Slashdot Mirror

I guess some mean people might do this:

http://www.pc-help.org/obscure.htm

How to Obscure Any URL
How Spammers And Scammers Hide and Confuse
Last Updated Sunday, 13 January 2002

Since this page was first written in 1999, Internet Explorer and Netscape have both begun dealing with URLs differently, particularly in versions 6 and above. Some of the examples here will no longer work with those browser versions.

The URL (Universal Resource Locator) of the page you are now viewing is http://www.pc-help.org/obscure.htm.

It is also http://3468664375/obscure.htm. Go ahead and click on that link. It'll take you right back to this very page.

The weird-looking address above takes advantage of several things many people don't know about the structure of a valid URL.

There's a little more to Internet addressing than commonly meets the eye; there are conventions which allow for some interesting variations in how an Internet address is expressed.

These tricks are known to the spammers and scammers, and they're used freely in unsolicited mails. You'll also see them in ad-related URLs and occasionally on web pages where the writer hopes to avoid recognition of a linked address for whatever reason. Now, I'm making these tricks known to you. Read on, and you'll soon be very hard to fool.

(Note: Depending on your browser type and its version, some of the oddly-formatted URLs on this page may not work. Also if you're on a LAN and using a proxy [gateway] for Internet access, many of them are unlikely to work. Also, fear not; this page does not exploit the "Dotless IP Address" vulnerability of some IE versions.)

How It's Done

Here it is again: http://3468664375/obscure.htm

First take note of the "@" symbol that appears amid all those numbers. In actual fact, everything between "http://" and "@" is completely irrelevant! Just about anything can go in there and it makes no difference whatsoever to the final result. Here are two examples:

http://www.pc-help.org/obscure.htm

http:///^&*()_+`-={}|[]:;@www.pc-help.org/obscure.htm

Go ahead and use the links. If they work at all with your browser, you'll be back to this page again.

This feature is actually used for authentication. If a login name and/or password is required to access a web page, it can be included here and login will be automatic.

Example: http://www.whatever.com/secret/eyesonly.htm

But if the page requires no authentication, the authentication text is in effect ignored by both browser and server.

This presents interesting possibilities for confusing the unsuspecting user. How about this one:

http://3468664375/obscure.htm

If you didn't know better, you might think this page were at playboy.com!

By the way, the @ symbol can be represented by its hex code %40 to further confuse things; this works for the IE browser, but not for Netscape. (Thanks to The Webskulker for this.)

All right, so what about that long number after the "@"? How does 3468664375 get you to www.pc-help.org?

In actual fact, the two are equivalent to one another. This takes a little explaining so follow me carefully here.

The first thing you need to know (most Net users know this), is that Internet names translate to numbers called IP addresses. An IP address is normally seen in "dotted decimal" format. www.pc-help.org translates to 206.191.158.55. So of course, this page's address can be expressed as: http://206.191.158.55/obscure.htm.

Numeric IP addresses are generally unrecognizable to people, and not easily rememberd. That's wh

I guess some mean people might do this:

http://www.pc-help.org/obscure.htm

How to Obscure Any URL
How Spammers And Scammers Hide and Confuse
Last Updated Sunday, 13 January 2002

Since this page was first written in 1999, Internet Explorer and Netscape have both begun dealing with URLs differently, particularly in versions 6 and above. Some of the examples here will no longer work with those browser versions.

The URL (Universal Resource Locator) of the page you are now viewing is http://www.pc-help.org/obscure.htm.

It is also http://3468664375/obscure.htm. Go ahead and click on that link. It'll take you right back to this very page.

The weird-looking address above takes advantage of several things many people don't know about the structure of a valid URL.

There's a little more to Internet addressing than commonly meets the eye; there are conventions which allow for some interesting variations in how an Internet address is expressed.

These tricks are known to the spammers and scammers, and they're used freely in unsolicited mails. You'll also see them in ad-related URLs and occasionally on web pages where the writer hopes to avoid recognition of a linked address for whatever reason. Now, I'm making these tricks known to you. Read on, and you'll soon be very hard to fool.

(Note: Depending on your browser type and its version, some of the oddly-formatted URLs on this page may not work. Also if you're on a LAN and using a proxy [gateway] for Internet access, many of them are unlikely to work. Also, fear not; this page does not exploit the "Dotless IP Address" vulnerability of some IE versions.)

How It's Done

Here it is again: http://3468664375/obscure.htm

First take note of the "@" symbol that appears amid all those numbers. In actual fact, everything between "http://" and "@" is completely irrelevant! Just about anything can go in there and it makes no difference whatsoever to the final result. Here are two examples:

http://www.pc-help.org/obscure.htm

http:///^&*()_+`-={}|[]:;@www.pc-help.org/obscure.htm

Go ahead and use the links. If they work at all with your browser, you'll be back to this page again.

This feature is actually used for authentication. If a login name and/or password is required to access a web page, it can be included here and login will be automatic.

Example: http://www.whatever.com/secret/eyesonly.htm

But if the page requires no authentication, the authentication text is in effect ignored by both browser and server.

This presents interesting possibilities for confusing the unsuspecting user. How about this one:

http://3468664375/obscure.htm

If you didn't know better, you might think this page were at playboy.com!

By the way, the @ symbol can be represented by its hex code %40 to further confuse things; this works for the IE browser, but not for Netscape. (Thanks to The Webskulker for this.)

All right, so what about that long number after the "@"? How does 3468664375 get you to www.pc-help.org?

In actual fact, the two are equivalent to one another. This takes a little explaining so follow me carefully here.

The first thing you need to know (most Net users know this), is that Internet names translate to numbers called IP addresses. An IP address is normally seen in "dotted decimal" format. www.pc-help.org translates to 206.191.158.55. So of course, this page's address can be expressed as: http://206.191.158.55/obscure.htm.

Numeric IP addresses are generally unrecognizable to people, and not easily rememberd. That's wh

I guess some mean people might do this:

http://www.pc-help.org/obscure.htm

How to Obscure Any URL
How Spammers And Scammers Hide and Confuse
Last Updated Sunday, 13 January 2002

Since this page was first written in 1999, Internet Explorer and Netscape have both begun dealing with URLs differently, particularly in versions 6 and above. Some of the examples here will no longer work with those browser versions.

The URL (Universal Resource Locator) of the page you are now viewing is http://www.pc-help.org/obscure.htm.

It is also http://3468664375/obscure.htm. Go ahead and click on that link. It'll take you right back to this very page.

The weird-looking address above takes advantage of several things many people don't know about the structure of a valid URL.

There's a little more to Internet addressing than commonly meets the eye; there are conventions which allow for some interesting variations in how an Internet address is expressed.

These tricks are known to the spammers and scammers, and they're used freely in unsolicited mails. You'll also see them in ad-related URLs and occasionally on web pages where the writer hopes to avoid recognition of a linked address for whatever reason. Now, I'm making these tricks known to you. Read on, and you'll soon be very hard to fool.

(Note: Depending on your browser type and its version, some of the oddly-formatted URLs on this page may not work. Also if you're on a LAN and using a proxy [gateway] for Internet access, many of them are unlikely to work. Also, fear not; this page does not exploit the "Dotless IP Address" vulnerability of some IE versions.)

How It's Done

Here it is again: http://3468664375/obscure.htm

First take note of the "@" symbol that appears amid all those numbers. In actual fact, everything between "http://" and "@" is completely irrelevant! Just about anything can go in there and it makes no difference whatsoever to the final result. Here are two examples:

http://www.pc-help.org/obscure.htm

http:///^&*()_+`-={}|[]:;@www.pc-help.org/obscure.htm

Go ahead and use the links. If they work at all with your browser, you'll be back to this page again.

This feature is actually used for authentication. If a login name and/or password is required to access a web page, it can be included here and login will be automatic.

Example: http://www.whatever.com/secret/eyesonly.htm

But if the page requires no authentication, the authentication text is in effect ignored by both browser and server.

This presents interesting possibilities for confusing the unsuspecting user. How about this one:

http://3468664375/obscure.htm

If you didn't know better, you might think this page were at playboy.com!

By the way, the @ symbol can be represented by its hex code %40 to further confuse things; this works for the IE browser, but not for Netscape. (Thanks to The Webskulker for this.)

All right, so what about that long number after the "@"? How does 3468664375 get you to www.pc-help.org?

In actual fact, the two are equivalent to one another. This takes a little explaining so follow me carefully here.

The first thing you need to know (most Net users know this), is that Internet names translate to numbers called IP addresses. An IP address is normally seen in "dotted decimal" format. www.pc-help.org translates to 206.191.158.55. So of course, this page's address can be expressed as: http://206.191.158.55/obscure.htm.

Numeric IP addresses are generally unrecognizable to people, and not easily rememberd. That's wh

if you goto the Windows Live.com site (hxtp://safety.live.com) to stop this malicious program/worm the MS site uses a malicious cookie exploit against you, if you deny the exploit you cant get to the site to get help

its like a Hospital saying "we have to break your leg so we can fix your arm"
they should be ashamed

with MSN network, we (large corp) banned all of their MSN domains as this is a security risk and as its intentionally deceptive on their part we had to classify it as malicious due to the intent

here (with analysis)
news report here

of course MS still use it and the surfers still have no idea its occuring, though if you block their servers you soon find out how many times they try.

never mind trusting the user, its the server and the company that does it that people cant trust

http://stj.msn.com/br/om/js/s_code.js
thats actually flagged by anti-spyware programs as a threat
you know ?, from the same company that was involved in the verisign wildcard redirect webbug, and you think Doubleclick is bad,

and they want you to bookmark their site ? , iam more likely to add them to the firewall, the thing isnt even finished yet and already Microsoft want to track and bug your everymove as if cross site cookie exploits are not enough.

Trust is a bitch to regain, anything to do with MSN is a privacy and security risk (see where msie goes to first (only once) after a fresh install on windows) and should be treated with same contempt as they have for you

anything MS do on the web is cold, hence they "dont get it"

--$

Think of the awesome client-side applications people will be able to come up with now that they are no longer restricted by pesky cross-domain security policies!

like this ?, except they dont need a browser flaw, just a few hidden 302 redirects, only phsically blocking the server with a firewall or hosts file can protect you, oh and it works on every browser and every platform that supports server redirects
and its still in use to this day

i was redirected via a 302 to this site

http://msid.msn.com/mps_id_sharing/redirect.asp?vi rtualearth.msn.com/Default.aspx

why ? because Microsoft are up to their old cookie stealing exploits

read here

Microsoft solved reading other domains cookies years ago, they still do it now on a lot of their sites, whats funny is they have one department making an internet browser that has security restrictions on cookie usage yet in another department they are thinking up ways to get round the security restrictions they put in place

whats the betting on their Microsoft/MSN cookies will be able to cross domains by default ? seeing as everybody wised up to their exploit game perhaps they are seeking other ways to compromise peoples privacy, advertising aint worth shit without that all important user tracking

you usually judge people based on their previous actions and with MS having such a piss poor record on security and privacy with obviously teams of programmers dedicated to getting round security restrictions (unless this exploit and those GUID servers was mysteriously unintentional) i wouldnt trust those fuckers with telling the time, never mind my security or privacy

with their GUID server and attempts to make cookies cross domains [bugtraq] bypassing any security restrictions the browser has implemented, nice huh

the answer is to just block all MSN sites, why micorosft are allowed to produce an OS and then re-direct users to its homepage by default (and average user doesnt know how to change their homepage), how anti-trust/competitives hasnt pulled them on it shows you what they can get away with

msn.com

and here's why

msn.com

and here's why

MSN search is blocked at our firewall due to its classification as a privacy threat (all MSN domains are blocked)

not that anyone uses MSN services out of choice anyway

It appears that a particularly crafted request may confuse ASP.Net and allow access to otherwise protected directories.

If a web server receives a request for a particular URL (e.g._http://server/somedirectory/filename), the 'somedirectory/filename' part has to be mapped to a particular file located on the server. This translation has been the source of many "directory traversal" bugs. The IIS unicode exploit is probably the most famous one.

After our original posting of this diary, a few users pointed to the following articles which provide more details then provided by Microsoft's advisory:
(Thanks to Chaouki & Daniel)

www.heise.de/security/news/meldung/51730 (german)
http://www.derkeiler.com/Mailing-Lists/NT-Bugtraq/ 2004-09/0068.html
blogs.devleap.com/rob/archive/2004/10/02/1803.aspx (italian)
www.k-otik.com/news/10052004.ASPNETFlaw.php (french)

It appears that by switching a '/' character in the URL with '\' or '%5C', the canonicalization routine will be confused. So if the URL: http://www.example.com/secure/file.apx is password protected, using the either of the following URLs will bypass the restriction: http://www.example.com/secure\file.apx http://www.example.com/secure%5Cfile.apx

In addition to the slash/back-slash confusion, one reader reports that inserting a space will bypass the URL restriction as well: http://www.example.com/%20/secure/file.apx (had no chance to validate this method so far)

URL Obfuscation

Handler and star SANS instructor Ed Skoudis compiled a comprehensive list of various URL obfuscation methods used in phishing schemes and spam. Some of these methods do not work with all browsers (e.g. the %01 issue in older Internet Explorer versions). In order to preserve the tricky details of some of these methods, we setup a page which includes just the URL methods without our usual header and footer:isc.sans.org/presentations/urlobfuscation.p hp (to view as source: isc.sans.org/presentations/urlobfuscation.txt ).

Jan Reilink wrote to point us to this page with more details about URL obfuscation and decoding:www.pc-help.org/obscure.htm .

Hmm, I think 3639551843 would be an even cooler way of remembering that.

That's dword notation btw, conversion instructions are found here.

They have, at least to the point of cutting the spammers off from their source of income, with limited success (which is to say, only slightly more success than finding the spammer).

Wouldn't that solve the problem?

Not necessarily. First, how do you contact the site? Via false WHOIS data? Many domain names are only there for one spam run, at under $10/ea they're throwaways. Second, some spam uses obfuscated URLs. Going after non-existent parties is a waste of time and going after innocent parties just adds to the noise. Despite Micro$oft's recent belated browser patch to close this phishing hole, a majority of the browsers in use worldwide are still open to this exploit. Third, some spam only points to an IP address (you don't need a domain name to serve up a website). By the time you figure out who 'owns' that IP, they're gone.

If unsolicited spam was sent with out the approval of the site make the site owner track them down or pay the fine...

Assuming that the site owner can be found, and assuming that they are innocent, why make them pay the fine? There are tens of thousands of sites which make use of affiliate marketing programs (drive traffic to my site and you get $x flat rate or a $x percentage, see Commission Junction for thousands of them). It is near-standard to have a policy that spamming for affil dollars means immediate cutoff and no pay, but first you have to figure out who they are and report them, or ma and pa site does, with the inherent problems above, meaning it is still a cash cow for spammers. I expect your suggestion would be opposed by the likes of Amazon.com (who use, even filed a patent on, such affiliate marketing).

Please shoot holes in this idea if you see em...

I would, but I'm Canadian, eh?

Read and learn - it's pretty evil, actually.

Don't take their word for it. Searching for msn msid cookie or any similar terms will turn up plenty of pages which explain it as well.

In fact, leaders of the open-source community have acted responsibly and swiftly to end the DDoS attacks -- just as we continue to act swiftly to address IP-contamination issues when they are aired in a clear and responsible manner

See, there's another reason to support open-source. They're working to correct IP contamination! Next time I see an IP address like 66.35.506.150, I'll know where to turn (especially if this helpful page goes away).

Maybe they are dropping it because users wont accept advertising in their email client (OE did for 1 version but was quickly dropped perhaps people complained?) but if its on the web (in a browser) they can advertise all they like (look at the mess that what they call hotmail now)
then they can get advertisers to focus on associating users email accounts with user names and all that lovely personal information (courtesy of your "msn wallet(TM)" and "msn passport(TM)", tie that to your machines GUID and msn's cookie stealing exploits (notice hotmail.com does not exist anymore and is now a msn subdomain) and voila , you have WindowsXP 2004 marketing machine where you are not the customer any longer, you are the product and you will even hand over 299$ (cost of XP) for the privilege while assigning all your IP rights to them and their "partners".

Microsoft isnt a software company, its a marketing company that creates software.

not that it will affect me or you but you have to feel sorry for the sheep that have no idea whats going on.

cheers

http://www.pc-help.org/privacy/ms_guid.htm

or here

or here

As for msid.msn.com:

Learn more about it...

Or just run a search for msid.msn.com and cookie(s) and notice what comes back.

after reading this you will understand why many people block it, negates all cookie security

http://www.pc-help.org/privacy/ms_guid.htm

be afraid

Here's a link that lists how some spammers attempt to hide their real identities. This isn't necessarily exactly what the root server query guy was talking about, or maybe it is? Either way, it is very enlightening. Some slashdotters even occasionally try to hide a goatse link this way.

--sex

You see that msnbc link ? seems innocent huh

when you click it though you are actually sent to msn in order to transfer your cookie from any of msn's domains which includes hotmail (any of the *.msn.com domains) in order to track you personally (if you use hotmail notice hm is actually a subdomain of msn)

so while you click on the story link of

www.msnbc.com/news/814100.asp&0dm=-23ET [msnbc.com]
you are actually sent to here

http://msid.msn.com/mps_id_sharing/redirect.asp?ww w.msnbc.com/news/create_p1.asp?URL=www.msnbc.com/n ews/814100.asp&0dm=-23ET

why ? so they can steal your hotmail/msn cookie and transfer it to the msnbc domain and track you across any of microsofts domains (hence the msid = microsoft id or guid), this gets round all browser cookie privacy limitations that browser manufacturers (including mozilla/msie/ns) implementation so websites cannot read cookies from other domains and is a blatent privacy breach,
whats happening is msid server is reading your cookie and passing it to the create_p1.asp page via a GET which then creates a new cookie with your old cookie values then finally redirects you to the story complete with transfered cookies contents, clever but not clever enough for those that spot it

of course all this cookie sharing happens in the blink of an eye so the average user doesnt see it (dont believe me look at the 302 redirect headers sent when you click the msnbc link) and has no idea they have actually visited msn.com in order to steal their msn cookie

more information about this exploit can be found here
http://www.pc-help.org/privacy/ms_guid.htm

http://online.securityfocus.com/news/83

i really wish that the /. would not link to msnbc stories as every reader is being exposed to this no matter what browser they use

of course if you block msid.msn you cannot access the msnbc site , basically if you wont let msn track you they wont let you in the site

yeah im anon cos who iam doesnt matter

You see that msnbc link ? seems innocent huh

when you click it though you are actually sent to msn in order to transfer your cookie from any of msn's domains which includes hotmail (any of the *.msn.com domains) in order to track you personally (if you use hotmail notice hm is actually a subdomain of msn)

so while you click on the story link of

www.msnbc.com/news/814100.asp&0dm=-23ET
you are actually sent to here

http://msid.msn.com/mps_id_sharing/redirect.asp?ww w.msnbc.com/news/create_p1.asp?URL=www.msnbc.com/n ews/814100.asp&0dm=-23ET

why ? so they can steal your hotmail/msn cookie and transfer it to the msnbc domain and track you across any of microsofts domains (hence the msid = microsoft id or guid), this gets round all browser cookie privacy limitations that browser manufacturers (including mozilla/msie/ns) implementation so websites cannot read cookies from other domains and is a blatent privacy breach,
whats happening is msid server is reading your cookie and passing it to the create_p1.asp page via a GET which then creates a new cookie with your old cookie values then finally redirects you to the story complete with transfered cookies contents, clever but not clever enough for those that spot it

of course all this cookie sharing happens in the blink of an eye so the average user doesnt see it (dont believe me look at the 302 redirect headers sent when you click the msnbc link) and has no idea they have actually visited msn.com in order to steal their msn cookie

more information about this exploit can be found here
http://www.pc-help.org/privacy/ms_guid.htm

i really wish that the /. would not link to msnbc stories as every reader is being exposed to this no matter what browser they use

of course if you block msid.msn you cannot access the msnbc site , basically if you wont let msn track you they wont let you in the site

yeah im anon cos who iam doesnt matter

This page explains how to decode various methods of disguising an IP address, including the one that you have mentioned.

This sounds like the ongoing lawsuit Lockdown Corp filed against independant Keith Little for the negative review of their security software package called Lockdown 2000. There's a group helping Keith fight back.

That link redirects to http://msid.msn.com/mps_id_sharing/redirect.asp?ww w.msnbc.com/news/create_p1.asp?URL=www.msnbc.com/n ews/695943.asp which doesn't work because my HTTP filter blocks accesses to msid.msn.com for privacy reasons.

http://www.pc-help.org/privacy/ms_guid.htm has more info about msid shenanigans.

Ok after a bit of investigation i found

http://www.pc-help.org/privacy/ms_guid.htm

i want the first microsoftcansuck.com domain off the line :)

Microsoft does some funny redirection with cookie placement in order to get centralized MSN cookies placed and logged while still not tripping their own privacy feature in IE6.

Info here.

...and if M$ had hired Doubleclick to pass everyone through doubleclick.net first, before sending them to any other MS-owned website, it'd also somehow be a Good Thing?!

What I wanna know: Is there an msid.msn.com cookie set on boot/install these days?

Next time you install W98, boot to raw DOS. Poke around the filesystem with a hex editor and examine the cookies. You'll find one set for whatever username and workgroup you entered at install time, pointing to our old friend http://msid.msn.com.

Under W98/IE4, deleting these files, rebooting, and re-entering Windows, the cookie data was restored automatically, even though this box had never been connected to any network.

Disclaimer: I wasn't able to reproduce this today on a W98SE/IE5 box. I know I did it under 98, because I ranted about it on Slashdot last year when the GUID-leak stories came out.

Can anyone confirm/deny this type of behavior on XP?

They've been doing this shit for a long time.

A DejaGoogle search revealed tracking through msid.msn.com as far back as 1997.

I think my "cookie kept coming back" had something to do with RegWiz, which created such a cookie before you even registered? (And in my case, even though I hadn't registered :)

So today they generate and use an MSID instead of the HWID. It's still all about tracking.

Speaking for myself, I firewalled msid.msn.com a few years ago and never missed it.

Somebody mod this down. It's a stealth goatse.cx link.

For people who don't know how that works, check out this site. It tells you all about how to obscure any URL.

I have my own browser which makes it very easy to debug things like this. Not only does it never follow redirects and naver take cookies, but it makes it easy to examine the raw data returned by every HTTP transaction. I also use Linux Netscape 4.72, and have cookies enabled there all the time.

I discovered that expedia and msnbc have common GUIDs in my Netscape cookies file, and furthermore the expedia site uses the same triple-redirection technique shown on the pc-help.org article. It routes through expedia.msnbc.com and then back to expedia.com after attaching the GUID to the URL.

- Robert Munafo