Help | Site Map
| Text size: - +
(Answer) (Category) SpamCop FAQ : (Category) General information about SpamCop : (Category) Non-SpamCop information :
How do you decode the munged URLs often found in spam?

Example: http://%4a%55%53%54%49%43%45@%33%35%31%37%37%31%32%39%30%35/

There are three things you need to know about to decode these URLs. They're not actually bogus; they're just made hard to read.

% encoding is normally used to encode characters that aren't legal in URLs; the spammers encode all (or at least some of) the characters, including the legal ones, to make them hard to read.

Each character is represented as a '%' followed by a two digit hex number, which corresponds to the ASCII code for the character. e.g. %4a is J

for your URL this gives us:

http://JUSTICE@3517712905/

Everything before the last @ sign in the URL is authentication information, which is ignored by most servers for most pages anyway. For the purposes of identifing the host, we can chop this off to get

http://3517712905/

This refers to the root page / on host IP 3517712905.

This large number is the IP address of the host, but written as one large decimal number rather than four smaller numbers as is normally the case. To convert it we first need to convert to hex, which gives us

D1AC0A09

Then we break this into two digit pieces:

D1.AC.0A.09

and convert to decimal:

209.172.10.9

SpamCop's hosttracker will do the same thing, and if you receive a SpamCop report for a URL, you can click the "see how SpamCop tracked this" link to see the steps it took.
When an e-mail is encoded @ 64 bits the HTML code is not tracked by spamcop bot: the code appear as if it was encoded @ 7 bits and no HTML tags are found. What can be done then?
[Append to This Answer]