recognizable (and, thus, cloakable!) referer in the first place?

I don’t think this was intentional, after all.

I think the referer with the “FORM=LIVSOP” parameter might have been leaked by an internal interface used by Live Search’s quality raters instead (remember, msndude said this was a “quality check”)… Maybe (I’m guessing) “LIVSOP” = “LIVe Search OPerator [Console]”? ;)

Just a thought…

]]> By: Stefano Gorgoni http://www.everfluxx.com/ms-live-search-hitting-web-sites-with-fake-referer-information/#comment-22 Stefano Gorgoni Fri, 02 Nov 2007 20:30:06 +0000 http://www.everfluxx.com/ms-live-search-hitting-web-sites-with-fake-referer-information/#comment-22 well, i think you spotted the point. referer-based cloaking is maybe the hardest cloaking to detect. so, adding a fake referer can help search engines to find it out... :) am i wrong? well, i think you spotted the point. referer-based cloaking is maybe the hardest cloaking to detect.

so, adding a fake referer can help search engines to find it out… :)

am i wrong?

]]>