XF 1.5 'Change the default user agent on outgoing HTTP requests to indicate XenForo' email

[Stuart Wright]

Got this email today

Hello Stuart
We've seen 3 odd requests to our website www.ceoemail.com today, like this:

185.65.40.181 - - [12/Jan/2017:14:18:39 +0000] "GET /s.php?id=ceo-9195 HTTP/1.0" 403 9 "-" "XenForo/1.5 (https://www.avforums.com)"
185.65.40.186 - - [12/Jan/2017:14:30:23 +0000] "GET /s.php?id=ceo-9195 HTTP/1.0" 403 9 "-" "XenForo/1.5 (https://www.avforums.com)"
185.65.40.181 - - [12/Jan/2017:14:33:39 +0000] "GET /s.php?id=ceo-9195 HTTP/1.0" 403 9 "-" "XenForo/1.5 (https://www.avforums.com)"

It seems that this is new behaviour, according to this posting:
<pirate site snipped>

Here's the specific change description:

"Change the default user agent on outgoing HTTP requests to indicate XenForo and the triggering installation URL."

We checked with XenForo and they said that this behaviour doesn't come from their own software but from an unlicensed pirated version.
Are you running a pirated version of the XenForo forum software?
Look forward to hearing from you.

best wishes
Marcus Williamson
Editor www.ceoemail.com

Of course, we're not running pirated software.
Any idea what this is all about? I'm clueless.

 

[Paul B]

The reference to a pirated version was caused by some confusion in the initial report to us, which linked to and referenced a site which illegally makes pirated versions of XF available for download.

It's not clear why your site is making GET requests to the site in question - www.ceoemail.com - unless it's to do with link title conversion?

 

[Stuart Wright]

We have no recent posts to the website. One old one. If someone clicked the old one, would the link proxy system do a GET?

 

[Mike]

No. The only built in thing would be link title conversion or the image proxy systems. Bear in mind that this could happen via conversations or even just a message preview (without the message being submitted).