Strange URL Configuration: domain.com at 12345

Stephen Carville carville at ugsolutions.com
Mon May 29 18:38:48 UTC 2000


This is called a dword representation.  A quick way to convert these
values is to use ping:

# ping 1078106110
PING 1078106110 (64.66.151.254): 56 data bytes
64 bytes from 64.66.151.254: icmp_seq=0 ttl=240 time=179.3 ms
64 bytes from 64.66.151.254: icmp_seq=1 ttl=240 time=146.0 ms 

Some spammers will add 2^32 to the dword to make it even more obscure
but this only works with Internet Explorer.  (Hey it's a _feature_ :-)

The following explains briefly how and why this works.

http://www.nwi.net/~pchelp/obscure.htm

Tilman Schmidt wrote:
> 
> At 06:26 29.05.00 +0000, Ron Parker wrote:
> >I received spam today with a response url:
> >
> >     http://www.rankingtothetop.com@1078106110/
> >
> >Funny thing is, this works!  My questions:
> >
> >1. How does this work (i.e., I enter this into my browser and the page
> >comes up).
> 
> The part after the @ determines the server. If this is a decimal number
> many resolvers interpret it as a numeric IP address. The part before
> the @ is just sent along as the username in the HTTP request and
> probably ignored by the server.
> 
> >2. How do I decipher this to find out what the IP is for this site (or
> >real domain name) or ISP so I can complain about the spam.
> 
> 1078106110 = 0x404297FE = 0x40.0x42.0x97.0xFE = 64.66.151.254
> 
> A reverse lookup yields SERVFAIL consistently, and I suspect this is
> intentional, given the names of the servers for the reverse domain:
> 
> 151.66.64.in-addr.arpa.  5d16h47m13s IN NS  NS.SITEPROTECT.COM.
> 151.66.64.in-addr.arpa.  5d16h47m13s IN NS  NS2.SITEPROTECT.COM.
> 
> whois.arin.net says the address belongs to:
> 
> Hostway Corporation (NETBLK-HOSTWAY-03)
>     216 W. Jackson Blvd. Suite 325
>     Chicago, IL 60610
>     US
> 
>     Netname: HOSTWAY-03
>     Netblock: 64.66.128.0 - 64.66.159.255
>     Maintainer: HSWY
> 
>     Coordinator:
>        Network, Administrator  (AN94-ARIN)  noc at HOSTWAY.NET
>        312-782-7875
> 
> Hope that helps.
> 
> --
> Tilman Schmidt          E-Mail: Tilman.Schmidt at sema.de (office)
> Sema Group Koeln, Germany       tilman at schmidt.bn.uunet.de (private)
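
The decoding discussed in this thread, as an added Python example that is not part of the original messages: it separates the decoy userinfo before the `@` from the real host and converts a single-number (dword) host to a dotted quad, including the 2^32-padded variant. The function names and the returned dictionary layout are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# A host written as one number: decimal dword or the 0x hex form.
# A leading zero is excluded so octal-style hosts are not misread as decimal.
DWORD = re.compile(r"(0x[0-9a-f]+|[1-9][0-9]*)", re.IGNORECASE)


def decode_dword_host(host):
    """Return (dotted_quad, wrapped) for a single-number host, else None.

    wrapped is True when the value is 2^32 or larger, i.e. the padded
    form mentioned in the thread; it is reduced modulo 2^32 to show
    the address such a URL points at.
    """
    if not host or not DWORD.fullmatch(host):
        return None
    value = int(host, 16) if host.lower().startswith("0x") else int(host)
    wrapped = value >= 2**32
    return str(ipaddress.IPv4Address(value % 2**32)), wrapped


def analyze_url(url):
    """Report the real server of a URL that hides it behind user@dword."""
    parts = urlsplit(url)
    decoded = decode_dword_host(parts.hostname)
    findings = []
    if parts.username:
        # Everything before '@' is userinfo, not the server name.
        findings.append("userinfo before '@' is not the server: " + parts.username)
    if decoded:
        findings.append("numeric host decodes to " + decoded[0])
        if decoded[1]:
            findings.append("value exceeds 32 bits (2^32 padding)")
    return {
        "host": parts.hostname,
        "ip": decoded[0] if decoded else None,
        "findings": findings,
    }


if __name__ == "__main__":
    # URL quoted in the thread above.
    report = analyze_url("http://www.rankingtothetop.com@1078106110/")
    print(report["ip"])
    for line in report["findings"]:
        print(" -", line)
```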


