RE: [squid-users] another illegal character in hostname

From: Palmer J.D.F. <>
Date: Thu, 29 Mar 2001 12:55:33 +0100


I have been experiencing the same problem i.e getting messages in syslog
like this :
urlParse: Illegal character in hostname''

I am currently testing various 'Warez' clients such as bearshare, imesh,
gnutella etc in order to find which ports/IP are being used so that they can
be banned at our router.

By chance I noticed that these Illegal character messages were appearing in
my syslog on a test cache that I am configuring. I am the only user going
through this cache. They also appear in our main caches.

I have investigated this with the help of a mail posted by Samuel Atlan
3/11/2001 Message attached and it appears that in our case the problem is
being caused by the imesh warez client . It copies a file
called cd_load.exe into winnt\system32 it is an advertising banner client.

 <<[SQU] urlParse errors (CyDoor)>>

Jezz Palmer.
Internet Systems Officer.
Library and Information Services
University of Wales, Swansea
Singleton Park
Tel 01792 513260

 -----Original Message-----
From: John Croft []
Sent: 26 March 2001 01:05
Subject: [squid-users] another illegal character in hostname

> Subject: Correct example of "illegal character in hostname"
> Date: Sat, 24 Mar 2001 04:57:16 -0800 (PST)
> From: ssdd sdsds <>
> To:
> Oh yes. Thanx for pointing out. But actual contineos
> errors r of the machine name itself ie:
> urlParse: Illegal character in
> hostname''
> (where is FQDN machine name , with
> proper dns entry)
> Is there any other reason for "illegal hostname error"
> other than wrong spelled site name??
> bye

I have two client machines exhibiting this problem also.

I get one line in the cache.log, viz:
2001/03/26 09:56:22| urlParse: Illegal character
 in hostname ''

I get three lines in access.log, viz:
985564555.145 7 x.x.x.94 NONE/400 1204 GET - NONE/- -
985564555.172 5 x.x.x.94 NONE/400 1204 GET - NONE/- -
985564555.199 0 x.x.x.94 NONE/400 1270 GET
 &AW=168&LV=2040&CU=84427977 - NONE/- -

With this extra information, does anyone know which application
on the clients (both windows boxes) may be at fault ....


attached mail follows:


It seems to me that several proxy administrators had problems with the
urlParse error and the "strange" access.log lines like :

984326992.663 2 NONE/400 1315 GET - NONE/- -

Those lines repeat every 15 seconds or so. I think I've found one source
that is causing this and that fills up my logs : Cydoor ads banner software

I recently posted that Babylon software (from was creating
those lines in my access.log, so I looked up this issue a little bit

Using a "clean computer" running only babylon translator, I did a tcpdump on
the packets and I've found that :

My computer tries to contact on the 80 port directly
(connection that is blocked by my firewall) about three times, then it makes
a connection the the cache and do three bad queries :
984329080.652 2 NONE/400 1315 GET - NONE/- -
984329080.665 2 NONE/400 1315 GET - NONE/- -
984329080.678 1 NONE/400 1397 GET
 - NONE/- -

This results and two additionnal lines in /var/log/messages like those :
Mar 11 17:45:10 cache squid[675]: urlParse: Illegal character in hostname
Mar 11 17:45:10 cache squid[675]: urlParse: Illegal character in hostname

Then my computer redo those direct connections....

Here is the interesting part... a query on the IP
( gave me the address
of a ISP in Israel.
Then, I look at the technical forums in Babylon website to see if nobody had
reported problems with proxies. I came across a post
( who stated that is
was not possible anymore to circumvent the Cydoor Ads banner... I then went
to and found out that they had offices in Tel-aviv. So I used
tcpmon and found out that the port corresponding to the packet dump
genereting Squid's error where opened by "cd_load.exe" wich is a stub
program usied by CyDoor. Also, I installed several programs from CyDoor
websites and they generated the same errors on my Squid proxy with the same

CyDoor software tries to connect in an odd way and badly handle web cache...
causing it to trigger frequent errors.

Hope this helps some of you from getting rid of those messages.

Samuel Atlan.
To unsubscribe, see
Received on Thu Mar 29 2001 - 04:55:54 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:59:01 MST