Solved

Mysterious message: "The Giraffe Dropcatcher System" appearing on webservers

Posted on 2006-07-04
Last Modified: 2008-01-09
Today I was trying to get to a website but mistyped the domain name to end in ".coj". I got a page with plain text on it reading "The Giraffe Dropcatcher System". There is no country with the extension ".coj"! What is returning this message? I remoted into my work machine and got the same message so it's obviously not tied to my ISP. It happens with any domain ending in ".coj"

Googling "The Giraffe Dropcatcher System" brings up an LJ entry by a bloke with a similar discovery, but with the domain extension ".cmo", which again doesn't exist. Peculiar. Any ideas?
Question by:rgford
25 Comments
 
LVL 31

Assisted Solution

by:rid
rid earned 75 total points
Look in the address field of your browser - what does it say?

My guess is that this is locally generated. Most browsers have some kind of way to notify you of misspelled URLs, perhaps some nice add-on has nested in your browser...
/RID
0
 

Author Comment

by:rgford
rid:  "I remoted into my work machine and got the same message " would indicate this is not the case. Have since tried some other machines, same thing.

The address field retains the web address - why don't you try it yourself?
0
 
LVL 6

Assisted Solution

by:Booda2us
Booda2us earned 75 total points
Sorry rgford, but when I try it all I get is "Page cannot be displayed".   Booda2us
0
 
LVL 6

Expert Comment

by:Booda2us
Google says nothing matches.......Is your google better than mine?
0
 

Author Comment

by:rgford
Damn! I know people are often not very loath to admit to having parasites on their machines, but unless the same thing has infected every machine at my work, plus clients' machines and my home ones, it's unlikely! Baffling what it could be.
0
 
LVL 62

Assisted Solution

by:☠ MASQ ☠
☠ MASQ ☠ earned 75 total points
Talk to the people who administer your DNS servers, sounds like this has been put in by someone as a 404 error trap.
0
 
LVL 31

Expert Comment

by:rid
Do you get any kind of URL in the address field when this page displays?
Possibly this could be a sort of "catch-all" that is taking care of failed DNS lookups (which this invalid URL would constitute) and the current DNS server just passes on the request to this page. By locally I meant in the local machine and I just failed to register the part of "remoted into...", sorry.
/RID
0
 
LVL 31

Expert Comment

by:rid
...oh, and I did try it... just get the usual "server not found" stuff, somewhat different but basically the same thing in 3 different browsers.
/RID
0
 

Author Comment

by:rgford
Sorry rid, didn't mean to come over like that - just plenty of people who never read questions properly, I get too used to it.

Looks like it might be something with BT then? (only common thing between machines). I manage the DNS at two of the sites, and can't remember anything myself!

Maybe it shall be left unsolved..
0
 
LVL 14

Expert Comment

by:JohnnyCanuck
It's undoubtedly some kind of government internet usage spying software that hiccupped when you mistyped the url.
0
 
LVL 31

Expert Comment

by:rid
I guess your local DNS servers aren't authoritative for unknown URL's, so the request will go out to a higher level, probably at your ISP. You could actually get something by asking them... :)
/RID
0
 
LVL 31

Assisted Solution

by:moorhouselondon
moorhouselondon earned 75 total points
There is a company called:-

www.giraffe.co.uk

who register names.  If the name is registered it can be back-ordered at:-

http://www.dropcatcher.co.uk/

At first I thought these two companies were connected, which would explain things, they aren't, but nevertheless the terminology is relevant.

I would say that this (as has already been mentioned) is a "catch-all" way of "rescuing" failed searches so that a company can flog you a domain.
0

 

Author Comment

by:rgford
I guess so. Thanks for the answers - MoorHouse, you seem to be onto something there! Two things confuse me though, and are behind why I bothered posting a question - firstly, the extensions we are talking about here *don't exist*. How can a company have registered a catch-all with every single extension for .coj and .cmo...? The only way I thought that was possible was if you had client software installed to pick up extra extensions which, as reasoned earlier, I can't see any evidence of. The second thing is more minor - just that if it is a method of catching visitors, why not have it point to something!? It's clearly not working very well!
0
 
LVL 31

Expert Comment

by:rid
I would have thought that you couldn't register anything but accepted extensions, so it would be very interesting to know at which level the "catchall" operates... If it is at DNS level, it shouldn't be too difficult. The extension list is finite, after all, and anything that fails to match there could be dropped into a catchall, which in turn could be set to operate on some of the letter combinations that fall through. Pure guesswork here and the big idea totally escapes me.
/RID
0
 
LVL 31

Expert Comment

by:moorhouselondon
NetworkSolutions tried to do this a while ago, but decided not to after adverse comment - admittedly this search was done within the same TLD, what you are seeing is redirection of non-existent TLD's.  Some third party in the chain (perhaps BT?) is tinkering in this way.

http://www.icann.org/topics/wildcard-history.html
0
 
LVL 6

Expert Comment

by:Booda2us
It's probably that "Blue Pill" malware.....undoubtedly unleashed to monitor and hijack your network, steal all personal/corporate info from everyone...
0
 
LVL 55

Assisted Solution

by:andyalder
andyalder earned 50 total points
What are your DNS forwarders set to? If we know that we can have a poke about and see what they return for non-existent TLDs.
0
 
LVL 17

Assisted Solution

by:Jared Luker
Jared Luker earned 50 total points
Does it do the same thing in IE and Firefox (or opera or......)
0
 

Author Comment

by:rgford
Yes, same with other browsers.

RID, seems about right. In the ICANN page you posted, moorhouse, doesn't this just refer to domain names, not extensions?
0
 
LVL 62

Expert Comment

by:☠ MASQ ☠
What happens if you flush your DNS cache?  (or if people are connecting via a proxy internet server the DNS cache there?)
0
 
LVL 55

Expert Comment

by:andyalder
Comment Utility
The ICANN doc is about Verisign, who look after the gTLD servers, but to get to xxx.cmo you don't go to the gTLD servers but to the root servers, and they would not return anything except non-existent domain. So, as moorhouse said, it has to be BT that's doing it, which is why we need your customers' DNS forwarder settings.
0
 
LVL 31

Expert Comment

by:moorhouselondon
Andy has a good idea there.  To get at the info that he is asking for, I believe you need to do the following:-

At the DOS prompt, type :-

IPCONFIG /ALL

This will tell you which DNS servers your pc is using to resolve "anything.com" to a dotted IP address.  With that info, we can use the same DNS servers to see whether we get the same results as you.  

Alternatively if you wanted to free yourself of giraffe dropcatcher syndrome, you could change your DNS settings away from what they are at present (they may well be assigned "automatically", but you can force them by specifying them, then checking using IPCONFIG /ALL to make sure you have saved the info properly), so in Network Connections, properties for the TCP/IP protocol of your method of connecting to the internet, use one of the following DNS addresses.  Having done this, run your test again to see if the effect has disappeared:-

http://www.portforward.com/networking/dns.htm

(In this list are some BT DNS Addresses - these might be the ones you currently happen to be using).  Some DNS addresses listed may only be available to customers of that company, so you may not be able to browse the internet with some of these listed.
0
 
LVL 31

Expert Comment

by:moorhouselondon
FWIW one of the DNS servers I am using is

38.9.223.2

This does not resolve the type of address you mentioned.
0
 

Accepted Solution

by:tombull
tombull earned 100 total points
The reason for this is as follows:

Windows stores a list of domain 'endings' to test with addresses that it can't resolve - try right clicking your LAN connection in 'Network Connections', 'Properties', click on 'Internet Protocol TCP/IP', 'Properties' button, 'Advanced' button, 'DNS' tab.

You will either have
a) A domain which ends in .co.uk AND 'Append primary and connection specific DNS suffixes' selected with 'Append parent suffixes of the primary DNS suffix' ticked, or
b) An entry for .co.uk entered in 'Append these DNS suffixes (in order)'

What Windows does when looking for a machine name on your network (or the internet) is that it will look first for the actual name you typed in, then with the DNS suffixes appended. For example, if you are on the companyname.co.uk domain, and you type in the address 'mailserver', Windows will first look for 'mailserver', then 'mailserver.companyname.co.uk', then 'mailserver.co.uk', then 'mailserver.uk'. Hopefully it will find 'mailserver.companyname.co.uk', but if it doesn't, it will keep on looking.

The other part of the puzzle is a domain registration company in the UK called Giraffe, who specialise in registering three letter domain names in the .co.uk domain name space. Something that domain registration companies often do is host DNS which will accept any host name at the domains they register (for example 'anything.anythingelse.something.hosteddomain.co.uk'). They often call this a catch-all. Giraffe call this a dropcatcher system (for no apparent reason).

Hence when you type in an address that ends in 'cmo' or 'coj' (or 'ikl' or 'rfg' or various others), your computer first searches for www.whatever.cmo (finding nothing), then www.whatever.cmo.yourcompany.co.uk (finding nothing), then www.whatever.cmo.co.uk (which is picked up by none other than the giraffe dropcatcher system).

Note this only works on domains ending in .co.uk with the specific settings mentioned above.

0
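An added example, not part of the original answer: a small Python model of the lookup order the accepted answer describes, listing which appended names end up in zones the organisation does not control and which registered domain would answer them. The function names and the `min_labels` parameter are assumptions made for this sketch; the host and domain names are the sample ones used in the answer.

```python
# Added example: models the lookup order described in the accepted answer.
# All host and domain names below are sample values, not real systems.

def devolved_suffixes(primary_suffix, min_labels=1):
    """Primary DNS suffix followed by each parent suffix, with the leftmost
    label stripped one at a time. min_labels is an assumption: the number of
    labels at which stripping stops (1 reproduces the answer's list)."""
    labels = primary_suffix.strip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - min_labels + 1)]


def candidate_names(typed, primary_suffix, min_labels=1):
    """Names tried in order: the name as typed, then with each suffix appended."""
    typed = typed.strip(".").lower()
    suffixes = devolved_suffixes(primary_suffix, min_labels)
    return [typed] + [f"{typed}.{s}" for s in suffixes]


def third_party_lookups(typed, primary_suffix, min_labels=1):
    """Return (query name, domain that would answer it) for every candidate
    whose appended suffix is a parent of the organisation's own domain,
    i.e. a zone the organisation does not control."""
    typed = typed.strip(".").lower()
    own = primary_suffix.strip(".").lower()
    last_label = typed.split(".")[-1]
    hits = []
    for suffix in devolved_suffixes(primary_suffix, min_labels):
        if suffix != own:
            hits.append((f"{typed}.{suffix}", f"{last_label}.{suffix}"))
    return hits


if __name__ == "__main__":
    for name in candidate_names("mailserver", "companyname.co.uk"):
        print("try:", name)
    for query, owner in third_party_lookups("www.whatever.cmo", "yourcompany.co.uk"):
        print(f"{query} -> answered by whoever runs DNS for {owner}")
```

Passing `min_labels=2` stops the stripping at `co.uk`, which is enough to reproduce the `cmo.co.uk` case from the question.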
 

Author Comment

by:rgford
Thank you!
0
