How they cover their tracks
Why do spammers hide? Today, most ISP's will not tolerate a spammer.
They are quick to terminate a spammer's account when complaints start coming in.
A spammer wants to preserve access to one single ISP, and not have to keep
signing up with new ISP's when their account gets closed.
Setting up Internet accounts take time, which means lost money.
There are many ways that spammers try to hide their IP addresses.
As spam-fighters figure out these tricks, the spammers figure out even tougher ones to crack.
As I see them, I'll post them here.
Back to Spam Page
Decimal IP Addresses
Ever see an e-mail address that looks like "spammer@123456789"?
What the heck is that number?
It's a legitimate IP address that your system will recognize. It's just in decimal.
To get a human-readable IP address, you need to convert it into hexadecimal,
divide it into four sets of two digits, then convert each set back into decimal (whew!)
The Windows calculator will do base conversions when placed into "scientific" mode.
If you don't want to do this yourself, then try the "Convert Decimal to Hex" tool at
Hexidecimal Addresses are starting to be used as well.
These start with "0x", and the browser knows what to do with that.
Take each pair of characters after the "0x", convert it from hex to decimal,
and place a period between each resulting decimal number. This is the IP address.
Another trick is to use legal URL-formatting tricks to hide the address.
This includes "escaping", usernames, passwords, and redirection.
Escaping encodes the URL with a percent sign followed by a hexidecimal code.
An escaped URL can look like "http://%2E%2E%2E%48%20%18%32%2F%48...".
You can easily decode this by copying it into the location bar of your browser and hitting return.
The status area of your browser will usually show you the translated address.
If you don't want to make your browser go the the URL,
then you can decode the URL with a good old ASCII translation table.
Many of these have decimal, hex, and octal codes for each character.
Usernames and Passwords
Did you know that usernames and passwords can be passed in a URL?
This is typically not encouraged, because it leaves this sensitive information in plain sight for all to read.
It goes like this: "http://username:firstname.lastname@example.org".
Here's how some spammers have taken advantage of this:
Notice the confusing proliferation of "www" addresses.
The one that counts is after the "@" sign, and the others are there just to throw you off the trail.
The use of a numeric IP address after the "@" sign is supposed to confuse you even more.
A more insidious, hard-to-trace, and probably blatently illegal trick is "redirection".
Many search engines now perform redirection when you click on a link resulting from a search.
They do this to keep track of which sites are the most popular.
Spammers have figured out how to use these to get you to their site
by first sending you through these search engines.
What you see is a really complex URL with a few well-known search engines embedded within.
It's harder to dig out the final website URL, but it's possible.
Be sure to report this abuse to all of the search engines involved,
as well as to the ISP hosting the response site.
Another trick I've seen is to create a "relay" page on a "throwaway" web site.
This web site is typically created on one of those free hosting services (like Tripod),
and the spammer doesn't care if it gets shut down eventually.
The web page on this site contains a link to the true web site of the business.
This way, the spammer draws complaints away from the ISP that hosts the real business web site.
Complaints will go to the free ISP, and the relay web site will get shut down.
It's worth the effort to dig into the relay page to find the true webpage address.
There are even some businesses that make it their business to host these relay web sites.
These are tough to get shut down, but they'll eventually go away
with patient and persistant complaints to their ISP.
Often spammers will try to hide their true URL through a combination of these tricks.
Of course, with some well-placed changes, you can make the decrypter dump
the raw HTML to your screen to expose the web site instead.
This requires a little programming experience, however.
If you want to try this, then add a document.write("<textarea>");
right before the decryption routine, and a document.write("</textarea>"); right after it.
This will place a large text box around the resulting code,
and you'll be able to copy the decrypted HTML into a text editor for viewing.
Also, if you see any window.open calls, then replace those with document.write calls.
Remove all but the first argument in these calls,
and the browser will display the URL instead of opening a separate window to it.
Now you can download the page at this exposed URL for inspection.
get the properties of the page, or view the source, or do anything else to trace the web site.
If you can get the URL of the page, then you can download the page to a file instead of loading it into a browser.
This allows you to inspect the file in a text editor, such as Notepad.
If you have an editor that is made specifically for web pages,
then it may be able to load a page directly from a URL.
If not, then create a little file with the following HTML inside of it:
<a href="http://place url here">this</a>
Place the URL that you want to grab in the appropriate spot in the file.
Now, save this file with an ".html" extension, such as "getit.html".
You may have to enclose the whole file name in double quotes to
prevent Notepad from automatically appending a ".txt" extension.
Open the file with your web browser, and you will see a simple link, "this".
Right-click on that link, (or click-and-hold on a Mac) and save the target to a file.
Now you have captured the web page as a file to look at.
With the proliferation of domain registries, spammers have taken advantage of the resulting confusion.
They will register false credentials with those registries who have lax rules or enforcement.
They will also register will foreign registries,
who have a difficult time responding to complaints in a different language.
Verisign has created a fairly good "whois" lookup tool that finds the registry involved.
When you are looking for the owner of a web site,
don't believe the information registered for that site's domain.
Instead, get the IP address for that site, then perform a network lookup on this IP.
This registration has to be genuine, or the ISP involved would not accept it.
is great for taking a web site's domain and displaying all information available about that domain.
Look toward the bottom of the report for the actual owner of the IP address.
There is one spammer who uses a disposable relay web page that contains an executable file for Windows.
This file is doubly-compressed to hide its internal code.
Once Windows decompresses this mess, it ends up with a dialer application.
This application hangs up your modem and redials an offshore phone number.
The resulting charge shows up on your phone bill.
Those with a binary hex editor can figure out what was used to compress this file.
Once decompressed, the web page addresses involved are exposed.
If it's too late and you have charges on your phone bill, see this
Some spammers have taken to providing only a telephone number as a point of contact.
Your only recourse is to complain to the telephone company that is hosting that number.
You can look up this information at
the North American Numbering Plan Administration.
More specifically, first find the state served by an area code in the NANPA list of
Then download the relevant table from their
Code Assignments page.
You will need to match the state, the area code (first three digits), and the exchange (second three digits)
on the table to get the company responsible for serving the phone number.
Now you can search for that company in your favorite search engine to get their web page address.
For 900 numbers, there is a separate