Chris Gulker: 'Were shadowy figures in a spooky government facility perusing my weblog?'
The view from Silicon Valley
The FBI came "knocking" the other day here at gulker.com. They wanted me to know that my weblog, an expression of free speech protected by the US Constitution's First Amendment, was now included on their "suspects" watch list.
Or at least that's what I initially made of a reference in my web server's access log. If you didn't already know, web servers – the 21st-century's version of Gutenberg's press – also record details about everybody who visits. And a weblog, also for those who don't know, is a personal online diary of things of interest, presented in reverse chronological order. Mine is served by an ageing Macintosh running Apache, the (free) open source web server software. Apache records, among other things, the IP address of every web visitor, as well as something called the "referrer".
The referrer is a line that, in theory, tells me who sent the visitor my way. For example, if you clicked a link on The Independent's digital web page that sent you to www.gulker.com, the access log would record a line that would include the following: 209.220.11.66 "GET index.html"; "http://www.independent.co.uk/digital". Translated, this means someone whose computer was using the IP address 209.220.11.66 accessed the home page ("index.html"), which they got to by clicking a referring link on The Independent's digital page. So imagine my surprise when these referrer lines appeared: http://homeland.fbi.gov/Watchlists/suspect/view.jsp?record=895754; http://homeland.fbi.gov/Watchlists/suspect/view.jsp?record=948082.
FBI? Watchlists? Suspect? Uh, oh Houston, I think we may have a problem here...
A nerdy Sherlock would infer from these lines that two pages of my website had been recorded in a database maintained on a server named "homeland" belonging to the FBI. Were shadowy figures lurking in a spooky government facility perusing my "suspect" web pages?
But things aren't always what they seem to be. The pages that homeland.fbi.gov had supposedly viewed were rather dry, technical treatises, not some of my more outspoken rants expressing deep reservations about my nation's current foray into Iraq. Curious, I thought.
A quick check of the world's Domain Name Server records showed no entry for "homeland.fbi.gov". However, a Google search revealed some 200 pages containing "homeland.fbi.gov". Diving into those pages, it was apparent that dozens of weblogs had seen the same thing. Brent Simmons, a Seattle-based programmer, had seen them on his utterly apolitical weblog. Brent's weblog allows visitors to leave comments: many of those comments, left by other programmers, proclaimed the whole affair a hoax. Computer scientists offered the same opinion on an e-mail list where my experience was posted.
It turns out that it's easy to spoof the referrer line: a programmer with only modest skills could write a short program (a "script") that would cause the entries seen at gulker.com and elsewhere. So, hoaxed again... but it then occurred to me that the hoaxer had chosen a very unusual medium through which to perpetrate this mischief. A web server's access log is hardly e-mail or a web page.
But the hoaxer succeeded, knowing that I, like other webloggers, periodically scan these logs to see who's been visiting. Many have even observed "referrer spam" in which a site records a sudden surge of hits. When the curious victim clicks the referring link they get a page advertising the usual spammer dross. Indeed, one Canadian firm touts such referrer-advertising services, but they may be ruing the day. Turns out a miffed programmer wrote and posted a script that proved popular: when the firm's software visits a weblog and leaves a referrer link back to a spam site, the script sends the spam site a referrer link of its own, replete with a 90-word, highly unpublishable admonition that could have come from GoodFellas. Yes, it does include "and die".
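The check described above (pull the referrer out of each access-log line, then ask whether its host even has a DNS record) can be automated. The following is an added example, not code from the column or from Apache: it assumes Apache's "combined" log format, the log lines are constructed apart from the IP address and referrer URLs quoted in the article, and `stub_resolver` is a hypothetical stand-in for a DNS lookup so the script runs offline.

```python
import re
import socket
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample log. Timestamps, paths, sizes and the 203.0.113.x / 198.51.100.x
# addresses are invented; the first IP and the referrer URLs are those quoted in the article.
SAMPLE_LOG = """\
209.220.11.66 - - [10/Apr/2003:09:14:02 -0800] "GET /index.html HTTP/1.0" 200 5120 "http://www.independent.co.uk/digital" "Mozilla/4.0"
203.0.113.9 - - [10/Apr/2003:09:15:40 -0800] "GET /tech/a.html HTTP/1.0" 200 2048 "http://homeland.fbi.gov/Watchlists/suspect/view.jsp?record=895754" "-"
203.0.113.9 - - [10/Apr/2003:09:15:41 -0800] "GET /tech/b.html HTTP/1.0" 200 2301 "http://homeland.fbi.gov/Watchlists/suspect/view.jsp?record=948082" "-"
198.51.100.23 - - [10/Apr/2003:09:20:11 -0800] "GET /index.html HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
"""

def referrer_hosts(log_text):
    """Yield (client_ip, referrer_host) for every line that carries a referrer."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["referer"] in ("", "-"):
            continue  # unparseable line, or the visitor sent no referrer
        host = urlsplit(m["referer"]).hostname
        if host:
            yield m["ip"], host

def audit_referrers(log_text, resolves):
    """Count hits per referrer host and record whether resolves(host) finds it in DNS."""
    hits = Counter(host for _, host in referrer_hosts(log_text))
    return {host: {"hits": n, "resolves": resolves(host)} for host, n in hits.items()}

def dns_resolves(host):
    """Live lookup for real use; a failed lookup means the name has no address record."""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False

def stub_resolver(host):
    """Offline stand-in (assumption): only the newspaper's host is treated as resolvable."""
    return host in {"www.independent.co.uk"}

if __name__ == "__main__":
    for host, info in audit_referrers(SAMPLE_LOG, stub_resolver).items():
        print(host, info)
```

A referrer whose host does resolve is still client-supplied and unverified; this check only surfaces names that have no DNS record, and the hit counts help spot the sudden surges typical of referrer spam.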