We all get the odd spam, depending on the effectiveness of your spam filter of course! Most of them look the same at face value: some text describing the product the spammer is pushing, maybe an image, and a link for you to click on. Take the following spam we have been seeing recently. It looks normal to the naked eye, but hidden beneath the HTML are some new tricks a spammer is trying out!

Sample Spam

These guys will try absolutely anything to get around anti-spam filters. In this case the spammer has decided to do some magic with the link in the spam.

I’ll reproduce what the spammer did with a link to our own Avert Labs website of http://www.avertlabs.com (this is not the link that was spammed) to save you clicking on to any undesirable websites. The link in the spam was in the following format:

http://0x00000cd.227.0000000000000000210.0x000000000074

If you click on it you will be taken to http://www.avertlabs.com. So how do all these funny-looking numbers, characters and dots get me to that website, you might ask? Well, the link is actually an IP address (http://205.227.136.116), but instead of writing it in decimal numbers the spammer has opted for a mixture of octal, hexadecimal and decimal numbers with a few extra zeros for good measure. The following table shows the different numbers a spammer could mix to obfuscate the IP address for avertlabs.com.

Decimal   Octal   Hexadecimal
227       0315    0xcd
49        0343    0xe3
136       0210    0x88
116       0164    0x74

This leaves the spammer with many different variations of the link. A few examples are:

http://0315.0343.136.0x74
http://0xcd.227.0210.0x74
http://0xcd.0xe3.136.0164
http://0315.0xe3.0210.0x74

Web browsers understand all the different number systems used here and don’t mind extra zeros so the links work perfectly well no matter what combination of the above you use. So with an arbitrary number of zeros the spammer can create an infinite number of different links.

http://000000000000315.00000343.136.0x0000074
http://0x00000cd.227.0000000000000000210.0x000000000074
http://0x0000000000cd.0x0000000000e3.136.000000000164
http://00000315.0x0000000e3.000000210.0x000000074
http://0x0000cd.0x0000000e3.0x0000088.0x0000000074
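
A filter can undo this trick by normalising the host to plain dotted decimal before comparing it with blocklists or earlier sightings. The Python below is an added example, not code from the original post; the function names are hypothetical, and it handles only the four-part octal/hex/decimal form described above.

```python
import re
from urllib.parse import urlsplit

# One dotted component: 0x-prefixed hex, or a run of digits (octal if it has a leading 0).
_PART = re.compile(r"^(?:0x[0-9a-f]+|[0-9]+)$", re.IGNORECASE)

def parse_part(part):
    """Return the integer value of one component, or None if it is not numeric."""
    if not _PART.match(part):
        return None
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        try:
            return int(part, 8)       # leading zero means octal; extra zeros are harmless
        except ValueError:
            return None               # e.g. "089" contains non-octal digits
    return int(part, 10)

def canonical_ipv4(host):
    """Map a four-part numeric host to plain dotted decimal, or None if it is not one."""
    parts = host.split(".")
    if len(parts) != 4:
        return None
    octets = [parse_part(p) for p in parts]
    if any(o is None or o > 255 for o in octets):
        return None
    return ".".join(str(o) for o in octets)

def check_url(url):
    """Return (canonical_ip, is_obfuscated) for numeric-IPv4 hosts, else None."""
    host = urlsplit(url).hostname or ""
    ip = canonical_ipv4(host)
    return None if ip is None else (ip, ip != host)

if __name__ == "__main__":
    samples = [  # the first three are link forms quoted in the article
        "http://0x00000cd.227.0000000000000000210.0x000000000074",
        "http://0315.0343.136.0x74",
        "http://0xcd.0xe3.136.0164",
        "http://205.227.136.116",
        "http://www.avertlabs.com",
    ]
    for url in samples:
        print(url, "->", check_url(url))
```

Every padded variant collapses to the same canonical address, so one blocklist entry covers them all, and the `is_obfuscated` flag can be scored as a spam signal in its own right.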

This is the latest in a long list of methods we have seen spammers use to obfuscate URLs in spam. What will they think of next?