Clicking that link may not lead where you think

For example, here's a link that looks like it would take you to the family-oriented Disney site: http://www.disney.com@216.92.149.183.

But if you click this link, Disney isn't where your browser takes you. Instead, you see my personal Web page, BrianLivingston.com. To a Web browser, the Internet Protocol (IP) address 216.92.149.183 works exactly the same as a site's spelled-out name.

Fortunately, there's nothing racy on my Web page. But "scam links" that look like the one above are often used by adult-oriented services, get-rich-quick promoters, and spam e-mailers to obscure who they really are.

Scam links work because the words that appear between the "http://" and the "@" aren't acted on by most Web sites.

Using an "@" sign does, in fact, serve a legitimate purpose in some Web addresses. It allows surfers to quickly log into a site that requires a username and a password.

For example, say a fictitious site, JustAnExample.com, requires the username "Fred" and the password "123." In this case, you could automatically log into the site by clicking the following link: http://Fred:123@www.JustAnExample.com.

Unless there's a legitimate login purpose, extraneous characters in a Web address are probably being used to conceal a site's true purpose.

Why would a Web site try to obscure its identity? Because many people who receive spam about a Web site want to know who's behind the site so they can complain.

If the site used its real URL, it would be easy to check who originally registered the name. Typing, for example, CNET.com into a search engine called the Universal Whois reveals the address and phone number of CNET Networks. (Some people do provide false data, but at least you get to see what aliases they gave in such cases.)

Typing an IP address into the Universal Whois, however, doesn't necessarily show who registered a site. For example, submitting the IP address 216.92.149.183 reveals the name of the Web hosting company that hosts my site, Pair Networks, but not my name, Brian Livingston.

Since even this much information could identify the operators of a Web site, some tricksters do even more to confuse things.

A Web address, for instance, can be covered up using percent signs and two-character strings that are equivalent to letters. The following URL seems to lead to the search engine Ask.com, but it's just another synonym for my personal page: http://www.ask.com@Bri%61%6ELiv%69%6E%67%73%74%6F%6E.com.

In this case, a string of text like "Bri%61%6E" means the same thing to a browser as "Brian," and so forth.

If you submit one of these "percent sign" addresses to the Universal Whois, it chokes with a "no match" error message.

So how do you find out who's really behind a suspicious-looking address before you blindly go there?

Computer consultant Keith Little has become an expert on obscured Web addresses by setting up a Web fact sheet on the problem.

One of Little's top recommendations is to use the so-called Sam Spade Tools, a free service maintained by programmer Steve Atkins.

If you're faced with a mysterious address obscured using codes (like my "Bri%61%6E" example above), paste the address into Spade's "Obfuscated URLs" search box. This reveals that "BrianLivingston.com" is the real name behind the dodge.

If the address is an IP number, it's best deciphered using Spade's "Address Digger" search box instead.

Once you've determined the real URL by either of these means, you can search for its owner using Universal Whois. Or, for more technical detail, use Host Tracker, a service provided by SpamCop, an anti-spam group.

If a funny-looking Web address turns out to be legitimate, fine. Otherwise, look before you leap.

Consumer advocate Brian Livingston appears at CNET News.com every Friday. Do you know of a problem affecting consumers? Send info to tips@BrianLivingston.com. He'll send you a book of high-tech secrets free if you're the first to submit a tip he prints.