Time to submit some more strange emails I’ve received recently. Here’s one I suspect may be someone who spots that curl is being abused against some host. I really wouldn’t even know how to begin to answer this…
Someone is using your code to continually hack small businesses I work
with. How on earth do I stop them?!
(This is an authentic email we received at Haxx the other day. Names, emails and URLs are replaced in this excerpt to save the innocent)
Date: Thu, 29 Nov 2012 14:59:25
hello, can you tell me how to hack into web site:
so it is showing:
when you click on a link in google results?
for example if you click on a google result:
[URL to a google.rs search for something on the FIRST URL site]
the point is i would like to protect my web site form that kind of attack so please let me know how to do that
how did i found you? there is your address at [FIRST URL]/coockies.txt so i think you did it, but was polite enough to leave address.. please help me.
Of course I was curious enough to check the “coockies.txt” file, and the beginning of that file looked like this:
# Netscape HTTP Cookie File
# This file was generated by libcurl! Edit at your own risk.
[FIRST URL] FALSE / FALSE 0 PHPSESSID dfn1a5ll0hs8odpfh3p2qtlcj3
This tells us a few trivial things, all of which might not be obvious to the untrained eye:
- The file was generated by libcurl that was 7.16.0 or later, but no later than 7.18.3 as we only used the URL in that file between those releases.
- The spelling of that cookie file is so hilarious we can guess it wasn’t a native English speaker who named it. The subject of the email is similarly bad so perhaps it was a fellow countryman of Serbia? (the TLD of the google URL was .rs after all)
- The person doing this didn’t even try to clean up the remaining junk file(s) afterwards
- The guy sending me the email is completely in the dark about what has happened, or even who he’s contacting or what my relation to all this is.
- The world can be a harsh and cruel place and it isn’t easy to know your way around all of it…
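The same reading of that file from a defender's side, as an added example (not code from the original post): a small Python parser for the Netscape cookie-file format that recognises the libcurl banner, plus a scan for such leftover jars under a web root. The function names, the sample hostname and the cookie value are made up for this illustration.

```python
import os
LIBCURL_BANNER = "# This file was generated by libcurl! Edit at your own risk."

def parse_cookie_jar(text):
    """Return (written_by_libcurl, cookies) for Netscape cookie-file text."""
    by_libcurl, cookies = False, []
    for line in text.splitlines():
        line = line.strip()
        if line == LIBCURL_BANNER:
            by_libcurl = True
        http_only = line.startswith("#HttpOnly_")  # curl's marker for HttpOnly cookies
        if http_only:
            line = line[len("#HttpOnly_"):]
        elif not line or line.startswith("#"):
            continue  # blank line or ordinary comment
        # Real jars are tab-separated; tolerate copies where tabs became spaces.
        parts = line.split("\t") if "\t" in line else line.split(None, 6)
        if len(parts) == 6:
            parts.append("")  # cookie with an empty value
        if len(parts) != 7 or not parts[4].isdigit():
            continue  # not a cookie record
        domain, subdomains, path, secure, expires, name, value = parts
        cookies.append({
            "domain": domain, "path": path, "name": name, "value": value,
            "include_subdomains": subdomains == "TRUE", "secure": secure == "TRUE",
            "http_only": http_only, "session": int(expires) == 0,  # 0 = session cookie
        })
    return by_libcurl, cookies

def find_cookie_jars(webroot):
    """List (path, cookie names) for files under webroot carrying the libcurl banner."""
    hits = []
    for folder, _dirs, files in os.walk(webroot):
        for fname in files:
            path = os.path.join(folder, fname)
            try:
                with open(path, "r", errors="replace") as fh:
                    head = fh.read(4096)  # the banner sits at the top of the file
            except OSError:
                continue  # unreadable file, skip it
            by_libcurl, cookies = parse_cookie_jar(head)
            if by_libcurl:
                hits.append((path, [c["name"] for c in cookies]))
    return hits

# Constructed sample in the shape of the file quoted above (hostname and value are made up).
SAMPLE = ("# Netscape HTTP Cookie File\n" + LIBCURL_BANNER + "\n\n"
          "shop.example.test\tFALSE\t/\tFALSE\t0\tPHPSESSID\tconstructedvalue\n")
```

A hit from `find_cookie_jars` inside a served directory means some script on that host ran libcurl with a cookie jar there, and any session values in the file are readable by anyone who requests it.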
Today I learned that Need for Speed World (I first had to google what “NFS-world” actually means) uses curl when I received this email:
I can not go into the game for 4 months my nickname “[removed]”. it writes the error “Login failed, please try again.” Please solve this problem. Support Group does not help.
But no, I don’t know why this guy emailed me…
I then went on to look for other Electronic Arts games using libcurl, and I fell over these forum posts that clearly indicate Game Face uses it, but I found no credits or other information page online.
Can you find any other?
How to figure out if a program uses curl? I get mails from users of it since the curl license is included somewhere and it includes my email address and very often that is the only address available…
To: Daniel Stenberg <daniel@haxx...>
Subject: Rosetta Stone Question
I am trying to install Rosetta Stone on my Mac but I am having
trouble. The ReadMe says to contact the author, and this email
was in the license info. Am I to understand that you are
I don’t know exactly what Rosetta Stone is, but I guess it is the language learning software at www.rosettastone.com
In my mini-series of strange mails I receive, here’s another one:
Subject: Product Request
I am interested in purchasing some of your products, I will like to know
if youcan ship directly to SPAIN , I also want you to know my mode of
payment for this order is via Credit Card. Get back to me if you can ship
to that destination and also if you accept the payment type I indicated.
Kindly return this email with your price list of your products..
I assume I’ll never figure out what products he speaks of, or how on earth he ended up sending me this… I’ll admit I was tempted to make up some “interesting” products to offer.
Update: I was informed that this is probably “just” another online fraud attempt. How boring.
I’m going about my merry life and I use google every day.
Today Google decided I’m in China and redirects me to google.com.hk and it shows me all text in Chinese. It’s just more proof of how silly it is to try to use the IP address to figure out location (or even worse, to try to guess language based on IP address).
I haven’t changed anything locally, but it seems Google has updated (broken) their database somehow.
Just to be perfectly sure my browser isn’t playing any tricks behind my back, I snooped up the headers sent in the HTTP request and there’s nothing notable:
GET /complete/search?output=firefox&client=firefox&hl=en-US&q=rockbox HTTP/1.1
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:126.96.36.199) Gecko/20101209 Fedora/3.6.13-1.fc13 Firefox/3.6.13
Cookie: PREF=ID=dc410 [truncated]
Luckily, I know about the URL “google.com/ncr” (No Country Redirect) so I can still use it, but not through my browser’s search box…
This is a full quote from a genuine email I received just moments ago:
What URL do I put in to get free apps ?plese tell me
Sent from my iPhone
I have no words to describe it further.
Okay, it has been known for a while, but I just recently found out so I figure I should help shine a light on a recent hilarious article published in the Red Hat Magazine: It is never correct to abbreviate “Red Hat Enterprise Linux” as “RHEL”. (That’s actually not the correct title of the article, but the correct title is so ridiculously long I won’t paste it here since it’d take everyone’s breath away.)
According to this article, RHEL is “never correct” as an abbreviation for Red Hat Enterprise Linux – even though Google finds almost 2 million pages mentioning it, and the top search result it shows links to www.redhat.com/rhel/. Limiting the search to within redhat.com gives more than 52,000 hits.
Some people complicate matters more than others…