How do Spammers encode or obfuscate HTTP links (URLs)?


This article applies to:

  • Trustwave MailMarshal (SEG)

Question:

How do spammers encode or obfuscate HTTP links (URLs)?

Causes:

Spammers encode or obfuscate URLs in different ways to bypass spam filtering or mask spamming activity.

Procedure:

Spammers insert encoded characters into URLs to bypass spam filtering or mask spamming activity. A basic understanding of binary, octal, decimal and hexdecimal  number systems and how to convert from one system to another is assumed in the following examples. The following techniques and examples explain how spammers can encode URLs with the number systems. 

Decimal Encoding:

Internet Explorer interprets an IP address that is encoded to a single decimal number as an actual IP address. For example, you can encode the loopback address, http://127.0.0.1/, using the decimal numbering system. 

  1. Convert each octet (each part of the IP address) into binary. Remember to pad each binary number on the left (most significant bit, or MSB) with zeroes to give you 8 bits.

    127 = 01111111
    0 = 00000000
    0 = 00000000
    1 = 00000001  

  2. Join all the binary numbers together:

    01111111000000000000000000000001

  3. Convert the result to decimal, yielding:

    2130706433

  4. Insert the result into the URL or in a link. Your browser will interprets the following as 127.0.0.1.

    http://2130706433/ 

Octal Encoding:

  1.  Convert each octet of the IP address into octal. Remember to pad each octal number on the left with a zero. In each case the MSB (leftmost) digit needs to be 0.

    127 = 0177
    0 = 0
    0 = 0
    1 = 01

  2. These octal numbers can now be used in the URL, and the browser will interpret as 127.0.0.1:

    http://0177.0.0.01/  

Hex Encoding

  1. Convert the IP address to decimal. See result from the previous decimal encoding example.
  2. Convert the decimal result from the decimal encoding  example to hexadecimal.
    Decimal 2130706433 = Hex 7F000001
  3. Insert 0x in front of the number.
  4. Create the URL, yielding:

    http://0x7F000001/

ASCII Value encoding

Since individual characters in the URL can be represented by their equivalent ASCII decimal or hex value, the encoded characters can be applied to some or all of the characters in the URL. These ASCII encoded addresses cannot be used directly in the browser URL locator, but your browser decodes these obfuscated links correctly if used in a HTML page or HTML Spam message. For example, you can encode the URL for the Trustwave website, http://www.trustwave.com/, in the following progression to create a highly obfuscated URL:

  • In ASCII, the 'w' character can be represented by its hex value of %77 or its decimal value of &#119:

    http://%77%77&#119.trustwave.com/

  • The http part of the link can be encoded:

    ht%74p://w%77w.trustwave.com/

  • It is possible to apply the ASCII encoding on IP addresses already encoded in Octal, Decimal or Hexadecimal. For example, combining hex encoding with ASCII encoding, and applying to 127.0.0.1, can give the following highly obfuscated URL:

    ht%74p://0%787F0%300001/

 

Notes:

You can use the Microsoft Windows Calculator in Scientific mode to translate Decimal, Hex, Octal, and Binary.

This article was previously published as:
NETIQKB45792

Last Modified 5/1/2020.
https://support.trustwave.com/kb/KnowledgebaseArticle10537.aspx