Unusual http in spam mail?

I was rolling someone's computer back from Windows 10 to 7 and helping them have a sort-out and block some spam.

They have lots, mostly 1 liners with buy this or get something free, a couple had their first name. Either linked to proper URLs or IP addresses directly.

But a few had http....://....0xd84b3e07 (without the full stops). I have not attempted to try them yet.

Think hexadecimal format but I'm stumped on producing a URL or IP from it? Anyone?

Thanks.
Censorship Reigns Supreme in Troll City...

Comments

  • esuhl
    esuhl Posts: 9,409 Forumite
    Maybe that part of the URL is a unique identifier for the user, so the spammers know who clicked the link in the email?

    So long as the domain is there, I guess (I'm no expert) that the server could interpret the rest of the URL as it liked (using the hex value as a parameter, rather than pointing to a specific web page).
  • tronator
    tronator Posts: 2,859 Forumite
    forgotmyname wrote: »
    I was rolling someone's computer back from Windows 10 to 7 and helping them have a sort-out and block some spam.

    They have lots, mostly 1 liners with buy this or get something free, a couple had their first name. Either linked to proper URLs or IP addresses directly.

    But a few had http....://....0xd84b3e07 (without the full stops). I have not attempted to try them yet.

    Think hexadecimal format but I'm stumped on producing a URL or IP from it? Anyone?

    Thanks.

    https://www.miniwebtool.com/ip-address-to-hex-converter/
  • AndyPix
    AndyPix Posts: 4,847 Forumite
    The hex string you entered converts to ip address : 0.216.75.62
  • tronator
    tronator Posts: 2,859 Forumite
    AndyPix wrote: »
    The hex string you entered converts to ip address : 0.216.75.62

    More like 216.75.62.7

    The "0x" at the beginning only describes that the following is hexadecimal.
  • AndyPix
    AndyPix Posts: 4,847 Forumite
    Of course it does

    My bad
  • forgotmyname
    forgotmyname Posts: 32,946 Forumite
    esuhl wrote: »
    Maybe that part of the URL is a unique identifier for the user, so the spammers know who clicked the link in the email?

    So long as the domain is there, I guess (I'm no expert) that the server could interpret the rest of the URL as it liked (using the hex value as a parameter, rather than pointing to a specific web page).

    That is the URL and yes the spam mails do have unique ID strings that will identify them. It did seem a little odd that so many emails had that same URL but appeared to come from different email senders. I didn't want to ask and pry.

  • forgotmyname
    forgotmyname Posts: 32,946 Forumite
    Anyone have a clue as to who that IP address belongs to, or is it one where they share it out and the characters after point towards the site or page that collects the users' data?

    All the emails did have 4 - 6 characters after the 3e07.

    And yep, I had forgotten about the 0x just meaning hex. Thanks.

  • AndyPix
    AndyPix Posts: 4,847 Forumite
    ip resolves to saldo.nbaarchives.net

    And it seems like they don't want to be traced .. Whodathunkit ??

    http://whois.icann.org/en/lookup?name=saldo.nbaarchives.net
  • forgotmyname
    forgotmyname Posts: 32,946 Forumite
    42c96cd3 = 66.201.108.211 (vietfoot.net) ?
    Another one registered in Panama.

    I asked the awkward question and it seems they had debts which they hid from and said the email address they are getting the spam on is one they used for the credit cards.
    Whilst the debt collectors were chasing them they would receive emails with offers for cheap items like TVs and consoles etc.

    They wondered if the debt collectors were responsible because the emails also have their name?
    But it's an AOL account and I'm pretty sure they had a security breach where emails and account details were compromised. So maybe the name and email were linked from that?

  • forgotmyname
    forgotmyname Posts: 32,946 Forumite
    They received 60 spam emails yesterday. I checked a few with URLs and the same HEX address pops up a lot, but a few others also pop up.

    They all seem to be registered in PANAMA.

    So glad I use a different email for virtually everything. If that happened to me I could just close the email and move onto another one.

    They have their banking etc on the same email address, they are going to start shifting stuff across and do not like my method of lots of accounts.

    Got them to have 3 so better than nothing, one for sensitive data like banking etc, one for family and another for forums etc.

This discussion has been closed.
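
The conversion worked out in the thread, as an added example that is not part of any post: a Python check a mail filter could run to spot links whose host is an IPv4 address written as a single hex, decimal or octal number, and to print the dotted address it stands for. The function names are hypothetical, the sample body and its paths are constructed, and the second host is assumed to carry the same `0x` prefix as the first.

```python
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def _part(text):
    """Parse one host component as inet_aton does: 0x = hex, leading 0 = octal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", text):
        return int(text, 16)
    if re.fullmatch(r"0[0-7]+", text):
        return int(text, 8)
    if re.fullmatch(r"0|[1-9][0-9]*", text):
        return int(text)
    raise ValueError(text)

def decode_host(host):
    """Return the dotted-quad address a numeric host stands for, or None for a name."""
    parts = host.rstrip(".").split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        *head, last = [_part(p) for p in parts]
    except ValueError:
        return None
    # Leading components are single bytes; the last one fills the remaining bytes.
    if any(n > 0xFF for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return str(ipaddress.IPv4Address(value))

def flag_obfuscated(body):
    """List (url, decoded_ip) for links whose host is an IP not in plain dotted decimal."""
    hits = []
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname or ""
        ip = decode_host(host)
        if ip is not None and ip != host:
            hits.append((url, ip))
    return hits

# Constructed sample body; the paths and the example.com link are invented for the demo.
SAMPLE = """Get a free TV http://0xd84b3e07/ab12c
Cheap consoles http://0x42c96cd3/zz9q
Plain link http://216.75.62.7/x and https://www.example.com/offer"""

if __name__ == "__main__":
    print(flag_obfuscated(SAMPLE))
```

The decoded address, not the raw host string, is the value to match against blocklists or look up in WHOIS.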