
Strange URL Configuration: domain.com@12345


Ron Parker

May 29, 2000, 3:00:00 AM
I received spam today with a response url:

http://www.rankingtothetop.com@1078106110/

Funny thing is, this works! My questions:

1. How does this work (i.e., I enter this into my browser and the page
comes up).
2. How do I decipher this to find out what the IP is for this site (or
real domain name) or ISP so I can complain about the spam.

Thanks, much.

-ron

--
Ron Parker
Software Creations http://www.scbbs.com
TradeWinds Publishing http://www.intl-trade.com
TradePoint Los Angeles http://www.tradepointla.org
SiteDirector Security Server http://livepublish.scbbs.com
Civil War Online Library http://civilwar.scbbs.com

Tilman Schmidt

May 29, 2000, 3:00:00 AM
At 06:26 29.05.00 +0000, Ron Parker wrote:
>I received spam today with a response url:
>
> http://www.rankingtothetop.com@1078106110/
>
>Funny thing is, this works! My questions:
>
>1. How does this work (i.e., I enter this into my browser and the page
>comes up).

The part after the @ determines the server. If this is a decimal number
many resolvers interpret it as a numeric IP address. The part before
the @ is just sent along as the username in the HTTP request and
probably ignored by the server.

>2. How do I decipher this to find out what the IP is for this site (or
>real domain name) or ISP so I can complain about the spam.

1078106110 = 0x404297FE = 0x40.0x42.0x97.0xFE = 64.66.151.254

A reverse lookup yields SERVFAIL consistently, and I suspect this is
intentional, given the names of the servers for the reverse domain:

151.66.64.in-addr.arpa. 5d16h47m13s IN NS NS.SITEPROTECT.COM.
151.66.64.in-addr.arpa. 5d16h47m13s IN NS NS2.SITEPROTECT.COM.

whois.arin.net says the address belongs to:

Hostway Corporation (NETBLK-HOSTWAY-03)
216 W. Jackson Blvd. Suite 325
Chicago, IL 60610
US

Netname: HOSTWAY-03
Netblock: 64.66.128.0 - 64.66.159.255
Maintainer: HSWY

Coordinator:
Network, Administrator (AN94-ARIN) n...@HOSTWAY.NET
312-782-7875

Hope that helps.

--
Tilman Schmidt E-Mail: Tilman....@sema.de (office)
Sema Group Koeln, Germany til...@schmidt.bn.uunet.de (private)

Stephen Carville

May 29, 2000, 3:00:00 AM
This is called a dword representation. A quick way to convert these
values is to use ping:

# ping 1078106110
PING 1078106110 (64.66.151.254): 56 data bytes
64 bytes from 64.66.151.254: icmp_seq=0 ttl=240 time=179.3 ms
64 bytes from 64.66.151.254: icmp_seq=1 ttl=240 time=146.0 ms

Some spammers will add 2^32 to the dword to make it even more obscure
but this only works with Internet Explorer. (Hey it's a _feature_ :-)

The following explains briefly how and why this works.

http://www.nwi.net/~pchelp/obscure.htm

Lawrence Chan

May 29, 2000, 3:00:00 AM
Hello,

How would the resolver know to read only the stuff to the right of the @ sign
and to ignore the rest of the URL? Apparently it works, but does it work on
all TCP/IP machines? Is it legal in RFC sense?

Lawrence Chan
lc...@montevino.com

________________________________________________________


doctah rimalz wrote:

> [14:42:12] root@vanity:~/ > ping 1078106110
> PING 1078106110 (64.66.151.254): 56 data bytes
> 64 bytes from 64.66.151.254: icmp_seq=0 ttl=246 time=50.5 ms
>
> ...that's how I decipher them.

Tilman Schmidt

May 29, 2000, 3:00:00 AM
At 12:01 30.05.00 +0800, Lawrence Chan wrote:
[quoting repaired]
> > > >
> > > > http://www.rankingtothetop.com@1078106110/
> > > >
> > > >1. How does this work (i.e., I enter this into my browser and the page
> > > >comes up).
> > >
> > > The part after the @ determines the server. If this is a decimal number
> > > many resolvers interpret it as a numeric IP address. The part before
> > > the @ is just sent along as the username in the HTTP request and
> > > probably ignored by the server.
>[...]

>How would the resolver know to read only the stuff to the right of the @ sign
>and to ignore the rest of the URL?

The resolver never sees anything but the stuff to the right of the @ sign.
It's the browser's task to parse the URL and pass only the host name to the
resolver. And the host name in the above URL is 1078106110. Syntactically
www.rankingtothetop.com is the username, never mind that it looks like a
domain name to you and me.

> Apparently it works, but does it work on
>all TCP/IP machines? Is it legal in RFC sense?

The obfuscation with the @ sign and the username that looks like a domain
name is legal in the RFC sense and will work on any machine that correctly
parses URLs. The IP address encoded as a single 32 bit decimal number is
not RFC conformant but an artefact of how the most popular resolvers
process numeric addresses, so there may well exist machines, or rather
programs, where it doesn't work. But spammers don't care for that. They
go for the majority.

Kevin D. Quitt

May 30, 2000, 3:00:00 AM
On 29 May 2000 21:05:54 -0700, "Lawrence Chan" <webm...@montevino.com>
wrote:


>Hello,
>
>How would the resolver know to read only the stuff to the right of the @ sign
>and to ignore the rest of the URL?

It doesn't ignore it. It passes it to the server. URLs can contain a
username and password (IE doesn't do this right - are you surprised?).

And the host name can be hex, octal, or decimal.

--
#include <standard.disclaimer>
_
Kevin D Quitt USA 91351-4454 96.37% of all statistics are made up
Per the FCA, this email address may not be added to any commercial mail list
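
Added example, not part of any post in this thread: a Python sketch for triaging such a URL by separating the userinfo from the real host and decoding a decimal, hex or octal host to a dotted quad. It generalizes the thread's single dword case to the 1-to-4-part numeric forms; the function names, the `wrap` option and the `decoy_userinfo` heuristic are assumptions of this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

_NUM = re.compile(r"0[xX][0-9a-fA-F]+|[0-9]+")

def _part(text):
    """Parse one host component as a C-style literal: 0x hex, leading-0 octal, else decimal."""
    if not _NUM.fullmatch(text):
        raise ValueError(text)
    if text[:2].lower() == "0x":
        return int(text, 16)
    return int(text, 8) if len(text) > 1 and text[0] == "0" else int(text, 10)

def numeric_host_to_ipv4(host, wrap=False):
    """Return the dotted quad for a numeric host, or None if it is not one.

    Uses the classic inet_aton convention: 1 to 4 parts, the last part fills
    all remaining bytes. wrap=True also reduces a single oversized number
    modulo 2**32 (the "add 2^32" variant mentioned in the thread).
    """
    try:
        nums = [_part(p) for p in host.split(".")]
    except ValueError:
        return None
    if len(nums) > 4:
        return None
    *head, last = nums
    if wrap and not head:
        last %= 1 << 32
    if any(n > 0xFF for n in head) or last >= 1 << (8 * (4 - len(head))):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return str(ipaddress.IPv4Address(value))

def analyze_url(url):
    """Split userinfo from the real host and decode the host if it is numeric."""
    parts = urlsplit(url)
    user = parts.username or ""
    host = parts.hostname or ""
    return {
        "userinfo": user,
        "host": host,
        "ipv4": numeric_host_to_ipv4(host, wrap=True),
        # Heuristic (assumption of this example): userinfo shaped like a hostname is a decoy.
        "decoy_userinfo": "." in user,
    }

SAMPLE = "http://www.rankingtothetop.com@1078106110/"  # URL quoted in the thread
```

The decoded address can then be fed to a reverse lookup or whois query, as done in the replies above.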

