<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.hoenzb
{mso-style-name:hoenzb;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-AU link=blue vlink=purple><div class=WordSection1><div><div><p class=MsoNormal><span style='color:#1F497D'>></span>The order isn't necessarily wrong. There's a number of very well-known security products that do this type of request (although not this exact pattern, at least not for the ones I'm aware of) after the initial request has occurred. It's generally referred to as a sacrificial lamb concept, where if the content is bad then the initial requester gets infect, but any future requests from other users will be blocked. Blue Coat, Websense and Zscaler all do this in some form of other, although as I said not with the exact pattern seen here.<br><br><span style='color:#1F497D'>></span>Whilst doing it in the reverse order might seem to make more sense, and might stop that one client getting infected, it introduces additional latency and generally requires significant more capacity to do.<br><br><span style='color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>True, but all of those services subsequently block access to infected sites. My reading of the tests carried out by WPoolers are that this was not the case – so it’s either a work in progress and has been employed passively, or it’s not about malware at all. Occams razor seems to fancy the latter.<o:p></o:p></span></p><p class=MsoNormal><br><br><br><o:p></o:p></p></div></div></div></body></html><br><p>Message protected by MailGuard: e-mail anti-virus, anti-spam and content filtering.<br /><a href="http://www.mailguard.com.au/mg">http://www.mailguard.com.au/mg</a></p>
<!-- MailGuard Message ID: 4fe7c62f1b5f11 - use this number for reporting -->
<br> <br>