Stupid URL Tricks
net.demon automatically decodes the funny URLs that spammers use to try to hide their actual address.
This feature is built into all the tools: just paste the entire URL into the tool you want to use,
and net.demon will figure it out for you.
The best thing about this is that you don't need to pull up a separate
tool to do it; being built right in, it saves you an extra step!
Examples:
- 209.214.12.258.com
  - This is really just a subdomain of 258.com (which had its plug pulled a long time ago)
- http://3625362989/
  - This resolves to: u166c45 [216.22.166.45] (forged rDNS but real IP address)
- http://0321.0314.0341.036/768.html
  - This is really IP address [209.204.225.30]
- http://208.165.68.130/ftp.206.105.68.101.htm
  - Ignores the ftp crap, this is really IP address [208.165.68.130]
- http://172.25.240.139@3519327329/ftp.102.htm
  - Trying to be sneaky, the part that LOOKS like an IP address is really part of the authentication
  - The real IP address is [209.196.172.97]
- http://ANONYMOUS.COM@983245%3724095782340%398423098234098098213098100025201600/checkthis/index.html
  - Don't be scared! The "%39" are just the hex encoding for ASCII digits (in this case, 9)
  - Ignore the "anonymous.com" part, it's in the authentication field.
  - This thing resolves to pfst.com [209.216.19.192] (forged rDNS but a real IP address)
- http://3469889520/3982739872389498232432432/2398732987983289273/3889293282930923923/1/
  - This is just IP address [206.210.79.240]
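The decoding steps behind the examples above, written out as an added Python sketch (not net.demon's own code): drop the path, drop the authentication field, undo the %XX encoding, then read the host as decimal, octal or hex numbers. The names `real_host` and `_num` are hypothetical, and wrapping an oversized single number modulo 2^32 is an assumption, chosen because it reproduces the address reported above.

```python
import re
from urllib.parse import unquote

def _num(part):
    """One host component, read as C's strtoul(..., 0) would: 0x hex, leading-0 octal, else decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
        return int(part, 16)
    if re.fullmatch(r"0[0-7]+", part):
        return int(part, 8)
    if re.fullmatch(r"0|[1-9][0-9]*", part):
        return int(part)
    return None  # not a number, so the host is a DNS name

def real_host(url):
    """Return the host a URL really points at: dotted-quad IP or lower-cased DNS name."""
    rest = re.sub(r"^[A-Za-z][A-Za-z0-9+.-]*://", "", url.strip())
    authority = re.split(r"[/?#]", rest, maxsplit=1)[0]   # path text is irrelevant
    host = authority.rsplit("@", 1)[-1]                   # text before '@' is login info
    host = re.sub(r":\d*$", "", unquote(host)).lower()    # undo %XX, drop any port
    nums = [_num(p) for p in host.split(".")]
    if len(nums) > 4 or None in nums:
        return host                                       # e.g. 209.214.12.258.com
    *head, last = nums
    if any(n > 255 for n in head):
        return host
    if not head:
        last %= 2 ** 32   # assumption: an oversized single number wraps modulo 2^32
    elif last >= 256 ** (4 - len(head)):
        return host       # last part too large for the bytes it has to fill
    addr = sum(n << (24 - 8 * i) for i, n in enumerate(head)) + last
    return ".".join(str((addr >> s) & 255) for s in (24, 16, 8, 0))

# The example URLs listed on this page.
SAMPLES = [
    "209.214.12.258.com",
    "http://3625362989/",
    "http://0321.0314.0341.036/768.html",
    "http://208.165.68.130/ftp.206.105.68.101.htm",
    "http://172.25.240.139@3519327329/ftp.102.htm",
    "http://ANONYMOUS.COM@983245%3724095782340%398423098234098098213098100025201600/checkthis/index.html",
    "http://3469889520/3982739872389498232432432/2398732987983289273/3889293282930923923/1/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{real_host(url):<20} <- {url}")
```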
References:
RFC 1034 - domain names, concepts and facilities
RFC 1035 - domain names, implementation and specification
Copyright 1998 - net.demon software (tm)