SUMMARY: Netscape Hostname Magic? (Not.)

From: Jochen Bern (
Date: Wed Jun 02 1999 - 16:35:27 CDT

Short synopsis of the question: We received spam with a strange URL;
> Dissecting the URL, I condensed it into:
> http://3626046468/
> [...] I can do a 'ping
> 3626046468', which seems to interpret the "hostname" as a decimal
> 4-byte integer representing the IP#, i.e., I effectively ping
> - which seems to be unresponsive. Netscape, however,
> ends up on the webserver (!?

Solution: Improve mastery of mouse when doing cut+paste, or doublecheck
        what you do. :-} I accidentally pinged

        362604646 (dec) = 159CE866 (hex) = 15.9C.E8.66 = (dec)

        rather than
        3626046468 (dec) = D8211404 (hex) = D8.21.14.04 = (dec)

        Did I mention that I have a diploma in business math? !-S

Other possibilities:
> It is possible to embed javascript in a URL. Have you looked
> at the thing with a regular editor?

        That's why I experimentally reduced it to just "http://3626046468/"
        - not much room for such nasties in there, even if it were base64d
        Java bytecode. ;-)

        1> There are no stupid questions ... outside of game shows that is ;-)

        Don't challenge me on that. :-)))

        2> Summarize that one -- I have seen it quite a bit on use net as
        2> well - at first I thought it may have been some sort of IP
        2> address format that could be resolved, but any mathematical
        2> calculations don't cut it.

        FWIW, the other "camouflage techniques" used in the URL as I
        received it were
        a) Percent escapes (e.g., "%30" instead of "0" - note that
           30 (hex) is the ASCII code of "0") and
        b) A userid mixed in (i.e., http://something@3626046468/some/path/),
           though I assume that this userid actually gets logged in the
           WWW server logs, allowing the spammer to gauge "success" of
           every single spam campaign.

        3> FWIW - Spammers sometime use octal values by preceeding each
        3> octet with a leading ZERO ("0").

        "0x" for hex equally works. (Just tried the famous 0xdeadbeef. ;-)

Thanks to:
        Ian MacPhedran
        Tim Pointing
        Rich Lafferty
        Chad Price
        Trevor Paquette
        Harvey Wamboldt
        Frank Sorenson
        Bruce Bowler
        Todd Herr
        Tom Cowan
        Michael Maciolek
        Burch Seymour RTPS
        Dale Hsu
        Michael Kalus
        Chris Eslinger
        Rik Schneider
        Eric D. Pancer
        James Ford
        Matthew Stier
        Drew Watson
        Charlie Mengler
        Mike Fletcher
        Bryan Blackburn
        Graydon Dodson
        Brion Leary
        ... and probably quite a lot still to come.

Thanks again,
                                                                J. Bern

  /\  /""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""\
 /  \/| P.O. box 1203 | Ham: \/\
/ J. \ (Accepting PGP, MIME, SUNAttachments) | D-54202 Trier | DD0KZ/  \
\Bern/ finger       | Email autoreply  \  /
 \  /\ | on subject '##'  /\/
  \/  \____________________________________________________________/

This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:13:20 CDT