Short synopsis of the question: We received spam with a strange URL;
> Dissecting the URL, I condensed it into:
> http://3626046468/
> [...] I can do a 'ping
> 3626046468', which seems to interpret the "hostname" as a decimal
> 4-byte integer representing the IP#, i.e., I effectively ping
> 21.156.232.102 - which seems to be unresponsive. Netscape, however,
> ends up on the webserver angelfire.com (216.33.20.4)?!?
Solution: Improve mastery of mouse when doing cut+paste, or doublecheck
what you do. :-} I accidentally pinged
^
362604646 (dec) = 159CE866 (hex) = 15.9C.E8.66 = 21.156.232.102 (dec)
^^^^
rather than
^
3626046468 (dec) = D8211404 (hex) = D8.21.14.04 = 216.33.20.4 (dec)
^^^^
Did I mention that I have a diploma in business math? !-S
Other possibilities:
> It is possible to embed javascript in a URL. Have you looked
> at the thing with a regular editor?
That's why I experimentally reduced it to just "http://3626046468/"
- not much room for such nasties in there, even if it were base64d
Java bytecode. ;-)
Comments:
1> There are no stupid questions ... outside of game shows that is ;-)
Don't challenge me on that. :-)))
2> Summarize that one -- I have seen it quite a bit on Usenet as
2> well - at first I thought it may have been some sort of IP
2> address format that could be resolved, but any mathematical
2> calculations don't cut it.
FWIW, the other "camouflage techniques" used in the URL as I
received it were
a) Percent escapes (e.g., "%30" instead of "0" - note that
30 (hex) is the ASCII code of "0") and
b) A userid mixed in (i.e., http://something@3626046468/some/path/),
though I assume that this userid actually gets logged in the
WWW server logs, allowing the spammer to gauge "success" of
every single spam campaign.
3> FWIW - Spammers sometimes use octal values by preceding each
3> octet with a leading ZERO ("0").
"0x" for hex equally works. (Just tried the famous 0xdeadbeef. ;-)
Thanks to:
Ian MacPhedran Ian_MacPhedran@mackenzie.usask.ca
Tim Pointing Tim.Pointing@dciem.dnd.ca
Rich Lafferty rich@alcor.concordia.ca
Chad Price cprice@molbio.unmc.edu
Trevor Paquette TrevorPaquette@metronet.ca
Harvey Wamboldt harvey@iotek.ns.ca
Frank Sorenson sorenson@traces.cs.byu.edu
Bruce Bowler bowler@alpha1.bigelow.org
Todd Herr herrt@hankhill.iisd.sra.com
Tom Cowan Tom_Cowan@pcworld.com
Michael Maciolek mikem@ne.cohesive.com
Burch Seymour RTPS bseymour@ns.encore.com
Dale Hsu Dale.Hsu@impacgroup.com
Michael Kalus micha@awwm.com
Chris Eslinger eslingc@atd.sprintcorp.com
Rik Schneider rik@netasset.com
Eric D. Pancer eric@outlook.net
James Ford jford@tusc.net
Matthew Stier Matthew.Stier@tddny.fujitsu.com
Drew Watson dwatson@ns.encore.com
Charlie Mengler charliem@anchorchips.com
Mike Fletcher mfletcher@iss.net
Bryan Blackburn blb@pobox.com
Graydon Dodson grdodson@lexmark.com
Brion Leary brion@dia.state.ma.us
... and probably quite a lot still to come.
Thanks again,
J. Bern
--
J. Bern  bern@uni-trier.de / bern@ti.uni-trier.de
(Accepting PGP, MIME, SUNAttachments)
P.O. box 1203, D-54202 Trier
Ham: DD0KZ
finger bern@informatik.uni-trier.de
http://www.informatik.uni-trier.de/~bern/
Email autoreply on subject '##'
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:13:20 CDT
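
Added example, not part of the original post: a Python sketch that a mail filter or log reviewer could use to undo the disguises listed in the summary (single decimal number, leading-zero octal, "0x" hex, percent escapes, a userid in front of the host) and recover the dotted-quad address. The function names and all sample URLs except http://3626046468/ are constructed for illustration; number parsing follows the classic inet_aton() rules.

```python
from urllib.parse import urlsplit, unquote

def parse_part(text):
    """Parse one number as inet_aton() does: 0x = hex, leading 0 = octal."""
    if text.lower().startswith("0x"):
        digits, base = text[2:], 16
    elif len(text) > 1 and text.startswith("0"):
        digits, base = text[1:], 8
    else:
        digits, base = text, 10
    allowed = "0123456789abcdef"[:base]
    if not digits or any(c not in allowed for c in digits.lower()):
        raise ValueError(f"not a number: {text!r}")
    return int(digits, base)

def numeric_host_to_ipv4(host):
    """Dotted quad for a numeric host in any inet_aton() form, else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [parse_part(p) for p in parts]
    except ValueError:
        return None  # a real hostname such as angelfire.com
    # Leading parts are one byte each; the last part fills the remaining bytes.
    if any(n > 0xFF for n in nums[:-1]) or nums[-1] >= 256 ** (5 - len(nums)):
        return None
    value = nums[-1]
    for i, n in enumerate(nums[:-1]):
        value |= n << (8 * (3 - i))
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

def deobfuscate(url):
    """Return (userid, host with percent escapes undone, IPv4 or None)."""
    parts = urlsplit(url)
    host = unquote(parts.hostname or "")
    return parts.username, host, numeric_host_to_ipv4(host)

if __name__ == "__main__":
    # Constructed samples; only http://3626046468/ is taken from the post.
    for url in ("http://3626046468/",
                "http://something@%33%3626046468/some/path/",
                "http://0330.041.024.04/",
                "http://0xdeadbeef/"):
        print(url, "->", deobfuscate(url))
```

A filter can treat any URL for which the third field is not None as a numeric-host link and match the decoded address, rather than the text as written, against its block lists.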