spoofy weirdness

found in referrer logs: wizard.yellowbrick.oz
spoofed, of course. but why?

google led me to confessions of a g33k, which in turn led me to google groups, in which this URL is used in a Perl script intended to “automate an HTML form submission” (in which case this would most likely be an unsuccessful test run, since no form submissions accompanied these visits).

so far i have these two IPs, DNS traces to arrival.net (bakersfield)?:

66.17.15.132 (dns is 132.15.17.66.in-addr.arpa domain name pointer 66-17-15-132.biz.bkfd.arrival.net.)
66.17.15.164 (dns is 164.15.17.66.in-addr.arpa domain name pointer 66-17-15-164.biz.bkfd.arrival.net.)

ARIN returns this, consistent with the above:
Arrival Communication, USA ARRIVAL-COM (NET-66-17-0-0-1)
66.17.0.0 – 66.17.63.255
Lightspeed Technologies ARRV-66-17-15-128 (NET-66-17-15-128-1)
66.17.15.128 – 66.17.15.191

i will now pause to contemplate my navel referrer logs for further spoofage and ponder the meaning of this, life, the universe, and everything.

4 thoughts on “spoofy weirdness

  1. i found some suspicious things in my logs. i found some other places who found the same things. i did a little research and put this out here, mostly for future google reference. google’s not just a toy, you know.

  2. Well, about this wizard.yellowbrick.oz , I’ve got his visit on my blog as well… I just blocked the IP.. I also am talking to the g33k.. have u found any other interesting info about this issue??

Leave a Reply

Your email address will not be published. Required fields are marked *