In-Depth Example—Server-Side Database

In 2004, I received an email that appeared to come from a well-known, legitimate company inviting me to click on various links and look at their current offers and promotions. It caught my eye in part because a friend was working for that company at the time and because the links on the page pointed to a totally different domain. More than that, the links had an unusual format. Here are five examples of that:

Several features emerge when these URLs are compared. The first component of each hostname is different, but the remaining components are identical. Running dig on each of these showed that they mapped to two IP addresses, also used by the name http://track.soak-up-the-sun.com. The most likely explanation for the use of multiple hostnames is to prevent anti-spam software from recognizing the hosts.

The server-side script has a very distinctive name, _c.jpegg, which the casual observer might take for a JPEG file. Two other URLs in the email message had scripts called _o.jpegg and _r.jpegg. There would ...
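The comparison carried out above by eye (varying first hostname label, identical parent domain, shared IP addresses, a script named to look like an image) can be scripted for a larger batch of links. The following is an added example, not code from the book: the five URLs, the `promo.example.net` domain, the `track.promo.example.net` host and the address table are all constructed so that it runs offline in place of live `dig` queries.

```python
import os
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample URLs (not the ones from the book) that reproduce the
# pattern the text describes: the first hostname label varies, everything
# after it is identical, and the script is named to pass for a JPEG.
SAMPLE_URLS = [
    "http://a1b2.promo.example.net/_c.jpegg?id=0001",
    "http://zz9x.promo.example.net/_c.jpegg?id=0002",
    "http://q7q7.promo.example.net/_c.jpegg?id=0003",
    "http://m3k1.promo.example.net/_o.jpegg?id=0004",
    "http://r4r4.promo.example.net/_r.jpegg?id=0005",
]

# Constructed stand-in for dig answers so the example runs offline.
# track.promo.example.net is a hypothetical host that shares both addresses.
FAKE_DNS = {
    "a1b2.promo.example.net": ["192.0.2.10"],
    "zz9x.promo.example.net": ["192.0.2.11"],
    "q7q7.promo.example.net": ["192.0.2.10"],
    "m3k1.promo.example.net": ["192.0.2.11"],
    "r4r4.promo.example.net": ["192.0.2.10"],
    "track.promo.example.net": ["192.0.2.10", "192.0.2.11"],
}

GENUINE_IMAGE_EXTS = {".jpg", ".jpeg", ".gif", ".png"}
IMAGE_PREFIX = re.compile(r"\.(jpe?g|gif|png)")


def fake_resolve(host):
    """Offline resolver; swap in socket.gethostbyname_ex(host)[2] for live lookups."""
    return FAKE_DNS.get(host, [])


def group_by_parent(urls):
    """Map each parent domain to the sorted list of varying first labels."""
    groups = defaultdict(set)
    for url in urls:
        host = urlparse(url).hostname or ""
        first, _, parent = host.partition(".")
        groups[parent].add(first)
    return {parent: sorted(labels) for parent, labels in groups.items()}


def script_names(urls):
    """Collect the distinct scripts (path basenames) the URLs request."""
    return sorted({os.path.basename(urlparse(url).path) for url in urls})


def lookalike_extension(name):
    """True when the extension begins like an image extension but is not one."""
    ext = os.path.splitext(name)[1].lower()
    if not ext or ext in GENUINE_IMAGE_EXTS:
        return False
    return IMAGE_PREFIX.match(ext) is not None


def hosts_by_address(urls, extra_hosts=(), resolver=fake_resolve):
    """Invert resolution to show which hostnames share an IP address."""
    hosts = {urlparse(u).hostname for u in urls} | set(extra_hosts)
    by_addr = defaultdict(set)
    for host in sorted(h for h in hosts if h):
        for addr in resolver(host):
            by_addr[addr].add(host)
    return {addr: sorted(hs) for addr, hs in by_addr.items()}


def analyze(urls, extra_hosts=(), resolver=fake_resolve):
    """Summarize the features the text lists: parent domain, scripts, shared IPs."""
    scripts = script_names(urls)
    return {
        "parents": group_by_parent(urls),
        "scripts": scripts,
        "lookalike_scripts": [s for s in scripts if lookalike_extension(s)],
        "hosts_by_address": hosts_by_address(urls, extra_hosts, resolver),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_URLS, ["track.promo.example.net"]), indent=2))
```

Passing a known redirector host as `extra_hosts` reproduces the dig correlation from the text: any sample hostname that lands on the same address as that host is listed beside it, and the lookalike check flags `.jpegg`-style names whose extension only starts like a real image type.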
