Video Screencast Help
Security Response

Dotted Decimal URL Obfuscation

Created: 10 May 2011 19:38:34 GMT • Updated: 23 Jan 2014 18:21:10 GMT • Translations available: 日本語
Sammy Chu's picture
0 0 Votes
Login to vote

Spamming with dotted decimal URL (a dotted decimal URL refers to the four-byte IP address notation as a sequence of four decimal numbers separated by dots) is one of the most often seen URL-obfuscation techniques employed by spammers. Unfortunately, to the computer, an IP address is just a 32-bit binary number, and a dotted decimal is just one out of the many numeral systems for IP address expression. With this flexibility in interpretation, spammers have developed a new way to obfuscate their URLs; they start converting their dotted decimal URLs into different numeral systems.

Below are some of the IP address numeral system obfuscation techniques Symantec has observed of spammers. (All of the samples below are just different numeral representations of the IP address for Symantec.com)

An IP address converted to hexadecimal format. (Hexadecimal is a base-16 numeral system.)

An IP address converted to dotted hexadecimal format.

An IP address converted to dotted octal format. (Octal is a base-8 numeral system.)

A combination of Hexadecimal and Octal

Previously, spammers only took advantage of hexadecimal obfuscation in their attacks.

However for the past few days, the number of “hexadecimal and octal” combination-obfuscation attacks have increased drastically.   

Fortunately or unfortunately for the average email user, most Web browsers or email applications will translate these numeral encodings; furthermore, dotted decimal URLs are often associated with virus attacks. For this reason, end users should, as usual, not click on links to Web sites they are not familiar with.

Here are some best practices to try and limit the impact of spam attacks.

  • Be selective about the Web sites where you register your email address.
  • When entering personal or financial details online, ensure the Web site has SSL encryption (look for https, a padlock, or a green address bar).
  • Avoid clicking on suspicious links in email or IM messages as these may be links to spoofed Web sites. We suggest typing Web addresses directly in to the browser rather than relying upon links within your messages.
  • Always be sure that your operating system is up-to-date with the latest updates, and employ a comprehensive security suite. For details on Symantec’s offerings of protection, visit http://www.symantec.com.
  • Do not open unknown email attachments. These attachments could infect your computer.
  • Do not reply to spam. Typically the sender’s email address is forged, and replying may only result in more spam.
  • Do not fill out forms in messages that ask for personal or financial information or passwords. A reputable company is unlikely to ask for your personal details through email. When in doubt, contact the company in question through an independent, trusted mechanism, such as a verified telephone number, or a known Internet address that you type into a new browser window. Do not click or cut and paste from a link in the message.
  • Do not buy products or services from spam messages.
  • Do not open spam messages.
  • Do not forward any virus warnings that you receive through email. These are often hoaxes.

Thanks to Dylan Morss for contributed content.