How to Obscure Any URL
                 How Spammers And Scammers Hide and Confuse
                  Last Updated Thursday, 28 October 1999
  ------------------------------------------------------------------------

The URL (Universal Resource Locator) of the page you are now viewing is
http://www.nwi.net/~pchelp/obscure.htm.

It is also
http://3513587746@3466536962/%7ep%63h%65l%70/o%62s%63ur%65%2e%68t%6D. Go
ahead and click on that link. It'll take you right back to this very page.

The weird-looking address above takes advantage of several things many
people don't know about the structure of a valid URL.

There's a little more to Internet addressing than commonly meets the eye;
there are conventions which allow for some interesting variations in how an
Internet address is expressed.

These tricks are known to the spammers and scammers, and they're used
freely in unsolicited mails. You'll also see them in ad-related URLs and
occasionally on web pages where the writer hopes to avoid recognition of a
linked address for whatever reason. Now, I'm making these tricks known to
you. Read on, and you'll soon be very hard to fool.



How It's Done

Here it is again:
http://3513587746@3466536962/%7ep%63h%65l%70/o%62s%63ur%65%2e%68t%6D

First take note of the "@" symbol that appears amid all those numbers. In
actual fact, everything between "http://" and "@" is completely irrelevant!
Just about anything can go in there and it makes no difference whatsoever
to the final result. Here are two examples:

http://doesn'tmatter@www.nwi.net/~pchelp/obscure.htm

http://!$%^*()_-+={[}]|\:;,@www.nwi.net/~pchelp/obscure.htm

Go ahead and use the links. You'll be back to this page again. I've added
bookmarks so you won't lose your place.

This feature is actually used for authentication. If a login name and/or
password is required to access a web page, it can be included here and
login will be automatic.

Example: http://username:password@www.whatever.com/secret/eyesonly.htm

But if the page requires no authentication, the authentication text is in
effect ignored by both browser and server.

This presents interesting possibilities for confusing the unsuspecting
user. How about this one:

http://www.playboy.com@3466536962/~pchelp/obscure.htm

If you didn't know better, you might think this page were at playboy.com!

All right, so what about that long number after the "@"? How does
3466536962 get you to www.nwi.net?

In actual fact, the two are equivalent to one another. This takes a little
explaining so follow me carefully here.

The first thing you need to know (most Net users know this), is that
Internet names translate to numbers called IP addresses. An IP address is
normally seen in "dotted decimal" format. www.nwi.net translates to
206.159.40.2.

Numeric IP addresses are generally unrecognizable to people. That's why we
use names for network locations in the first place.

Merely using an IP address, in its usual dotted-decimal format, in place of
the name is commonly done and can be quite effective at leaving the human
reader in the dark.

But there are other ways to express that same number. The alternate formats
are:

   * "dword" - meaning double word, because it consists essentially of two
     binary "words" of 16 bits each; but it is expressed in decimal (base 10);
   * "octal", meaning it's expressed in base 8; and
   * "hexadecimal", hexa=6 + deci=10 (base 16).

The dword equivalent of 206.159.40.2 is 3466536962. Its octal and
hexadecimal equivalents are also illustrated below.

Why obscure names in the first place? Most often it's because by
publicly-available registration records, the owners of domain names can
often be identified. Even if the owner isn't traceable by that record, his
service provider is. The last thing any scammer or spammer wants is to be
found by his victims, or to have his service provider alerted to his
abuses.

Below, I explain how you can get an IP address for any name, how to convert
a dotted-decimal IP address to the dword format, and how the octal and hex
formats work.

Okay, so what about the rest of the URL? Let's look yet again at that weird
address I first showed you:

http://3513587746@3466536962/%7ep%63h%65l%70/o%62s%63ur%65%2e%68t%6D

It's beginning to make some sense, isn't it? But what's all that gibberish
on the right? Here's how that works:

Individual characters of a URL's path and filename can be represented by
their ASCII numbers in hexadecimal form. Each hex number is preceded by a "%"
symbol, which marks the two digits (0-9, A-F) that follow as the hexadecimal
representation of one character. The practical use for this is to make it
possible to include spaces and unusual characters in a URL. But it works
for all characters and can render perfectly readable text into a complete
hash.

In my example, I have interspersed hex representations with the real
letters of the URL. It simply spells out "/~pchelp/obscure.htm" in the
final analysis:

%7e p %63 h %65 l %70 / o %62 s %63 ur %65 %2e %68 t %6D
 ~  p  c  h  e  l  p  / o  b  s  c  ur  e   .   h  t  m

The letters used in the hex numbers can be either upper or lower case. The
"slashes" in the address cannot be represented in hex; nor can the IP
address be rendered this particular way. But everything else can be.
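The decoy-text and hex-escape tricks described above, in an added Python example (not code from the original page): it splits off everything before the last "@" of the authority as the ignored login text, reports the host the browser really contacts, and decodes the %XX escapes in the path. The sample URL is the page's own trick address.

```python
import re

# Constructed sample: the page's own trick URL, with decoy text before the
# "@" and hex escapes mixed into the path.
SAMPLE_URL = "http://3513587746@3466536962/%7ep%63h%65l%70/o%62s%63ur%65%2e%68t%6D"

_PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def split_url(url):
    """Split an absolute URL into (userinfo, host, path).

    The authority is the text between "://" and the first "/"; anything in
    it before the last "@" is userinfo, which a browser only uses for login
    and otherwise ignores, so it can say whatever the sender likes.
    """
    _scheme, sep, rest = url.partition("://")
    if not sep:
        raise ValueError("not an absolute URL: %r" % url)
    authority, slash, path = rest.partition("/")
    userinfo, at, host = authority.rpartition("@")
    if not at:                      # no "@": the whole authority is the host
        userinfo, host = "", authority
    return userinfo, host, slash + path


def decode_percent(text):
    """Replace every %XX escape (upper or lower case) with its ASCII character.

    A "/" hidden as %2F is left escaped, since decoding it would change the
    path structure rather than just reveal a letter.
    """
    def repl(match):
        char = chr(int(match.group(1), 16))
        return match.group(0) if char == "/" else char
    return _PCT.sub(repl, text)


def unmask(url):
    """Describe what a reader is shown versus where the link really goes."""
    userinfo, host, path = split_url(url)
    return {
        "decoy": userinfo,             # ignored by browser and server
        "host": host,                  # what the browser actually contacts
        "path": decode_percent(path),  # the path with hex escapes resolved
        "has_decoy": bool(userinfo),   # login text in a plain web link is a red flag
    }


if __name__ == "__main__":
    for u in (SAMPLE_URL, "http://www.playboy.com@3466536962/~pchelp/obscure.htm"):
        print(u, "->", unmask(u))
```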



Hexadecimal Character Codes

Hex character codes are simply the hexadecimal (base 16) numbers for the
ASCII character set; that is, the number-to-letter representations which
comprise virtually all computer text.

To find the numeric value for an ASCII character, I often use a little
batchfile I wrote for the purpose years ago; and then if I want the hex
equivalent I usually do the math in my head. It just requires familiarity
with the multiples of 16 up to 256.

For most people, the conversion is probably best done with a chart. The
best ASCII-to-hex chart I have ever seen is on the website of Jim Price:
http://www.jimprice.com/jim-asc.htm. Jim explains the ASCII character set
wonderfully well, and provides a wealth of handy charts.

I can't improve on Jim's excellent work! Print out Jim's ASCII-to-hex chart
and you're in business. If Jim's site ever disappears, let me know and I'll
do a chart of my own.



In Sum

URLs can be obscured at least three ways:

  1. Meaningless or deceptive text can be added after "http://" and before
     an "@" symbol.
  2. The domain name can be expressed as an IP address, in dotted-decimal,
     dword, octal or hexadecimal format.
  3. Characters appearing after the IP address can also be expressed as
     hexadecimal (base 16) numbers.

Below, I provide the whole scoop on the IP address formats.



IP Addresses

IP addresses are most commonly written in the dotted-decimal format. A
valid dotted-decimal IP number has up to 4 numeric segments, each separated
by a period. The numbers must range from 0 to 255.

Translation of a network name to its IP address is usually done in the
background by your network software, invisible to the user. Given a name,
your browser queries a name server, a machine somewhere on the Net which
performs this basic network addressing function; it thereby obtains the
numeric IP address and then uses that address to direct its requests to the
right computer, somewhere out there on the Net.

There is a standard utility which allows the user to perform these name
server lookups directly and see the results. It's called NSLOOKUP.

A wide variety of nslookup utilities is available on the Net, often for free
download. Some provide a graphical interface under Windows, but the
original and most basic nslookup is run from a textual command line. One
such command-line utility is included in my free Network Tracer. Please
download it if you're interested.

Place NSLOOKUP.EXE in your Windows directory and you can use it from a DOS
window. A simple nslookup query is structured as follows:

nslookup [name or IP address] [name server]

A name server has to be specified, either by name or IP address. If you
don't know a name server address for your own ISP (it can usually be found
in your Dial-Up Networking setup), use this one: 198.41.0.196

A valid query for my ISP's web server address would be:

nslookup www.nwi.net 198.41.0.196

Here's what that command puts out in response, with my comments:

nslookup www.nwi.net 198.41.0.196  <-- Here's the command you typed in
Server:  ns.netsol.com             <-- The name server you utilized
Address:  198.41.0.196             <-- This is the name server's IP address

Non-authoritative answer:          <-- This means a name server other than the one you queried is the actual source of the record.
Name:    sundance.nwinternet.com   <-- The "real" name of www.nwi.net
Address:  206.159.40.2             <-- This is what you came here for: the IP address of www.nwi.net
Aliases:  www.nwi.net              <-- www.nwi.net is an alias -- not the primary name given to that address, but a valid one.

It's a powerful utility; it can find names for known addresses, addresses
for known names, and a variety of other information relevant to an Internet
address. But doing some of the fancier things with NSLOOKUP is difficult if
you're not already technically savvy. For the technically inclined, there
is a manual; and several examples of its use can be found in TRACE.BAT, the
primary component of my Network Tracer.

If you're determined to avoid the DOS command line, and want a tool that
will do most of the thinking for you, I recommend NetScanTools, a
reasonably-priced network utility toolbox. It's available as a 30-day
shareware demo and a bargain at just $25. NetScanTools is not merely an
address-lookup utility; it can do a great many things. For a Windows user
trying to comprehend the nuts and bolts of the Net, it's a whole world of
discovery.

You can also do your name server lookups with a web browser. There are
nslookup "gateways" scattered around on the Web. One such gateway is at:
http://www.interlog.com/~patrick/cgi/nslookup.cgi



Converting An IP Address to Dword Format

I could create a math lesson about this, and tell you all about bits and
bytes and base 16. But it's not really necessary. Anyone with a Windows
system has a handy calculator that makes it simple to convert decimal
numbers to hex, and to find the dword equivalent of any dotted-decimal IP
number. You should find it by selecting Start ... Programs ... Accessories
... Calculator. (Screenshots of the Calculator in Standard mode and in
Scientific mode appeared here.)

You'll need it in Scientific mode for this purpose.

Let's start with the IP address for this site's web server: 206.159.40.2.
We want to obtain the hex equivalent for each of the 4 numbers separated by
dots. Enter the first IP number, 206. Now select the button on the upper
left which says Hex: the number will now display as the hexadecimal value
CE. (Screenshots of these two steps appeared here.)

Write this hex value down! Now, select the Dec button to go back to decimal
mode; clear the entry with the C or CE button, and you're ready to enter
the next IP number. Do each one the same way as above. When you get to the
last number, you'll find it's the same in hex: 2. Write it down as 02.
Always add a leading zero to single-digit results.

Now put them all together and you should have this hexadecimal value:
CE9F2802

It will always be an 8-digit number.

Clear the calculator and place it in Hex mode. Enter the hex number,
CE9F2802. Now select the Dec button, and the dword equivalent will be the
result. (Screenshots of these two steps appeared here.)

And there it is; that same number I used in the trick URL I first showed
you: 3466536962.

Reversing the process will bring you back to the dotted-decimal address.
Convert the dword number to hex, then each of the 4 pairs of hex numbers to
decimal.

There's another way to do this which is very simple math, but I find it
takes just as long to do manually. Multiply the numbers of the IP address
by the following fixed values (which are powers of 256), then add the
results:

                206  x    16777216  (256^3)  =     3456106496
                159  x       65536  (256^2)  =       10420224
                 40  x         256  (256^1)  =          10240
                  2  x           1  (256^0)  =              2
                                                  ----------
                                                  3466536962

Now, there is a further step that can make this address even more obscure.
You can add to this dword number any multiple of the quantity 4294967296
(256^4, which is 2^32) -- and it will still work. This is because when the
sum is converted to binary, the last 8 hexadecimal digits (32 bits) remain
the same. Everything to the left of those 8 hex digits is discarded by the
IP software and therefore irrelevant.

Thus, the following URLs will also work:

http://7761504258/~pchelp/obscure.htm
http://16351438850/~pchelp/obscure.htm
http://231099803650/~pchelp/obscure.htm

I know of no DOS or Windows program made specifically to do a dword
conversion. But there's a handy script on Matthias Fichtner's website which
will quickly convert any IP address to its dword value and vice-versa:
http://www.fichtner.net/tools/ip2dword/.



Octal IP Addresses

As if all this weren't enough, an IP address can also be represented in
octal form -- base 8.

The URL for this page with its IP address in octal form looks like this:
http://0316.0237.050.02/~pchelp/obscure.htm
Go ahead, try it. You'll be right back here once again.

Note the leading zeroes. They're necessary to convey to your browser the
fact that this is an octal number. Any number of leading zeroes can be
added to any or all of the numbers in the address. For example:
http://000316.000000237.000050.0000000002/~pchelp/obscure.htm

Naturally, arbitrary authentication text can also be added to an octal
address. Example:
http://www.sleazy-ad.com@000316.000000237.000050.0000000002/~pchelp/obscure.htm

I'll spare you a detailed description of octal conversion. Most people can
probably figure it out, and those who can't can always use the nifty
URLomatic at www.samspade.org. It will reveal the IP address of a dword- or
octal-formatted URL, as well as decode hex character codes.

This link to the URLomatic will completely decipher my original example
address.

Many thanks to Dan, who read this page and directed me to those great tools
at samspade.org. Check it out!



Hexadecimal IP Addresses

You thought that was all? Well, so did I, until one Daniel Dočekal informed
me otherwise. There is yet another obscure way to express an IP address.

Remember that hexadecimal number we calculated above? That number
(CE9F2802) can be expressed as an IP address in this manner:
0xCE.0x9F.0x28.0x02

The "0x" designates each number as a hex quantity.

The dots can be omitted, and the entire hex number preceded by 0x:
0xCE9F2802

And, additional arbitrary hex digits can be added to the left of the "real"
number: 0x9A3F0800CE9F2802

Some browsers (Netscape 3.x and 4.x for instance) won't work with hex IPs;
but for IE users, this page's URL can be:
http://0xCE.0x9F.0x28.0x02/~pchelp/obscure.htm
or:
http://0xCE9F2802/~pchelp/obscure.htm
or:
http://0x9A3F0800CE9F2802/~pchelp/obscure.htm



It's Not Over Yet

Ah, you thought you had it all nailed down? Well, it's mix-and-match time!

Believe it or not, the following URL, which uses hex, decimal and octal
numbers in the IP address, actually works:
http://0xCE.159.050.0x02/~pchelp/obscure.htm

This mixed-format address also works with bogus authentication text:
http://spam-world.net@0xCE.159.050.0x02/~pchelp/obscure.htm

For Netscape users, omitting the hex is necessary, but decimal and octal
can be mixed: http://spam-world.net@0316.159.050.2/~pchelp/obscure.htm

Thankfully, the wonderful URLomatic at samspade.org deals with these
mixed-up IPs just fine.
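The dword, octal, hexadecimal and mixed spellings covered from the calculator section onward, in an added Python example (not the page's code, nor the URLomatic's): it reads each dotted component by its prefix, assembles the 32-bit value the way inet_aton does (so the 2- and 3-part forms, which the page does not show, are handled as well) and returns the canonical dotted-decimal address. The sample list is constructed from the page's own examples.

```python
# Constructed samples: every spelling of 206.159.40.2 shown on this page.
SAMPLES = [
    "206.159.40.2",                        # dotted decimal
    "3466536962",                          # dword
    "7761504258",                          # dword plus one multiple of 2^32
    "0316.0237.050.02",                    # octal, marked by the leading zero
    "000316.000000237.000050.0000000002",  # octal with extra leading zeros
    "0xCE.0x9F.0x28.0x02",                 # hex per part
    "0xCE9F2802",                          # one hex number
    "0x9A3F0800CE9F2802",                  # extra hex digits on the left
    "0xCE.159.050.0x02",                   # hex, decimal and octal mixed
]


def part_value(part):
    """One dot-separated component, read as 1990s browsers did:
    "0x" prefix = hexadecimal, leading "0" = octal, otherwise decimal."""
    if part[:2].lower() == "0x":
        return int(part[2:], 16) if len(part) > 2 else 0
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def to_dword(host):
    """32-bit value of a numeric host in any of the formats above.
    Four parts are four bytes; with fewer parts the last one fills the
    remaining bytes (the inet_aton rule, which also covers the plain dword
    form). Excess high bits of the last part are dropped, which is why
    adding any multiple of 2^32 to the dword still worked."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError("not a numeric IPv4 host: %r" % host)
    values = [part_value(p) for p in parts]
    if any(not 0 <= v <= 255 for v in values[:-1]):
        raise ValueError("component out of range in %r" % host)
    width = 8 * (5 - len(parts))           # bits available to the last part
    result = 0
    for v in values[:-1]:
        result = (result << 8) | v
    return (result << width) | (values[-1] & ((1 << width) - 1))


def to_dotted(dword):
    """Undo the powers-of-256 sum: split a dword into its four bytes."""
    return ".".join(str((dword >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def normalize_host(host):
    """Canonical dotted-decimal form of an obscured numeric host."""
    return to_dotted(to_dword(host))
```

Browsers that follow the current WHATWG URL Standard reject a number that overflows its component (a single number of 2^32 or more, for instance) instead of keeping the low 32 bits, so the truncation here reproduces the 1999 behaviour the page describes rather than what a current browser does.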

