
I Found A User Agent — Bot or Not?

As opposed to "believe it or not", it is "bot or not".

Here We Go

Manual optical character recognition (OCR) by reading, selecting, copying, and pasting it:

Mozilla/5.0 (Windows; U; Windows 98) AppleWebKit/535.36.7 (KHTML, like Gecko) Version/4.0.4 Safari/535.36.7

Oh by thunder, Windows 98 AND AppleWebKit/535.36.7? That is like spotting a horse-drawn carriage with a Toyota badge. I mean, if that's a Toyota, then why the horse? A one-horse-power Toyota carriage?


Let Us Properly Dissect the User Agent String

  • Mozilla/5.0 Historical compatibility token. Means absolutely nothing now. Every browser and their nan has been sending this since the 90s browser wars. Pure legacy noise.
  • (Windows; U; Windows 98)
    • Windows All right.
    • U Strong encryption badge (U) from a dead regulatory era. Utterly pointless in 2024 onward. The list — also on WhatIsMyBrowser's Note:
      • U (USA): strong encryption (unrestricted).
      • I (International): weak encryption (international, restricted).
      • N (No... encryption): no encryption.
    • Windows 98 Released 1998. The star of the theatre.
  • AppleWebKit/535.36.7 And HERE is where it falls apart spectacularly. WebKit 535.36 is from roughly 2012. Windows 98 received its last security patch in 2006 and couldn't run any software from 2012 even if you begged it. A 2012 engine on a 1998 OS is physically, categorically impossible.
  • (KHTML, like Gecko) Well, no contradiction, just standard boilerplate.
  • Version/4.0.4 Safari/535.36.7 Claims to be Safari 4 — which was 2009 — yet the WebKit version is 2012. Safari 4 never ran on WebKit 535. Ever. Those two never met in the wild. Not once.

So in summary: this single string simultaneously claims to be from 1998, 2006, 2009, and 2012. It's less a user agent and more a time-travelling ghost wearing four costumes at once.

It's as if we named ourselves Kublai Khan Louis XIV Roderick Stewart Lady Gaga Jumping Mackerel. It would be too much to process. I mean, there's a mackerel there. They aren't familiar with the microphone or... the concept of throne.


Conclusion

Definitely a bot.

🤖 (Beep beep.)

"Evening guv'nor, I'm definitely a legitimate browser, me!"

Aye, sure. (Sips tea.)


Bot

A bot is an automated process that navigates and interacts with nodes on the web. Not a living being, specifically a human, using a browser to manually access a website.

The age of automation is comical.

Specifically this type of web-software automation.

Most sites now assume any visitor is a bot by default. It's easier.

Oh your internet protocol address good sir, it's rubbish. How do we know? We know. Would you mind completing this easy quiz? Simply solve this picture puzzle and the exciting algebra. Oh yes, two stages. Good sir. We believe our developers have already tested it. How do we believe it? We pay them salary and we have two fine chambres de torture.

Imagine placing a broken or half-arsed-configured Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) in front of a visitor? That is utterly hilarious. Oh, but those two fine chambres de torture obliterate our imagination. Not just a torture chamber — FINE torture chambers, TWO, possibly with pleasant décor. Trip Advisor would give them four stars.

⬆️ "Turing" is taken from Alan Mathison Turing. The brilliant mathematician from Maida Vale, London. Tragically treated though, classic. Even his middle name is "Mathison"! Math-is-on! Would you look at that? You see how mathematics had already been embroidered onto him since birth? The "math" part. Is on, ladies and gentlemen.

The specific concept, CAPTCHA, is drawn from Turing's 1950 paper Computing Machinery and Intelligence — where he proposed what he called the Imitation Game — which the world later nicknamed the Turing Test. That phrase in CAPTCHA, "Turing test".

Though it would be more complete and sound a bit mystical, it wasn't publicised as CAPTTTTCAHA. Right? 3 A's, 4 T's ➡️ Completely Automated Public Turing test to tell Computers and Humans Apart.

CAPTTTTCAHA does sound like an ancient Sumerian incantation or a spell from a particularly dodgy mediaeval grimoire.

🧙‍♂️ Speak the words! CAPTTTTCAHA!

(Visitor.) Come again?

🧙‍♂️ Farewell, bot.

(Visitor.) Hey hey. Oh, blimey. Now I need to find another resource on how to boil an egg properly. That bearded melon.

In their boardroom:

(CEO.) (Looking at visit statistics.) 👀 Why no... VISIT?

🧙‍♂️ Speak the words! CAPTTTTCAHA!

(CEO.) 👀 Who are you?

🧙‍♂️ Farewell, bot!

(CEO.) (Looking at everyone else.) 👀 Who's that guy?

(Bob.) Oh, it's possibly AI generated.

(CEO.) 👀 But... AI is the way!

(Karen.) Yes. And that's the way.


You see, "Turing", torturing? Oh by golly, the cosmos and its jest. Let's roll with it:

Completely Automated Public Torturing test to tell Computers and Humans Apart

Ah, I feel complete momentarily. HANG ON, that "completely" part. Fascinating.


CAPTCHA in Military

Imagine if CAPTCHA were employed in a closed military network?

(2 Lt Gerald.) Oi mate, the radar data... why do I need to... what does that say? (Squints.) This is madness. Who gave the green light for the update? AI?

(2 Lt Thomson.) 🤔 Maybe.

🧙‍♂️ Speak the words!

(2 Lt Gerald.) Aha!

(2 Lt Thomson.) Anyway mate, that's a picture puzzle. We need to select the proper one? Maybe?

(2 Lt Gerald.) So what to choose then?

(2 Lt Thomson.) It says "Select all... squirrels with... braffix...", maybe? Where's the squirrel?

(2 Lt Gerald.) You see? I can't read that too! Wait, squirrels, squares. It has squares, what do you think? But... braffix? Breastplate? That's a "b" and that's an "x" for certain! Right?

(Maj Cuthbert.) Aye, pick any picture, soldier.

Major Cuthbert

(2 Lt Gerald & 2 Lt Thomson.) 👀👀 Sir!

🧙‍♂️ Farewell, bot!


Others

Welcome to my gallery. This consists of... things. I observed my statistics externally; the data was taken from the generous Cloudflare GraphQL Analytics API. Then I constructed the filtering and the rendering for my own amusement. This was taken from a twenty-four-hour timespan. Behold, the wondrous wilderness.

  1. This trashes the Windows 98-user-agent lad. 🤔 But perhaps it came from the same lad, using a different approach. Well, this approach trashes the prior one.

    Windows 95 with Opera and locale user agent

    ⬆️ Windows 95! With Opera 9! With "Version/11.00"! Which one then? Do I need to speak Xhosa? Hm, Zuid-Afrika locale is being used as camouflage here, including the IP I presume. Indeed, it's Dutch, "Zuid" and "Afrika". In English, it's "South Africa". The actual Africans call that region, well, plenty... other than that. Like us, calling one particular Tesco's address, plenty. It depends. And he put the xh-ZA code in the user agent string instead of using the Accept-Language HTTP request header. Indeed, most likely a "he", these shenanigans. More than ninety-three per cent, give or take. The Y chromosome does the heavy lifting. Though "shenanigans" starts with a "she", that's a bloody disguise. Again.

    ⬆️ About the 4 MB RAM in a Windows 95-powered machine. It could load Opera 9 OR 11. That is indeed impressive.

    Hm, 9 or 11 ➡️ 9|11, that sounds like something else from 2001. 🤔

  2. At least this other lad was being honest, or lazy, thus accidentally being honest. We've just entered the philosophy of... things.

    Go-http-client user agent

    ⬆️ Profoundly proclaiming itself as an automated process. That is quite virtuous. Because of being lazy.

    Similar to this:

    python-httpx user agent
  3. This user agent below smashes Go-http-client and python-httpx user agents. At least those put the versions. Take a glance:

    Chrome-only user agent

    ⬆️ Just Chrome. We've achieved a new tier of couldn't-be-bothered that I didn't think was technically possible.

  4. And this user agent had me in stitches.

    pc user agent

    ⬆️ pc user agent. By eternal sausage, that is... quite literal. Oh, I'm coming from a PC, thus my user agent should be pc. That will show how dignified I am! HAHA. Yes. pc! 🥳

    Akin to this one below. But now it is capitalised.

    Dignity is grandly reaffirmed! UA! 🎉

    UA user agent
  5. This rogue diversed-primates convention. Batters EVERYONE. I cannot.

    Empty user agent

    ⬆️ That is halfway, innit? Oh, let's empty the user agent. And then what? That's it. That is the WAY! The way... of getting caught? Interesting approach.

    You know, it's like in those bank heist or convenience store hold-up films, they... wore proper masks and such to be unidentified by everyone. Most of the time. But this, they went au naturel. I cannot.

    Somewhere:

    Fellow primates. This year's strategy — send nothing. Say nothing. Be nothing. Questions? Good. Refreshments are in the chambre de torture B.

  6. Oh, this peculiarity.

    ⬆️ On OpenBSD. Right. 🤔 Perhaps a security researcher or a paranoid sysadmin. But... i386? AND THAT Chrome 36!

    It's got all the hallmarks of someone who:

    • Googled "how to spoof user agent".
    • Understood approximately none of what they read.
    • Just grabbed impressive-sounding words and mashed them in.

    Because Chrome's Linux builds were for Linux, not OpenBSD. Chrome was never officially built for OpenBSD. You'd have to go through some serious gymnastics — ports, compatibility layers, probably a blood sacrifice or two — to get Chrome running on OpenBSD at all, let alone version 36 specifically.

    So that Chrome 36 on OpenBSD i386 in 2026 ➡️ either he compiled it himself from source like an absolute maniac in 2014 and never updated once, or just grabbed words from a Wikipedia article and called it a day.

    That user agent wanted to look mysterious and technical and instead walked in wearing a Halloween costume with the price tag still on. Upside down. Inside out.

    Well, it's fine.

Abducting Electrons

Imagine if we could hold the bot hostage, that would be amusing. Because we cannot hold electricity hostage at the moment. Well, I'm leaving the door open for future electricity hostage technology. I will certainly consult Mister Tesla's ghost for that. His legacy to wipe Edison's smirk carries on. And to commemorate Topsy, the elephant.

Currently, it's just electrons dutifully shuffling along copper and fibre, completely indifferent to whether they're being tarpitted, labyrinthined, or sent to the chambres de torture. Essentially, their timeout setup: More than 10 seconds. Bye. — Hey wait! — Well? — Right.

(Imagined successful electrons abduction scenario.) Why does my beloved cheaply-rented VPS now cost me ten-thousand times more?

⬆️ Indeed, why.

Abducting electrons sounds like 🤔 seizing water molecules. It's not impossible, but! Cheers, here's another one. Analogous to arresting individual raindrops to stop the rain. Then... we loop back to the traditional method. Instead of that uncharted quantum approach, pull the plug. 🔌

And that's the end of this gallery.
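The dissection at the top of the post and the gallery specimens can be turned into a small log filter. The following is an added example, not code from this blog or from Cloudflare: the function name and lookup tables are assumptions, the year tables contain only the figures stated in this post, and every sample string except the Windows 98 one is constructed.

```python
import re

# Year tables hold only the figures this post states; extend them for real use.
OS_LAST_PATCH = {"Windows 98": 2006}   # OS token -> year of last security patch
WEBKIT_YEAR = {535: 2012}              # AppleWebKit major -> approx. release year
SAFARI_YEAR = {4: 2009}                # Safari "Version/" major -> release year
HTTP_LIBRARIES = ("Go-http-client", "python-httpx")

def bot_signals(ua):
    """Return the reasons a User-Agent value looks automated ([] = none found)."""
    ua = (ua or "").strip()
    if not ua:
        return ["empty user agent"]
    if ua.startswith(HTTP_LIBRARIES):
        return ["self-declared HTTP library"]
    if "/" not in ua and "(" not in ua:
        return ["bare token without product/version structure"]
    reasons = []
    webkit = re.search(r"AppleWebKit/(\d+)", ua)
    engine_year = WEBKIT_YEAR.get(int(webkit.group(1))) if webkit else None
    if engine_year is None:
        return reasons  # engine not in the tables, nothing to compare against
    for os_token, last_patch in OS_LAST_PATCH.items():
        if os_token in ua and engine_year > last_patch:
            reasons.append(f"{engine_year} engine on {os_token} (last patched {last_patch})")
    version = re.search(r"Version/(\d+)[\d.]* Safari/", ua)
    browser_year = SAFARI_YEAR.get(int(version.group(1))) if version else None
    if browser_year and browser_year != engine_year:
        reasons.append(f"Safari {version.group(1)} ({browser_year}) on a {engine_year} engine")
    return reasons

# Constructed sample values; only the first string is quoted from the post.
SAMPLES = [
    "Mozilla/5.0 (Windows; U; Windows 98) AppleWebKit/535.36.7 (KHTML, like Gecko) "
    "Version/4.0.4 Safari/535.36.7",
    "Go-http-client/1.1",
    "python-httpx/0.27.0",
    "Chrome", "pc", "UA", "",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", bot_signals(sample))
```

An empty result only means none of these checks fired: a bot that copies a current, self-consistent browser string passes, so this works as one signal alongside ASN and request-rate data rather than as a verdict.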


Note

Right so, the whole trajectory in a nutshell:

What started as lone script kiddies running cobbled-together scrapers with delusions of overnight riches gradually proved itself a genuinely scalable, monetisable operation, and the corporates took notice.

They swooped in, professionalised the chaos, hired people to tidy up the old scripts — with the exception of those comical user agents, and crucially, started throwing seriously expensive cloud infrastructure at it. I've collected specimens from Azure, AWS, Chinese telecom providers, Hong Kong, and plenty of others. Started from HTTP traffic. Oh, why suddenly traffic spike from Canada? I didn't write anything that might interest Canadians here. And from there, comparing to DNS requests, made a cup of coffee. That coffee now is... done for. ⬇️

Azure and AWS don't come cheap, and Chinese telecom cloud at scale even less so. That level of spend doesn't come out of some bloke's personal debit card. That's a budget, a boardroom decision. Which leads rather cleanly to the conclusion that what I'm seeing hammering my server isn't bedroom shenanigans anymore — it's a corporate operation, sanitised and invoiced, repackaging what is essentially digital trespassing into a respectable-sounding B2B data intelligence product.

And somewhere a VC might have even funded it.

Anyway, for all their clever country-hopping across, say, Azure regions, thinking a different geographic label would throw anyone off the scent, they rather forgot that the ASN doesn't lie — MICROSOFT-ASN is MICROSOFT-ASN whether it's waving at me from Singapore, Brazil, Poland, or the Tesco. Tesco is now officially a nation.

The most devastating cyberattack in history requires no malicious code — just a bloke in Shenzhen quietly declining to ship the next batch of racks, leaving the AWS empire as nothing more than an enormously expensive shed full of burnt-out silicon and wounded pride.


Goodbye

Right then, this concludes the post. See you later. Thanks for visiting. 👋
