Life on the edge

Yeah well. Most of us use MS Windows or Linux on pretty normal Intel or PPC architectures but there are some people who like to live on the edge. Here is the modest (like one, man) beginning of our "exotic strings" list.

Crawlers and Robots

This list is being discontinued since there are already a number of locations where you can get much better information than is maintained here. One of the best is also the home of the robots.txt site which describes how to stop (politely behaved) robots from looking at parts of your site using the robots.txt file. The current entries may now be seriously out of date.

Browser Help Objects

This section shows strings from a number of plug-ins or proxy services whose job in life (they have decided) is to help (maybe) the user as they meander throughout the 'net. We are going to try and build a list with links to the plug-in site and - with your help - categorise them both as to how they get installed - e.g. willing user or stealth and wheter they are benign or nasty. In may cases we just show the additional string that will result rather than a full browser string - we're not gonna install nasty things just for your information now are we - well not willingly we're not!

..FunWebSearch...

Explanation: MyWebSearch (or FunWebProducts enhanced browser - not classified as sypware or adware. To remove it - go here. Info from Chris Gulutz - thanks.

Mozilla/4.0 (compatible; Powermarks/3.5; Windows 95/98/2000/NT)

Explanation: PowerMarks seems to be a benign Bookmark enhancement for most of the popular browsers - not classified as sypware or adware. Info from David Ross - thanks.

Mozilla/5.0 (compatible; IDZap)

Explanation: IDZap enhanced browser. OK its done a good job and just defeated every browser detection string - now what.

Mozilla/3.01Gold (Macintosh; I; 68K)

Explanation: Life behind a junkbuster proxy. This is MSIE 5.0 on a Windows'95 PC - pretty obvious really! String from Phil Hibbs - thanks.

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; ESB{A8417D9D-5087-4807-9D73-9E09290256CD})

String from Remco de Vijlder. Axel Kollmorgen and Eugene Sadhu suggest that it is most likely EasySearchBar (ESB - geddit). Jim Rofkar and Eugene Sadhu both add another possibility - Easy Start Bar for laptops. Thanks guys.

Page Validation Services

Page validation services are great until you try 'em with dynamically generated pages based on the browser - then you gotta know what they send.

Bobby/4.0.1 RPT-HTTPClient/0.3-3E

Explanation: A tool that checks web pages for Accessibility - Section 508 and W3C WCAC. String from Erik Bolsø

W3C_Validator/1.183 libwww-perl/5.64

Explanation: The W3C validation service string supplied when you request page validation by URI.

Jigsaw/2.2.0 W3C_CSS_Validator_JFouffa/2.0

Explanation: The W3C CSS validation service string.

Potentially Unpleasant Things

These strings or partial strings may have unknown side effects or be downright malicious depending on who is using them. You may want to know about 'em when they are visiting.

vobsub

Explanation: Contributed by Jan Praestkjaer. A CD ripping plug-in. More information may obtained here.

DigExt

Explanation: Contributed by John Bridges. 'DigExt' can appear in a MSIE browser string and is potentially pretty nasty. If you ask for content to be available off-line in certain versions of MSIE (we saw it on 5.0 and 4.x) then MSIE will grab a lot of stuff from the sites you visit and slave it in its temporary internet files. Pretty unpleasant stuff since it chews up your and the sites bandwidth. Sounds like a nice option but MS don't tell you the consequences. Now if I just knew where the option was I'd disable it but since I just upgraded to MSIE 6.0 (cos my 5.0 kept crashing after I refused an automatic update - any connection!! Oh and by the way in case you think we are prejudiced we also upgraded to NS6) I can't find any of this stuff and my browser string doesn't show 'DigExt' anymore - is this another mystery! If you are interested to get more info on the pernicious 'DigExt' John provided this link.

This may have morphed in the first string shown under the MSIE list - it contains 'MSIECrawler' - thanks to Adam Hauner.

Mystery Strings and Questions

1. Anyone recognize the CS 2000 in this string:

   Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:0.9.4.2) Gecko/20021112 CS 2000 7.0/7.0
   

   String from Willem van Nunen. Answer from Richard Aspden it is "the CompuServe 2000 application, which had Gecko built-in. AOL was going to do the same with it's own native software (AOL owning CS), but decided to use IE in the end anyway.". Many thanks.

2. Anyone recognize the ESB stuff in this string:

   Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; ESB{A8417D9D-5087-4807-9D73-9E09290256CD})
   

   String from Remco de Vijlder. Axel Kollmorgen, Eugene Sadhu and Jim Rofkar all made suggestions - we moved this one to the BHO section with the best links we can find.

3. Anyone recognize the DIL0001021 in this string:

   Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; DIL0001021)
   

   String from John Dobson.

4. Anyone recognize the H010818 in this string:

   Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+4.0;+H010818)
   

   String from Jim Rofkar. Possible Answer: From Eugene Sadhu "Interestingly this string "H010818" is found in the registry of WinME machines and may have some correlation to the WindowsUpdate App. Perhaps a browser used after visiting the WindowsUpdate site will send this string to other machines on the same session.
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\H010818" Many thanks.

5. Anyone recognize this CLSID like string in a browser:

   Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+{4E449FBB-3E07-4F3B-AF93-9F441086A756};+.NET+CLR+1.1.4322)
   Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+{8E13D179-78A2-4C06-9BFC-EA5BF2EE1750})
   

   String from Jim Rofkar - followed by the answer from Jim also. These may indicate the browser has a BHO (Browser Helper Object) software installed (perhaps unwittingly) from either LOP foistware (site link appears broken) or WurlMedia. This site seems to keep a reasonably up-to-date list of nasty things. If you think you have got some nasty stuff on your browser just type 'hijack' into a google search and follow the most promising links.

6. ...SURF...

   Anyone know what application the word SURF in a browser string comes from? String from Erik Nelson. Tyler Bannister writes" One of our students is having a problem with her browser pre-fetching every page she reads in Internet Explorer. The problem doesn't occur in Netscape, thus it seems likely that "SURF" is some type of browser help object for IE and probably malware" - thanks - anyone got more on this one?

7. Mozilla/4.01 (Compatible; Acorn Phoenix 2.08 [intermediate]; RISC OS 4.39) Acorn-HTTP/0.84

   Anyone know what the browser being used is? String from Erik ?. Answer from Jim Rofkar. An early port of Phoenix (remember the pre firebird pre firefox mozilla browser!) onto the ACORN RISC OS. For all you ACORN fans current port is called Rozilla.

8. Anyone recognize this one:

   mozilla/4.0 (compatible; msie 6.0; windows 98; ypc 3.0.2; yplus 4.4.01d)

   Anyone know what the ypc and yplus is? String from Bruce Preston.

   Answer: It's Yahoo Parental Controls which seems to be available to you if you sign-up with Yahoo. Answer from John Pye - thanks.

9. Anyone recognize this one:

   Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FREE; .NET CLR 1.1.4322)

   Anyone know what the FREE is? String from Jean Christophe Olivain. Axel Kollmorgen writes "seems to be a customized version of IE made by free.fr or a related company. all the "FREE" agents in my logs are from france and their ip's related somehow with free.fr". Thanks Axel. Confirmation from Symon Rottem who says that the isp free provides an installation CD with a customised version of MSIE. This one is now dead - maybe we should move to the MSIE strings.

10. Anyone recognize this one:

    Mozilla/4.5 RPT-HTTPClient/0.3-2

    We suspect this may be an e-mail extractor program, but we could be wrong. Anyone got a definitive answer? String from Michael Wilcox.

    Answer: It's an HTTP client library. Answer from Eugene Sadhu - thanks.

11. Anyone recognize the KTXN part of this string:

    Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; KTXN)

    Anyone got any idea? String from Chug Yang.

12. Anyone recognize this one:

    SUNPlex 4.1 (Trusted Solaris 8 Operating Environment; Solaris 8 OE; Sun Fire 15K)

    Seems to be from a SUN Secure cluster - benign application or something more sinister? String from Erik's ? logs.

    We got this in response: "SUNPlex Manager is a web-based administration tool for the SunCluster 3 clustering software. Trusted Solaris is a secured version of the Solaris operating system (I believe it at one point was rated C2 in the Orange Book but I don't know for sure what it is now). Sun Fire 15K is the Godzilla of servers, one of my favorite machines to work on, and makes one awesomungus web browser." Thanks to Joe George.

13. Anyone recognize this one:

    Mozilla/3.0 (compatible; HP Web PrintSmart 04b0 1.0.1.34)

    String from Dan Johnson's logs.

    Answer: Eugene Sadhu writes "HP Web PrintSmart software is a tool for creating custom printed documents from Web pages that you retrieve from anywhere on the Web." His view is its probably not available now (we checked and could only a historic reference n HP's pages). Thanks Eugene.

14. Anyone recognize this one:

    Mozilla/4.0 (compatible; MSIE 5.0; Win3.1; ATHMWWW1.1;)

    String from Dan Johnsons logs. MSIE 5.0 does not run on windows 3.1 so its something else. Just someone playing with browsers ids?

    Answer: This is the browser string from Excite@home's custom browser so we suspect is version 3.1 runing on a Windows platform - anyone know the base technology e.g. custom MSIE or what. Answer from Eugene Sadhu - thanks.

15. Anyone recognize this one:

    Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322)

    Answer: Neal Blomfield writes "The following user agent string listed as a mystery string on your website looks like IE6 on Win2k running both verion 1 (.NET CLR 1.0.3705) and version 1.1 (.NET CLR
    1.1.4322) of the .NET framework". Sounds plausible to us. Thanks Neal. Bobby Mcgee also provided this link http://www.httprevealer.com/usage_dotnet.htm to help identify folks using the .NET infrastructure. Thanks Bobby.

16. What does 'DigExt' mean (solved - credit to John Bridges see here).
17. Anyone recognize the browser or OS:

    'Mozilla/4.0 (compatible; ICS 1.2.105)'

    Answer: Marc Schneider suggests it's probably from Novell's Internet Caching system. We also got confirmation of this from Eugene Sadhu "It is most probably from the Compaq TaskSmart C-Series server, in fact, one that had the upgrade patch to build 1.2.105 installed (released 15 Sep 2000)" Mystery solved - thanks guys.

18. Anyone know what the 'U' is in many Linux browser strings.
    Answer: From Rickard Anglerud - thanks: It defines security level and may have one of the following values:
    • N for no security
    • U for strong security
    • I for weak security
19. Anyone recognise this baby?
    Sqworm/2.9.85-BETA (beta_release; 20011115-775; i686-pc-linux
    Submitted by: Mike van Riel
    
    Answer: From Evan Walters - thanks: Its a new crawler from Sqworm.com a search site - a most unfortunate name don't you think (maybe they thought it was funny or something).

Our Browser rants

Maybe you got here by mistake or just scrolled off the bottom, however now that we got your attention here are some of our rants:

• Browser strings II: There is no standard for browser strings. There is a passing reference and a single example in the RFC 1945 and 2096 (The HTTP specs). In the meantime chaos reigns. Folks have concerns about privacy, some about security and buggy software so the operational solution is to allow the user to set whatever string they want which defeats the whole objective. We think the W3C (or maybe IETF) should standardize. We have written to the W3C since we think its more in their domain. We don't care what the standard is - but we'd like one!

• Browser strings: We gotta support the main browsers. We use 5 tests in our Apache server to tell us what Javascript/HTML/CSS to deliver for the DOM and CSS variations. We don't plan to add a 6th test (our objective in life is not to have the longest browser detection script in the world). We check the Mozilla equivalence level, MSIE number, and now for 'Gecko'. If any browser provides this information correctly we'll generate good results and the new browser gets to piggy-back to fame and stardom .. if not well..... Terribly sorry about that - don't know what came over us!

• Unsupported Browsers: Well we finally decided to give in and we now place the following notice on our pages for folks whose browser we don't support 'If you are happy it's OK - but your browser is giving a less than optimal experience on our site. You could, at no charge, upgrade to a W3C STANDARDS COMPLIANT browser such as Mozilla'. Yes it messes up the page layout but is probably messed up anyway.

• Netscape 4.x: We regard this browser as dead. Its quirks - which were ground breaking at the time - are now just a pain. We have stopped adding new capability for this browser. We still check pages load correctly but that's it. End of an era. But the beginning of another - long live Gecko.

• W3C DOM Support: Seems to us we are making a mistake by doing all this cross-browser work. With the advent of the W3C DOM why should we site owners reward a non-compliant browser by putting effort and code into supporting something quirky. OK we have no choice with MSIE - whatever its quirks the majority of site visitors by far will be using it. And from v6 it's NOT BAD. But other browsers - we will increasing treat them as if they did not support Javascript and we are considering putting a note on the page to the effect that their browser is not W3C compliant. Comments?!

• Our Opinion - read with care. Was a time when there was only Netscape, then MSIE destroyed Netscape and took over - because it had a better browser. But today MSIE 6.0+ is a very ordinary browser - fat and feature poor. Now we have multiple very high quality Mozilla versions (Mozilla, Phoenix/Firebird, Camino, NS 7.x), the Gecko clones (K-Meleon is our current browser of choice) and now Opera 7+ which looks great (love that Aqua menu bar) is very small, has great CSS2 support and reasonable DOM support and is feature packed. Why does MSIE still have that 80+% market share? We don't understand it. End of opinion!