Thursday, June 12, 2008

notify-None_Compliance_Page

On one of my web sites I've noticed an attempt to access any one of the following 3 pages:

verify-None_Compliance_Page

notify-None_Compliance_Page

accepted-None_Compliance_Page

The pages are frequently followed by a long hash key sequence. Often the referring URL is a search from Google.

I've noticed this every now and then (about every two to six months) and Google has always been involved. A search of the web shows that others have seen this but with referring URLs being from Live search as well. Most commentators think that it's a random attack bot. I don't think that it follows that pattern but I'm not discounting this theory.

Today I came up with a new theory based on the pattern I saw. This was someone clicking on the AdSense link on one of the pages and reporting it to Google for "non compliance." So I was wondering if Google now has an automated way of telling web masters that someone has reported one of their pages for non-compliance. This would make sense so that web masters could check their pages to make sure that they are compliant with AdSense.

I haven't been able to find any further info on this theory yet though...

9 comments:

  1. I don't think that's a correct theory, because I don't have AdSense on my website and I get the "notify-None_Compliance_Page" in my failed referrer log. I'm curious as to its cause as well. Considering that it's "None" and not "non" it sounds like bad spam or hackers to me.

  2. @Jennifer - thanks for your comment. Subsequent pondering over this leads me to think that you're correct and in fact my theory is no good. I agree with you that it's a hacker bot.

  3. I came across this page when researching this same problem.
    If you have the ability to do this, I was wondering if you could dig deeper in your stats and see if the IP address that is accessing the notify-None_Compliance_Page page is a military IP address.
    I don't know if this is a coincidence or not, but in my stats the user that accessed that page was using the below IP address and host.
    proxy02.kcab.centaf.af.mil (153.25.52.61)
    If you see the same pattern, it could be that a visitor was in the military and our websites weren't on their proxy/server's "white list".
    Just a guess.

  4. I had a visitor this morning who registered this information:
    proxy01.maab.centaf.af.mil (Uscentaf/scm)
    North Carolina, Edenton, United States
    153.29.60.60

  5. Interesting - I just had the same thing with this IP as well.
    Montgomery, Alabama
    proxy01.asab.centaf.af.mil
    IP Address 153.25.111.60

  6. The referrer in each of the attempts to hit these pages on my servers is actually from MSN or Live. That said, it's probably a crappy content filter at the Air Force. Some sort of NetNanny type thing that requires some form of authentication for new sites/pages.

  7. I got one also from Montgomery, AL
    as follows:
    754th Electronic Systems Group (153.29.176.60)
    Montgomery, Alabama, United States
    They first came to my site un-referred and then they came from the "notify_None_Compliance" URL with the hash... hmm.
    I have seen this before on some of my other web sites as well but I don't remember if they were from AL as well.
    Looks like a hacker thing

  8. ah, seems like I am not the only one... came googling here after those weird referrers showed up in my log.
    And in times like these you tend to go full alert when some Big Brother army dudes from the "754th Electronic Systems Group" are seemingly messing with your server...
    Anyways - they were looking at a review page for sleepphones - so maybe these guys just have an insomnia problem, *lol*

  9. "echo -n longhashkeysequence | base64 -d" just shows the full URL (http://domain/page.html) of the page they tried to access.

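Added example, not part of the original post or its comments: a log triage script that finds requests for the three page names listed in the post and applies the base64 decoding from comment 9 to the trailing token. The combined log format, the separator before the token, and the sample lines (documentation IPs, example.com) are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Page names reported in the post. The separator before the token is not
# stated on the page, so any run of non-alphanumerics is skipped (assumption).
PAGE_RE = re.compile(
    r"(?P<page>(?:verify|notify|accepted)-None_Compliance_Page)"
    r"[^A-Za-z0-9]*(?P<token>[A-Za-z0-9+/_=-]{8,})"
)
# Apache/nginx "combined" log format (assumption about the log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referrer>[^"]*)"'
)

def decode_token(token):
    """Return the URL hidden in a base64 token, or None if it is not one."""
    raw = token.rstrip("=").replace("-", "+").replace("_", "/")
    raw += "=" * (-len(raw) % 4)  # restore padding a proxy or browser may strip
    try:
        text = base64.b64decode(raw, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.startswith(("http://", "https://")) else None

def triage(lines):
    """Return one record per request that hits a *-None_Compliance_Page path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        hit = PAGE_RE.search(m["path"]) if m else None
        if hit:
            hits.append({"ip": m["ip"], "status": m["status"], "page": hit["page"],
                         "referrer": m["referrer"],
                         "decoded_url": decode_token(hit["token"])})
    return hits

# Constructed sample data: documentation IPs and example.com, not real traffic.
SAMPLE_TOKEN = base64.b64encode(b"http://example.com/page.html").decode()
SAMPLE_LOG = [
    f'192.0.2.10 - - [12/Jun/2008:09:15:02 +0000] "GET /notify-None_Compliance_Page/{SAMPLE_TOKEN} HTTP/1.1" 404 512 "http://www.google.com/search?q=example" "Mozilla/4.0"',
    '192.0.2.11 - - [12/Jun/2008:09:16:40 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0"',
    '192.0.2.12 - - [12/Jun/2008:09:17:05 +0000] "GET /verify-None_Compliance_Page?notbase64!!token HTTP/1.1" 404 512 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for record in triage(SAMPLE_LOG):
        print(record)
```

A `decoded_url` of `None` means the token did not decode to an http(s) URL, so that request does not match the pattern comment 9 describes and deserves a separate look.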