How Spammers Obscure Their Address

Spammers try to hide by playing all kinds of tricks with their domain names. You can still find them, however.

Have you ever encountered a Web page address that looked like this: http://20695733268/? Yes? It was featured prominently in spam you got? Well, of course. And of course you thought that spammers are so stupid they cannot even type a numerical URL right. Out of curiosity, you followed the link nonetheless -- and it worked!

Why Spammers Need Obscured URLs

Why do spammers use such obscure URLs instead of their normal, easy-to-remember alphanumeric form (in which the URL above would read http://about.com/)? They do not want you to remember them. They do not even want you to know them. If they used regular notation for URLs, they could easily be identified via a whois query that lists who owns a domain name. This is why they try to hide by applying all kinds of tricks to their domain name.

Why Obscured URLs Work

As you probably know, when you type a domain name (like "about.com") in your browser's address field and press Enter, the browser translates that easy-to-remember name into a series of numbers called an IP address. The IP address for "about.com" is "209.143.212.20", for example. Your browser does not only translate the usual domain names to IP addresses; it can also translate other strings to the same IP address. One example is "20695733268", which also turns out to be "209.143.212.20". There are a number of tricks you can play on a domain name and still have the Web browser translate it to the same IP address (although some modifications do not work with all browsers).

Reverse-Engineering Obscured URLs

If your browser can translate the obscure URLs used by spammers into IP addresses that make sense, you can do that, too. Then you can get the domain name corresponding to the IP address, and you can complain to the spammer's ISP. All you need is a scientific calculator (the one built into Windows will do fine) and the detailed discussion of obscured URLs on this site: http://3513587746@3484559912/o%62s%63ur%65%2e%68t%6D.

Or was that http://www.pc-help.org/obscure.htm?

If you are not interested in the maths behind the spammers' tricks, and if you think computers are better mathematicians than you anyway, you can let your command line do the engineering for you. Select Run... from the Start menu and type "cmd" followed by Return to get a DOS prompt. Type "nslookup " followed by the obscured URL. To reverse-engineer the URL from the beginning, you would type "nslookup 20695733268" and press Return; in a matter of seconds you should get not only the IP address, but also the domain name.

If you do not have nslookup, you can get a copy for Windows 3.1x or 95 or for Windows 95, 98, ME, NT or 2000 from Trumphurst. On a Mac, you can use DNS Lookup in very much the same way. And if you run any kind of Unix (including Mac OS X), use "nslookup" from your terminal program.
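
The calculator work described above, as an added example that is not part of the original article: it undoes the three tricks visible in the article's two sample URLs (an all-decimal host, a decoy before the "@", and percent-encoded letters). The function names `host_to_ip` and `deobscure` are hypothetical, and wrapping the number modulo 2**32 is an assumption that matches the article's pairing of 20695733268 with 209.143.212.20.

```python
from urllib.parse import unquote, urlsplit


def host_to_ip(host):
    """Dotted quad for an all-decimal host, else None (an ordinary name)."""
    if not (host.isascii() and host.isdigit()):
        return None
    # The article's 20695733268 does not fit in 32 bits. Assumption: the
    # lenient parser keeps only the low 32 bits, i.e. wraps modulo 2**32.
    value = int(host) % 2**32
    # Each byte of the 32-bit value is one octet of the dotted quad.
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def deobscure(url):
    """Return (readable_url, decoy_userinfo) for an obscured http URL."""
    parts = urlsplit(url)
    host = unquote(parts.hostname or "")
    ip = host_to_ip(host)
    path = unquote(parts.path)  # %62 -> b, %2e -> ., and so on
    readable = f"{parts.scheme}://{ip or host}{path}"
    # Everything before '@' is userinfo, not the host: report it separately.
    return readable, parts.username


# The two obscured URLs quoted in the article.
SAMPLES = [
    "http://20695733268/",
    "http://3513587746@3484559912/o%62s%63ur%65%2e%68t%6D",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        readable, decoy = deobscure(sample)
        print(f"{sample}\n  -> {readable}  (ignored userinfo: {decoy})")
```

The dotted-quad address it returns can then be looked up with nslookup or whois as the article describes.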

