These are the old pages from the weblog as they were published at Cornell. Visit www.allthingsdistributed.com for up-to-date entries.

March 23, 2004

Talk to Luke

if you are running SharpReader on host 12.6.232.1. You're one of the big spikes in the feed analysis graphs of last week. Luke is interested in finding out why your instance of SharpReader does not use conditional GET, even though you are running the latest SharpReader.

I know you have stopped pulling the feed the moment I started posting the graphs, but we're still very interested what was going on.

Posted by Werner Vogels at March 23, 2004 10:43 AM
TrackBacks

Comments

Interesting that they stopped pulling the feed as soon as you posted that graph. This obviously indicates that whomever caused the spike was aware of the problem, which makes scenario #1 (bug in SharpReader) even less likely, and #2 (faked useragent) more likely. Of course scenario #3 (header filtering in proxy) is still an option as well, though if it was me and I had that setup quite a while ago, I probably would not make the connection when reading the post about your spikes.

Is it just the ip+feed+agent combo that disappeared, or did the ip drop from your logs altogether?

Posted by: Luke Hutteman on March 23, 2004 02:14 PM

The IP address dissapeared completely, and there are no more Sharpreader with this behavior...

I don't think it was someone spoofing SharpReader as on 03/01 the version # changed from 0.9.3.2 into 0.9.4.0 and on 03/08 it changed into 0.9.4.1 which appears that someone was indeed upgrading the application. So maybe a faulty proxy is indeed the cause (but then why did this reader suddenly drop of the earth?)

BTW the last ID string was: SharpReader/0.9.4.1+(.NET+CLR+1.1.4322.573;+WinNT+5.2.3790.0)

Posted by: Werner on March 23, 2004 02:25 PM

That looks like a genuine #R useragent, except for the fact that it uses plus signs instead of spaces. Did their useragent actually include those plus signs or did you pull that string from some place that url encoded it or something?

I agree that if their version changed along with #R releases, it's pretty unlikely that it's a spoof...

Posted by: Luke Hutteman on March 23, 2004 03:49 PM