A geeky mystery – and what the heck is gravee?

Some of my more loyal readers may have noticed that this site has been unreachable a few times in the past week or so. Given the miserable heat of the day here in New England, it seemed like a good day to tackle a nasty, persistent technical problem. And after a bunch of poking around in my logfiles, I discovered that each crash I’d experienced lately was preceded by a bunch of requests (usually 70+ in 4-5 minutes) for very odd-looking URLs:

202.75.49.131 - - [02/Aug/2006:14:48:56 +0000] "GET /blog/?p=561%22%20gping=%22/GLinkPing.aspx?/_1_9SE/1?http://www.ethanzuckerman.com/blog/?p=561&&DI=194&IG=69fe5f250d2546e389bb5a05dbe0eb3f&POS=2&CM=WPU&CE=2&CS=AWP&SR=2&sample=0 HTTP/1.1" 200 14189 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5"

These URLs produce pages on my blog, but it’s an awfully convoluted way of loading that page. I’m wondering whether the URL is doing something else as well: copying the source of the page for use for spam farms? Passing the page as an input to another URL (encoded in the “IG=” string perhaps?) Or is this the result of a new search engine spider that’s being insufficiently considerate?

I ran nslookup on the different IPs making these requests. They’re all in Asia, mostly in Malaysia, with one or two in Hong Kong. Many are owned by the same company – some are not – but they all appear to be tech companies. If they’d all been the same company, I’d respond with an email to the firm – with origins from all over, I’m less tempted to do this.

In the meantime, I’ve blocked the offending IPs (thanks to iptables and the lovely folks at Rimu). But before I fix the problem correctly (probably blocking “GLinkPing.aspx” using mod_rewrite), I’d love to know what the heck “GLinkPing” is?

My current theory: it has something to do with Gravee.com, which advertises itself as a new type of search engine, sharing revenue with listed sites. Viewing source on their search results pages gives lots of these “GLinkPing.aspx?” strings – they appear to be triggered when someone clicks a link turned up by their search engine.

Anyone else got a theory on this? Anyone else seeing a lot of these turning up in their search logs? (Yes, obviously, I’m going to write to Gravee and see if they tell me anything… I’ll post any responses I get.)
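An added example, not part of the original post: since the requests came from many unrelated IPs, this script keys detection on the "GLinkPing.aspx" string rather than on the source address, and reports bursts like the 70+ requests in 4-5 minutes described above. The threshold, window, function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Combined Log Format: ip ident user [time] "request" status bytes ...
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d{3} ')
MARKER = "glinkping.aspx"  # the string the post proposes blocking on

def parse(line):
    """Return (ip, timestamp) if the request line contains the marker, else None."""
    m = LINE_RE.match(line)
    # Decode once so a percent-encoded spelling of the marker still matches.
    if not m or MARKER not in unquote(m["req"]).lower():
        return None
    return m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def find_bursts(lines, threshold=70, window=timedelta(minutes=5)):
    """Report each run of >= threshold marker hits inside `window`, across all IPs.
    Assumes lines are in chronological order, as in an access log."""
    recent, bursts = deque(), []
    for line in lines:
        hit = parse(line)
        if hit is None:
            continue
        ip, ts = hit
        recent.append((ts, ip))
        while ts - recent[0][0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            bursts.append({"start": recent[0][0], "end": ts, "hits": len(recent),
                           "by_ip": Counter(i for _, i in recent)})
            recent.clear()  # start counting the next burst from scratch
    return bursts

def sample_log():
    """Constructed data: 72 marker hits in under 4 minutes from 3 documentation IPs."""
    base = datetime(2006, 8, 2, 14, 45, tzinfo=timezone.utc)
    ips = ["192.0.2.10", "192.0.2.11", "198.51.100.7"]
    bad = "GET /blog/?p=561%22%20gping=%22/GLinkPing.aspx?/_1_9SE/1?x HTTP/1.1"
    fmt = '{} - - [{:%d/%b/%Y:%H:%M:%S %z}] "{}" 200 14189 "-" "Mozilla/5.0"'
    out = [fmt.format("203.0.113.5", base, "GET /blog/ HTTP/1.1")]  # normal request
    for i in range(72):
        out.append(fmt.format(ips[i % 3], base + timedelta(seconds=i * 240 // 72), bad))
    return out

if __name__ == "__main__":
    for b in find_bursts(sample_log()):
        print(b["start"], b["end"], b["hits"], dict(b["by_ip"]))
```

The per-IP counts in each reported burst show how thinly the load is spread across sources, which is why an IP blocklist alone keeps falling behind.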


4 Responses to A geeky mystery – and what the heck is gravee?

  1. Mike says:

    I get this in my log too. They are all from ev1.net or Everyone’s Internet, a large US-based hosting provider.

    I am going to be sending an email to ev1.net’s abuse email address to find out what is going on.

  2. Pingback: padawan.info

  3. James McFarland says:

    Ethan,
    Due to the way our URLs are formatted, these hits actually cause errors on my site.

    You are one of the few posts about this; some others refer to msn.com search results, and I am speculating now that it has to do with the way sponsored links are rendered on msn partner sites.

    THANKS for your post.

    -james
