Detect "weird" user agents

User agents are completely "free text" and whatever software sends web requests can choose to send their user agent in any format imaginable. When you're handling normal, legitimate user agents, you'll still see a huge variety of user agent formats, but with a bit of head scratching it generally it all still "sort of makes sense"...

However, user agents can come also in some absolutely crazy formats, which are either subtly "wrong" and "weird", or, which are completely malformed.

We have used our extensive exposure to user agents and our huge collection of them to identify many ways that a user agent can be "weird", the user agent parsing API will tell you if any user agents you send seem "weird" to us. This page has a detailed description of all the ways we know and detect a user agent can be weird.

The reasons we might mark a user agent as "is_weird"

Here is more detail about each reason a user agent might be marked weird, including a variety of user agents that match the given criteria.

is_weird_reason_code Description of reason Some sample user agents which trigger this check
fake_version_number There are a lot of user agents with fake version numbers in the wild; in particular, fake Chrome Version numbers. As such, we now maintain a detailed list of every single real Chrome version number and check Chrome on Desktop version numbers against it. If the version number isn't real, it is marked as fake_version_number.
Find out more about Chrome user agents with fake version numbers.
  • Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2931.44 Safari/537.36
  • Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.3; Trident/4.0) AppleWebKit/517.31 (KHTML, like Gecko) Chrome/41.7.2249.59 Safari/517.31
  • Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.3; Trident/4.0) AppleWebKit/527.28 (KHTML, like Gecko) Chrome/40.1.2005.88 Safari/527.28
  • Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Trident/6.0) AppleWebKit/509.11 (KHTML, like Gecko) Chrome/40.7.2209.83 Safari/509.11
  • Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.3; Trident/6.0) AppleWebKit/512.24 (KHTML, like Gecko) Chrome/42.8.2026.67 Safari/512.24
  • Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0) AppleWebKit/515.6 (KHTML, like Gecko) Chrome/42.3.2212.45 Safari/515.6
  • Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2747.47 Safari/537.36
  • Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2753.75 Safari/537.36
  • Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2976.78 Safari/537.36
  • Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2647.41 Safari/537.36
didnt_have_software_version_but_needs_one Some user agents should always have a version number in them; if the version number is missing then it's obvious that the user agent is fake or has been tampered with.
  • Mozilla/5.0 (Windows NT 4.54; x64) Gecko/20100101 Firefox
  • Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/hmm
  • 123QA/4f68f7e4/7foe9sp8zwmj6rvt (Linkchecker;DEV07;firefox)
  • Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/B7C29C
  • Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/--.0
  • Mozilla/5.0 (Linux; Android 8.1.0; SM-G610F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/9D91CF217427 Mobile Safari/537.36
software_version_int_too_big If the version number is very large (in the thousands), the software is marked as weird, because the only way this would happen is if the user agent is fake or tampered with.
Note that this is not a blanket test: we maintain a whitelist of software which is allowed to have large version numbers and won't get marked as weird.
  • Mozilla/5.0 (Windows NT 6.3; rv:98452315.0) Gecko/20100101 Firefox/98452315.0
  • Mozilla/5.0 (Windows NT 5.3; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/2000.0.3497.100 Safari/537.36
  • Mozilla/5.0 (X11; Linux x86_64; rv:34000000000000000000000.0) Gecko/20100101 Firefox/3400000000000000000000.0
software_version_int_not_reasonable This is similar to software_version_int_too_big, but is more subtle: it looks for version numbers which are too high, based on what we know to be the latest version number for that software. For example, if the latest version of Chrome on Desktop is 131, if a user agent reports that it's Chrome 136, then we mark it as software_version_int_not_reasonable. We also check to confirm that it's not too low as well (eg Chrome Version 0)
  • Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/138
  • IE12 (compatible; MSIE 14.0; Windows NT 12.1)
  • Mozilla/4.0 (compatible; MSIE 69.0; Windows NT 500.1)
  • Mozilla/5.0 (Windows; U; Windows NT based; ar-EG) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.1.2.3 Safari/525.13
found_weird_fragment_from_list We maintain a list of fragments which instantly indicate that something is weird about the user agent. Any user agent with one or more of those fragments will be marked as weird. This list contains things like "c:\", "was here", "firstname", "whatismybrowser", all sorts of HTML tags, various groupings of symbols, "_utm", and so on.
These various "weird" fragments are based off the hundreds of millions of user agents we've examined and found problems with; often it's clear that some kind of malfunctioning code has sent the user agent in their request, or that someone has intentionally changed their user agent to something silly or impossible.
  • Mozilla/5.0 (compatible; Googlebot/ </textarea>'"><script>alert(document.cookie)</script>; +http://www.google.com/bot.html)
  • --user-agent=Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; da-dk) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1
  • This is a test user agent string.
  • >>> Your new user agent string here <<<
  • Mozilla / 5.0(compatible; bingbot / 2.0; +http://www.bing.com/bingbot.htm)
  • Mozilla / 5.0(MSIE 12.0; Trident / 7.0; rv: 11.0) like Gecko
  • <script>alert(' X S S ed')</script>
  • <h1 onclick=alert(1);>ABCD</h1>
  • Mozilla/5.0 () AppleWebKit/535.19 (KHTML, like Gecko) xD/18.0.1025.142 Safari/535.19
  • Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; acc=; acc=none)
  • screenwidth=1600;screenheight=900;platform=Win32;Vendor=Google Inc.;UserAgent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
  • Mozilla/5.0 ()
  • C:\Users\foobar\Desktop\Useragents.txt
  • Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; [UserAgentString] (like .NETC40); rv:11.0) like Gecko
  • Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 3P_UVRM/C:\\Program Files\\VirusRemover2008\\VRM2008.exe Files\\VirusRemover2008\\VRM2008.exe Files\\VirusRemover2008\\VRM2008.exe Files\\VirusRemover2008\\VRM2008.exe Files\\VirusRemover2008\\ Firefox/3.5.3
  • Mozilla/5.0 (Linux; Android 9; MAR-LX1A Build/HUAWEIMAR-L21A; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/76.0.3809.111 Mobile Safari/537.36 Instagram 106.0.0.24.118 Android (28/9; 480dpi; 1080x2107; HUAWEI; MAR-LX1A; HWMAR; kirin710;..
  • Mozilla/5.0 (Linux; Android 4.4.2; ??) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36
has_contradictory_info Some obviously fake user agents seem to just throw everything in there to see what sticks... we mark that as weird.
  • Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.71 Safari/537.36 Firefox/25.0a1
  • Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.119 Safari/537.36 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
  • Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.75 Safari/537.36 Mozilla/5.0 (Windows NT 6.2; WOW64; rv:69.0) Gecko/20120101 Firefox/69.0
  • Mozilla/5.0 (Linux i686; Trident/ 7.1 ; en-us) like Gecko Chrome/34.9.235.461 Firefox/6.3
  • Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Trident/5.0) AppleWebKit/511.22 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/511.22
has_impossible_info This when we detect "impossible" things, for example Internet Explorer on iPhone. It's similar to has_contradictory_info
  • Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; iPhone; U; CPU like Mac OS X; en)
  • Mozilla/5.0 (Linux; U; Android 4.2.2; en-; IPHONE 6 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
  • Mozilla/5.0 (iPad; U; CPU OS 7_0 like Mac OS X; en-ca; MediaPad 7 Youth 2 Build/HuaweiMediaPad) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B367 Safari/531.21.10
  • Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/537.13+ (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2)
has_long_weird_alphanum Some user agents have long, inexplicable alpha-numeric strings in them. Often they seem added by the manufacturer or an app or extension on the browser. They often appear in otherwise normal-looking user agents. If we see them, we'll flag them as weird. Note that the user agent sanitizer will neatly remove some of the more common instances of these fragments, leaving you with a normal user agent.
  • LG-LG236C/1.0[TF268435461211567751000000012562750208] Profile/MIDP-2.1 Configuration/CLDC-1.1 UP.Browser/6.2.3.8 (GUI) MMP/2.0
  • Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1;; APCPMS=^N20150107050730110068DDDC35576EEEDA3F_758^; Trident/6.0)
  • Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456 baiduboxapp/0_11.0.0.8_enohpi_4331_057/2.0.01_1C2nohPi/1099a/7D5481C2AC15199B35B3EC67C54574F1D125053C1FRSPFKHJNC/1
  • *BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAoDAAAAAAAAAAAA=
  • acfun/6.5.1/K6015ER7WRLLGCE9GO6HPYZN3UZWMKFL/UU50P5FZX5SAPY6PBQQ6SLXCHM6SW2Y4/cache
rubbish_fragments Some user agents have weird rubbish fragments in them; randomized groups of characters and/or symbols. We detect these in lots of different formats/configurations.
  • Mozilla/5.0 (X11; Linux i686; rv:6.0.2) (JC+r/fEBSdQnnr/4V3OO2w971TESd/38xS1sOuRD9yU=) Gecko/20100101 Firefox/6.0.2
  • Mozilla/5.0 (8tGgbehMPbKtgNbZOvR7PFJOayo2eZ; rv:50.0) Gecko/20100101 Firefox/50.0
  • KSPZZ8aNvSZ (FreeBSD; Intel Windows 65.611; rv:88.10) 57WVt5pxo1y 8GZR5YjnjA92 Opera/14.7 OZcUmEzMCmZ Safari/91010610626 FbxCXlGl9Z8Arwq 9N9IdfyZZfn 99vyjLrf wL9l12fglUgJYV 2i4x98mRUPOhVZ 99959mI9WhVFZ9
  • Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:66.0) Gecko/20100101 pScnVWgP-29 pScnVWgP-29 Firefox/66.0
  • 3WdYaulOGf5e2U8526qg2N2SDzRXka5GTY9HR81u0qQDJ3zXAAAAAA
  • 99E1pZ0ZI Konqueror/14.7 KXOVDlMfcacon Mozilla/111673637 (SUSE NT 7.11; rv:155.5) l9IU1oZiFyw 9N5YZYcsRK
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 eA9yLPOj-19 eA9yLPOj-19 Firefox/69.0
started_with_weird_fragment_from_list The user agent started with a particular fragment that we know real user agents shouldn't start with.
  • =Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
  • Chrome 41 (iOS 8.4)
  • Mozilla/7.0 (OpenBSD) AppleWebKit/932.28 (KHTML, like Gecko) Browser/90.0.2234.115 Browser/932.28
  • Mozilla/99999999.0 (Linux; U; Android 4.0; en-us; GT-I9300 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
  • /5.0 (BB10;Touch) AppleWebKit/537.10 (KHTML, like Gecko) Version/10.0.9.773 Mobile Safari/537.19
  • 0 Opera/9.80 (J2ME/MIDP; Opera Mini/6.5.28159/34.873; U; en) Presto/2.8.119 Version/11.10
  • ''''//..///../././//.//..//..//..//k
  • Mozilla/666
  • 'Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1'","Firefox","Windows XP","Other
has_encoded_character There's some kind of encoding problem with the user agent; most likely due to a malfunctioning bot/script.
  • Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; ------=(\xc5\xd8\xca\xce-\xd0\xee\xf1\xf1\xe8\xff)=------)
  • Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; \xba\xd3\xc4\xcf\xb4\xf3\xd1\xa7\xcd\xbc\xca\xe9\xb9\xdd\xb5\xe7\xd7\xd3\xd4\xc4\xc0\xc0\xca\xd2)
  • xef\xbb\xbfMozilla/4.0 (compatible; MSIE 5.5; Windows 98)
  • Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FunWebProducts; Seednet\xaa\xa9\xa5\xbb)
escaping_problem There's some kind of escaping problem with the user agent; most likely due to a malfunctioning bot/script.
  • Mozilla/5.0 (Windows NT 6.1; Win64; x64) Firefox\/56.0
too_long The user agent was too long. This one is simple; normal user agents shouldn't be too long. Barring one or two exceptions, any user agent that's too long is considered weird. Often you can see why it's ended up so long; malfunctioning software has repeated a fragment over and over, or multiple user agents have been concatenated, or there's just really random junk fragments.
  • Mozilla/5.0 (Linux; Android 4.4.2; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; pt-pt; Metro Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile Safari/537.36
  • Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0E; InfoPath.3; Microsoft Outlook 15.0.5125; Microsoft Outlook 15.0.5125; Microsoft Outlook 15.0.5125; Microsoft Outlook 15.0.5125; Microsoft Outlook 15.0.5125; Microsoft Outlook 15.0.5125; Microsoft Outlook 15.0.5125; Microsoft Outlook 15.0.5125; Microsoft Outlook 15.0.5125; Microsoft Outlook 15.0.5125; Microsoft Outlook 15.0.5125; Microsoft Outlook 15.0.5125; Microsoft Outlook 15.0.5125; ms-office; MSOffice 15)
  • Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; GetGoLauncher 467; RDPSession#10; RDPSession#19; RDPSession#3; RDPSession#4; RDPSession#11; RDPSession#18; RDPSession#22; RDPSession#23; RDPSession#5; RDPSession#7; RDPSession#8; RDPSession#17; RDPSession#12; RDPSession#9; RDPSession#16; RDPSession#2; RDPSession#13; RDPSession#; RDPSession#6; RDPSession#14; RDPSession#15; RDPSession#21; RDPSession#35; RDPSession#26; RDPSession#29; RDPSession#28; RDPSession#33; RDPSession#30; RDPSession#25; RDPSession#31; RDPSession#27; RDPSession#24; RDPSession#20; RDPSession#32; RDPSession#39; RDPSession#37; RDPSession#34; RDPSession#42; RDPSession#40; RDPSession#38; RDPSession#36; RDPSession#46; RDPSession#44; RDPSession#43; RDPSession#84; rv:11.0) like Gecko
too_short The user agents shouldn't be too short either
  • AT&T
  • IE 6
  • p?d?
  • bot/
  • ££££
duplicate_fragments The user agents contains duplicate fragments. Note; this is a new check and the detection sophistication is still evolving. It will catch some duplication but admittedly not all of it yet. We continue to improve the algorithm.
  • Mozilla/5.0 (Linux; U; Android 2.2; md-us; sec_smdkv210 Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Android Android Android Android Android Android Android Android Android Android Android Android Android Android Android Android Android Android Android Android Android Android Android Android Android Android Android Android Android Android Android Android Android Android Android Android Android Android
  • Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:85.0) Gecko/20100101 Firefox Firefox/85.0
x_on_y We went through a phase of seeing hundreds of thousands of user agents that had a sort of "X on Y" fragment in it. They don't appear as frequently these days, but the user agents are obviously weird, and we filter them out. There are many variants of them too; some look like people just changing their user agent by hand, others look like a bot sending the "simple_software_string" from our API back through the API as the user agent.
There are actually a few exceptions to this rule too; there are some valid user agents that have an "X on Y" style fragment; these are noted in the example column too.
  • X-UA-Compatible (Edge 12 on Windows 10))
  • Opera 8.51 on Windows XP Opera/8.51 (Windows NT 5.1; U; en)
  • chrome28 on linux
  • Mozilla/5.0 (STOP USING UA DETECTION ON FRONTENDS!; Windows NT 9.9; Win64; x64; rv:99.0) Gecko/99999999 Firefox/99.0
  • Opera Running on Mac OS - Opera/9 (Macintosh; Intel Mac OS X 10.8.8; U; eng) Presto/2.8.189 Version/28.0
  • Mozilla/5.0 (Woofer 1.0; Pup64; x64) BoneWebKit/3.32 (KHTML, like Gecko) A Dog/ Pawing on his labtop/ Woof 1.0

FYI: These user agents are examples of ones that have an "X on Y" fragment but which we don't consider weird:

  • Mozilla/5.0 (X11; Linux i686 on x86_64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
  • SSL Labs (https://www.ssllabs.com/about/assessment.html); on behalf of 123.123.123.123
one_big_long_string If the user agent is all just one big long string, then it will be marked as weird. This mostly seems to happen due to malfunctioning software sending the request; often it seems that all the spaces have been stripped out. The user agent must be at least 60 characters for this check to take place, otherwise legitimate user agents such as Baiduspider-image+(+http://www.baidu.com/search/spider.htm) would get incorrectly marked as weird. There are also some exceptions, such as Facebook's Mobile App user agent which doesn't have any spaces in it.
  • Mozilla/5.0(iPhone;U;CPUiPhoneOS4_0likeMacOSX;en-us)AppleWebKit/532.9(KHTML,likeGecko)Version/4.0.5Mobile/8A293Safari/6531.22.7
  • abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz
  • Mozilla/5.0(Macintosh;IntelMacOSX10_7_0)AppleWebKit/535.11(KHTML,likeGecko)Chrome/17.0.963.56Safari/535.11
  • Mozilla/5.0(Linux;Android4.4.2;GT-P5210)AppleWebKit/537.36(KHTML,likeGecko)Chrome/75.0.3770.101Safari/537.36

These user agents are examples of ones which all one big string but which we don't consider weird:

  • Baiduspider-image+(+http://www.baidu.com/search/spider.htm)
  • [FBAN/FB4A;FBAV/236.0.0.40.117;FBBV/169421994;FBDM/{density=4.0,width=1440,height=2768};FBLC/sv_SE;FBRV/170474407;FBCR/Telia;FBMF/samsung;FBBD/samsung;FBPN/com.facebook.katana;FBDV/SM-G960F;FBSV/9;FBBK/1;FBOP/19;FBCA/arm64-v8a:;]
started_with_bracket User agents shouldn't start with brackets, it's almost always a sign of a problem.
  • (Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0))
  • (Unknown)
  • (null) [FBAN/FBIOS;FBDV/iPhone7,2;FBMD/iPhone;FBSN/iOS;FBSV/11.4.1;FBSS/2;FBCR/TELIA;FBID/phone;FBLC/sv_SE;FBOP/5;FBRV/124134826]
  • (Windows NT 10.0; WOW64) xR73LFXn-37 FxSync/1.53.0.20170125094131.desktop
  • ( ; ; ; Trident/7.0; rv:11.0) like Gecko
  • (en_AU; iOS 11.4.1) Apple/iPhone iPhone10,3
surrounded_by_quotation_marks This often happens because a bot is sending it's user agent correctly. If you see it happen a lot with your API requests, ensure that you're not accidentally double-escaping the strings or anything (make sure you always use a proper JSON library instead of escaping strings yourself!)
  • "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
  • "Mozilla/5.0 (Linux; Android 8.1.0; Redmi Note 5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.90 Mobile Safari/537.36"
  • "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36"
  • "Mozilla/5.0 (iPhone; CPU iPhone OS 11_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1"
surrounded_by_apostrophes This is basically the same problem as Surrounded by quotation marks.
  • 'Mozilla/5.0 (iPhone; CPU iPhone OS 12_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148'
  • 'Mozilla/5.0 (iPhone; CPU iPhone OS 14_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.2 Mobile/15E148 Safari/604.1'
  • 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)'
entirely_symbols If the user agent consists entirely of symbols and numbers, it's weird.
  • 0.181840959468358
  • &@#^!**!#*%)(*#
  • ::::::::::::::::::::::::::::::::::::
has_obvious_rubbish_fragment Our systems constantly see user agents with weird, random, obviously wrong/fake fragments in them. We detect a variety of these weird fragments and mark them as weird. In some cases they seem to be some kind of "anonymizer" extension doing it, other times they seem like some kind of software defect.
  • Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15/4tfr4gup-52
  • Mozilla/5.0 (iPad; CPU OS 9_3_5 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13G36 Safari/601.1.46/351769312
  • Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/605.1.15/10743189152
  • Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Safari/605.1.15/Mbs0sQIY-33
  • Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1 Safari/605.1.15/eYKuKARs-52
  • Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Safari/605.1.15/2eTKQidq-1
has_a_time_stamp We've seen lots of user agents that have time stamps in them. This is not normal behaviour.
  • Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.215 Safari/537.36 uJs81Viaf4wxiAHIhUM67yKszeU= 2013-10-26T13:15:54.959Z
Note that the preprocessor/sanitizer will actually remove the weird uJs81Viaf4wxiAHIhUM67yKszeU= style string, as well as the 2013-10-26T13:15:54.959Z time stamp as well. Sanitized field in the Integration Guide for more information.
is_a_hash_32 Occasionally, we've been sent user agents via the API which seem to be encoded as some kind of hash or md5sum.
  • 0e1b8b3ef01dad60a89c3b16b6eeff54
  • 2e9fc04905ca36f4fcc2fa8146703a46
mismatched_parentheses Obviously truncated user agents indicate a problem.
  • Mozilla/5.0 (Android 4.2.2
  • Mozilla/5..0;(X11; ))Safari
  • HacKer boi :)
  • Mozilla/5.0 (Macinto
multiple_mozilla Some user agents get concatenated for one reason or another, we check for this. Maybe the visitor's user agent changing extension is faulty or there might be a problem with the way you're handling user agents on your server.
  • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
  • Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.4 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.4
  • Mozilla/5.0 (Mozilla/5.0 (Windows; rv:24.0) Gecko/20100101 Firefox/24.0; rv:24.0) Gecko/20100101 Firefox/24.0
  • Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.2; Trident/5.0; Mozilla/4.0 (compatible; MSIE 7.0; America Online Browser 1.1; Windows NT 5.1; (R1 1.5); .NET CLR 2.0.50727; InfoPath.1))
multiple_trident User agents that have multiple Trident fragments. This isn't normal and as such we mark them as "weird". Similar to the multiple_mozilla reason code, it can also indicate that a user agent has been concatenated with another one.
  • Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; Trident/5.0)
  • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C), Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C)
  • Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Windows NT 6.3; Trident/6.0; Media Center PC 6.0)
  • Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; Trident/5.0; Trident/5.0; Trident/5.0; Trident/5.0)
one_big_alphanum User agents that are one big string of alphanumeric spaces get marked as weird.
  • 1HLoD9E4SDFFPDiYfNYnkBLQ85Y51J3Zb1
  • Browser123
  • yechjyuw8Rcyxcswtwlhvdun8qbRxbqpg
  • 0x00000
  • zqex066BqMtuG51bHdd9XDhyC2EUYvJU3Q0FJBMmGbQefL0XQAAAAA
words_with_spaces The user agent is literally just one or more words with spaces in between; not even version fragments or symbols, just words and spaces. Often these get marked as is_spam too, as some organizations apparently try to spam their name all over the internet with user agent strings? Other people have changed their user agent to things like Stop trying to track me and other fake things.
  • Example Web Marketing
  • mozzarella
  • vdgnuxdi hjbhvwhkhhxexrdoy
  • hi Hjs vqxemxnimem ywjekgtdhippdm
  • Screw your analytics
missing_too_much_parse_data_to_not_be_weird There wasn't enough information found in the parse for this to not be considered "weird". In all "normal" user agents, there's enough information to at least work out what the user agent string represents, but if it's been flagged as missing_too_much_parse_data_to_not_be_weird then it means we couldn't figure out enough info from the user agent to not assume that it's "weird".
Be careful with this one; it mainly exists so that our user agent listing doesn't include user agents that we haven't added detection for yet. These might be legitimate user agents that we haven't added detection for yet, although it will also catch user agents that are also quite strange but which didn't get caught by the other "weirdness" checks.
  • LOLCATZ!
  • Mozilla/5.0 ayy/1.4.2 lmao/46.2
  • Internet/3.0 (Personal OS; rv:3.1) Guess Who/10101011 Jesus/Like
  • Mozilla/4.0 (compatible; ICS)
missing_mozilla_fragment The user agent is missing the very common Mozilla fragment at the start. This check doesn't apply to all user agents; many bots don't have it or require it, but normal browsers do. This seems to happen when a bot or extension isn't sending the user agent properly.
  • 5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112 Safari/537.36
  • 5.0 (Linux; Android 10; SM-G973F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Mobile Safari/537.36
  • /5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X; en-us) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11A465 Safari/9537.53
invalid_trident The Trident/ fragment (used by Internet Explorer) is invalid.
  • Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Win64; x64; Trident/1.0)
  • Mozilla/5.0 (compatible; MSIE 9.0; Linux x86_64; Win64; IA64; Trident/2.0)
  • Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; WOW64; Trident/1,0; SLCC1)
  • Mozilla/5.0 (PPC Mac OS X 2.54; rv:38.79) Gecko/20100101 Trident/38.79;Mozilla/5.0 (X11; Linux i686 on x86_64; rv:29.39) Gecko/20100101 Trident/29.39;
operating_platform_code_too_long We haven't seen many instances of useragents like this, but when they appear it's usually because the user agent is malformed in some way.
  • Android 6.0; es_ES; ALE-L21 Build/HuaweiALE-L213889205507-8099681841534386173
ended_with_weird_fragment_from_list There's a few fragments we've noticed that some weird user agents end with.
  • Mozilla/4.0 (Windows; MSIE 6.0; Windows NT 5.0),
  • Mozilla/5.0 (X11; U; Linux i686; it; rv:1.8.1.3) Gecko/20070410 Firefox/2.0.0.3))"..'..),
  • Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20150101 Firefox/44.0 (Chrome)
surrounded_by_type_declaration An odd little check, but we've seen user agents being sent with what looks like some kind of type declaration around the user agent string. If we see that, we'll mark it as weird, because something's sending the user agent wrong.
  • b'Mozilla/5.0 (X11; Linux i686;) AppleWebKit/536.36 (KHTML, like Gecko) Chrome/52.0.2840.71 Safari/536.36'
  • b'Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/533.3 (KHTML, like Gecko) Chrome/5.0.358.0 Safari/533.3'
all_lower_case If the user agent comes through entirely in lower case, then something is weird.
  • mozilla/5.0 (linux; android 8.1.0; sm-j410f build/m1ajb) applewebkit/537.36 (khtml, like gecko) chrome/87.0.4280.86 mobile safari/537.36
  • mozilla/5.0 (linux; u; android 9; sm-j810f build/ppr1.180610.011; wv) applewebkit/537.36 (khtml, like gecko) version/4.0 chrome/81.0.4044.117 mobile safari/537.36 opr/52.2.2254.54723
  • mozilla/5.0 (linux; android 10; titan build/qp1a.190711.020) applewebkit/537.36 (khtml, like gecko) chrome/87.0.4280.86 mobile safari/537.36
  • mozilla/5.0 (linux; android 8.1.0; berry 2 build/opm2.171019.012) applewebkit/537.36 (khtml, like gecko) chrome/87.0.4280.66 mobile safari/537.36
csv_fragment Sometimes malformed user agents come through that look like they're part of a CSV file or a JSON structure.
  • Mozilla/5.0 (Linux; Android 9; Redmi Note 8 Pro Build/PPR1.180610.011; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/80.0.3987.149 Mobile Safari/537.36 hap/1.6/xiaomi com.miui.hybrid/1.6.1.0 com.xpspeed.qmouse/1.2.1 ({"packageName":"com.miui.home","type":"shortcut","extra":{"original":{"packageName":"com.tencent.mtt","type":"url","extra":{}},"scene":"api"}})
  • Mozilla/5.0 (Linux; Android 10; LYA-L29 Build/HUAWEILYA-L29; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/87.0.4280.86 Mobile Safari/537.36 hap/1077/huawei com.huawei.fastapp/3.0.2.300 com.huawei.quickapp.airlens.europe/1.0.2.301 ({"packageName":"com.huawei.intelligent","type":"url","extra":"{}"})
regex_fragment Sometimes malformed user agents come through that look like someone accidentally sent a regex through
  • ^FooBar
  • Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:[0-9\.]+) Gecko/[0-9]+ Firefox/[0-9\.]+
found_weird_fragment These kinds of useragents are fairly rare and seem to be the product of some user agent anonymizer
  • Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148/mnwyigjtqvkykukgmiqrmtwhcgekfjqo
  • Mozilla/5.0 (iPhone; CPU iPhone OS 13_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148/oasjggofxfrakhalgrmyvehidbkvckgp

Why does it matter if a user agent is "weird"?

The primary reason for caring is that normal, legitimate software doesn't usually send user agents that are "weird". So if you are really concerned with weeding out "bad" traffic, checking the is_weird and is_weird_reason_code fields is a great way to get a better idea about the software sending the request.

With the addition of the is_weird_reason_code field, you now get a very clear idea about exactly why we consider a particular user agent "weird" - depending on your business logic you may decide to do something different with that particular user agent/web request.

The parse response might still have useful info, even if it's weird

When we detect a user agent as "weird", usually all the other parsing detection runs as normal. As such, even if there's a fragment that shows it's obviously a tampered with user agent and we mark it as such, there still might be other fragments (perhaps a Browser name, or Operating System) which get detected as normal. So just because a user agent is marked as is_weird, you might still be able to use some of the parse data from it.

The API Response

On any of the paid API plans you will see a is_weird key in the parse section of the response (For the normal Parse or the Batch Parse end points). If the user agent parser thinks that the user agent is "weird", the value in that key will be true.

With the release of v2.4.6, the parse results will also contain an optional key: is_weird_reason_code. If a user agent is marked as is_weird: true, the is_weird_reason_code will also include a text slug that indicates why the user agent was marked as weird.

This is a list of all the reasons we might mark a user agent as "weird", including some sample user agents which indicate the problem. Every single sample user agent here is one that our website or API has seen in the wild. It goes to show how prevalent these issues are and how important it is to look out for them. Note that a user agent might actually have more than one reason why it would be considered "weird", but the key will only ever contain one value.

Note that if a user agent is marked as is_weird might still also be marked as is_abusive and/or is_spam etc.

Get started now

The API is free to use and easy to set up, so why not get started right now.

Do you have a question? Get in touch! We'd love to help you.