Riddle me this ...

D. Hugh Redelmeier hugh-pmF8o41NoarQT0dZR+AlfA at public.gmane.org
Sat Apr 1 22:22:51 UTC 2006


| From: Paul King <pking123-rieW9WUcm8FFJ04o6PK0Fg at public.gmane.org>

| I recently got a spam that had a link whose host was: http://1121829475/
| 
| This actually led to an Internet site (http://www.lttnetsolutions.com/). Is this 
| supposed to be the new format for ipv6? nslookup gives its IP as 66.221.194.166.
| 
| That has got to be the strangest URL I have seen.

Linux man pages are a bit embarrassing.  They don't accurately
describe what the code does or is supposed to do.  This should be
described in inet_addr(3) but it isn't.  Go to a BSD manual or the
Single UNIX(R) Specification:

http://www.opengroup.org/onlinepubs/007908799/xns/inet_addr.html

    Values specified using dot notation take one of the following forms:

    a.b.c.d
	When four parts are specified, each is interpreted as a byte of
	data and assigned, from left to right, to the four bytes of an
	Internet address.

    a.b.c
	When a three-part address is specified, the last part is
	interpreted as a 16-bit quantity and placed in the rightmost two
	bytes of the network address. This makes the three-part address
	format convenient for specifying Class B network addresses as
	128.net.host.

    a.b
	When a two-part address is supplied, the last part is interpreted
	as a 24-bit quantity and placed in the rightmost three bytes of
	the network address. This makes the two-part address format
	convenient for specifying Class A network addresses as net.host.

    a
	When only one part is given, the value is stored directly in the
	network address without any byte rearrangement.

    All numbers supplied as parts in dot notation may be decimal, octal,
    or hexadecimal, as specified in the ISO C standard (that is, a leading
    0x or 0X implies hexadecimal; otherwise, a leading 0 implies octal;
    otherwise, the number is interpreted as decimal).

If I were dictator, I'd require the a.b.c.d form.  All others are so
rarely used that they are confusing.  And I'd require each component
to be decimal.

Spammers use these obscure forms to disguise what they are doing.

Ping treats this number as an IP address too, and reports which one in
the dotted quad form:

    $ ping 1121829475
    Warning: no SO_TIMESTAMP support, falling back to SIOCGSTAMP
    PING 1121829475 (66.221.194.99) from 192.139.70.107 : 56(84) bytes of data.

Interestingly, "dig -x 1121829475" does the wrong thing:
    $ dig -x 1121829475
    ...
    ;; QUESTION SECTION:
    ;1121829475.in-addr.arpa.       IN      PTR
    ...

The correct QUESTION SECTION would be:
    ;99.194.221.66.in-addr.arpa.    IN      PTR
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
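
Added example, not part of the original post: a Python sketch of the parsing rules quoted from the specification above, used to rewrite a numeric URL host into plain decimal a.b.c.d form and flag it when it was written any other way. The function names are hypothetical, and every sample URL except http://1121829475/ is a constructed re-encoding of the address ping reported.

```python
import re
from urllib.parse import urlsplit

# One component: hex (0x...), octal (leading 0) or decimal, per the quoted spec.
_PART = re.compile(r"0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*")

def _component(p):
    if p[:2].lower() == "0x":
        return int(p, 16)
    return int(p, 8) if p.startswith("0") else int(p, 10)

def parse_inet_addr(text):
    """Return the 32-bit address for an inet_addr(3)-style string, else None."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.fullmatch(p) for p in parts):
        return None
    *head, last = [_component(p) for p in parts]
    tail_bytes = 4 - len(head)  # a fills 4 bytes, a.b 3, a.b.c 2, a.b.c.d 1
    if any(v > 0xFF for v in head) or last >= 256 ** tail_bytes:
        return None
    addr = 0
    for v in head:
        addr = (addr << 8) | v
    return (addr << (8 * tail_bytes)) | last

def dotted_quad(addr):
    return ".".join(str((addr >> s) & 0xFF) for s in (24, 16, 8, 0))

def normalize_url_host(url):
    """Return (canonical_ip, is_obscure_form) for a numeric host, else None."""
    host = urlsplit(url).hostname or ""
    addr = parse_inet_addr(host)
    if addr is None:
        return None  # an ordinary name, or not a valid numeric form
    canonical = dotted_quad(addr)
    return canonical, host != canonical

if __name__ == "__main__":
    samples = [                       # first URL is from the post, rest constructed
        "http://1121829475/",
        "http://0x42.0335.49763/",
        "http://66.14533219/",
        "http://66.221.194.99/",
        "http://www.example.com/",
    ]
    for url in samples:
        print(url, "->", normalize_url_host(url))
```

A mail filter or log pipeline can compare the canonical form against its block lists and treat the obscure-form flag as a signal of its own.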




