How Hexadecimal IP Addresses Help Spammers Evade Detection

By Bill Toulas / September 19, 2020

Spammers are known to try a wide range of tricks to achieve better inbox delivery rates. Spam mail that ends up on the spam folder isn’t doing much for them, and finding ways to go through filters isn’t simple at all. For example, Google is deploying sophisticated AI tools to detect malicious messages and is now rolling out new anti-spam platforms.

So, whenever spam groups find something that works, it’s a breakthrough - at least for as long as it takes for spam filters to adjust. The most recent breakthrough of this kind is the use of hexadecimal IP addresses to evade detection and ensure spam delivery to people’s inbox.

Related: Google Claims Gmail Can Now Detect 99.9% of Malicious Document Attachments

IP addresses are typically written and displayed in human-readable notations like “,” for example. However, this is not the only way you can write them without affecting their functionality. Hexadecimal is one of the possible ways to write an IP address, converting each decimal number to hexadecimal, which is a representation of numbers using a base of “16” - hence the name.

According to this numeral system, one may use ten decimal numbers and six symbols to represent any value, and this is a lean approach because you end up with something short. The web browser undertakes the job of converting hex to something useful, so functionally, no problems are introduced.

Related: Google to Tackle Spam Mail With Gmail Logo Verification for Senders

What this conversion does is to actually add a layer of obfuscation to the URL. So, essentially, URLs that have been blacklisted for spam can now send emails without raising any flags.

According to a Trustwave report, the first spammers who took advantage of this simple yet clever trick send pill-themed messages. If you’ve recently received any messages that promote pills for cholesterol, anti-inflammatory, metabolism boosters, brain health, etc., they are part of this campaign. To ramp up their detection avoidance game, the actors have their messages hop through a series of affiliate link services.

fake pharma diagram

Source: Trustwave

If any of these links are clicked, the victim is taken to recently-registered domains that attempt to convince the visitors to buy the fake drugs. Thanks to third-party gateway integration, the payment will go through, but nothing will ever be shipped to the buyer. T

he volume of this spam has risen since July this year and will most likely continue growing until anti-spam systems begin including hexadecimal IP addresses in their detection scheme.

spam volume

Source: Trustwave

The trick of hexadecimal hashing for obfuscation has been used in the malware space, too, with the SunCrypt ransomware applying the conversion to encrypted files, and CypherIT applying it to its malicious scripts. Seeing it on IP addresses is somewhat novel, but the cover is now blown.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari