Below is a sample URL from a piece of spam I received. Note it may of wrapped due to line length. It decodes (thanks to www.samspade.org) as follows: http://996.682.889.0-aasrdh-gouri-nyry.htm@3285397365/pc/member/i000lll/?redirect=www.envy.nu/554%554%54%554%554%554%698%698%/trial/join/index.html has some illegal encoded characters in it, but decodes to something like http://996.682.889.0-aasrdh-gouri-nyry.htm@3285397365/pc/member/i000lll/?redirect=www.envy.nu/554U4TU4U4U4i8i8%/trial/join/index.html This means you connect using normal web http and authentication info 996.682.889.0-aasrdh-gouri-nyry.htm to host 3285397365 and fetch /pc/member/i000lll/?redirect=www.envy.nu/554U4TU4U4U4i8i8%/trial/join/index.html 3285397365 is just another way of writing the IP address 195.211.47.117 The URL is accessible as http://195.211.47.117/pc/member/i000lll/?redirect=www.envy.nu/554U4TU4U4U4i8i8%/trial/join/index.html (login as 996.682.889.0-aasrdh-gouri-nyry.htm if needed) and is hosted by 195.211.47.117 ---Matthew *********** REPLY SEPARATOR *********** On 5/3/01 at 10:14 AM priya subramanian wrote: >going by what is said below, we tried it with websense >with version 4.2.3 with checkpoint firewall. the >decimal no. and also the binary no. gets converted to >the ip and get blocked by websense. > >could anyone pl suggest some other alternative. > >Priya > >--- Robert Shea <robert.sheaat_private> wrote: >> >> In addition to decimal addresses, and appending the >> port number... this >> works against many systems like this (just depends >> on how they match) >> http://trustedsite.com@actual-target-site >> >> so say cnn.com is allowed, but www.hitlist.com is >> not >> cnn.comat_private">http://cnn.comat_private >> and of course mixing >> http://cnn.com@2704981249:80 >> >> Some systems (it should be noted, that I have not >> tested the one in >> question) will match the first domain "cnn.com" and >> move on, ignoring the >> rest... >> Robert >> >> % >> %>You can sometimes add :80 to the end of a url >> http://www.yahoo.com:80 >> %>You can also use the ip address of the webserver >> %http://xxx.xxx.xxx.xxx >> %>Maybe even add a :80 to the end of the ip url. >> %>There is also a way to convert the ip address into >> a number >> %string, I have >> %>to go talk to some >> %>people to remember how to do that one, but email >> me back so >> %that I remember. >> %>Tony >> % >> %Converting to a numeric value is done by >> 'pretending' that the >> %dotted quad is a >> %base 256 number. Thus the first byte is multiplied >> by >> %256*256*256, the second by >> %256*256 the third by 256 and the last is not >> multiplied at >> %all. Add these up and >> %then try and connect to it using that number. >> % >> %66.38.151.10 >> %= 66 * 256 * 256 * 256 >> %+ 38 * 256 * 256 >> %+ 151 *256 >> %+ 10 >> %= 1109825290 >> % >> %Can then connect to this as http://1109825290 >> apparantly >> %that'll skip past a >> %number of validators which check against IP and >> 'name' >> % >> %(Or you could just use an IP-to-DWORD calculator >> such as that on >> %http://www.fichtner.net/tools/ip2dword/ >> %More info: http://www.pc-help.org/obscure.htm ) >> % >> %-- >> %Ed Rolison >> %System Administrator >> > >> ATTACHMENT part 2 application/x-pkcs7-signature >name=smime.p7s > > > >____________________________________________________________ >Do You Yahoo!? >For regular News updates go to http://in.news.yahoo.com c
This archive was generated by hypermail 2b30 : Thu May 03 2001 - 19:10:38 PDT