March 21, 2007

Can you “spoof” an IP Address?

Filed under: Anti-spam, blog — Dave Rathbun @ 9:48 am

The server logs report IP Addresses used to visit this site. My comment/spam process has started logging the IP address as reported by the server. My question is this: is it possible to spoof that data? Meaning, is it possible that the IP addresses that are recorded by this process are wrong?

4 Comments »

  1. The IP address can’t be “wrong”, since it is required for delivering the server response. However, it may not be the user’s actual IP if NAT is used. There’s X_FORWARDED_FOR, which contains the actual IP in such cases, and which is used extensively by advanced spam filters like Akismet.

    Comment by damnian — March 21, 2007 @ 12:30 pm

  2. Thanks, damnian, it wasn’t long after I asked the question that I was reminded of the basic principles of TCP/IP packet delivery. :-) So it seems that the IP address will be real (even if forwarded). So when I see multiple comments come into my blog on exactly the same post and failing for exactly the same reason, but are a few seconds apart… it’s probably two (or more) compromised or “zombie” computers doing the dirty work.

    Comment by dave.rathbun — March 23, 2007 @ 8:11 am

  3. Well, there is always “the proxy factor”… See, if a user uses an “elite” or “highly anonymous” proxy, their IP is hidden and the proxy’s IP address is shown instead; this is usually what hackers do when they aren’t stealing your wifi :)

    A good way to combat proxy usage is to test the IP address for connectivity on common proxy ports; this can be a slow process, so it’s best to set timeout limits and fork the process.

    In any software that allows users to interact, proxies are a developer’s worst nightmare in my opinion.

    Comment by Afterlife(69) — April 18, 2007 @ 4:55 pm

  4. I guess it depends on what you are trying to do. In my case the initial question was based on analysis I was doing on the comment log that I keep for my blog. I have added some custom features (that you no doubt experienced while posting your comment ;-) ) in an attempt to reduce the comment load. I review all of the comments, even those flagged by Akismet. So I was very interested in reducing that load.

    During my review process I found that there were comments being attempted within minutes or even seconds of each other on the same post_id that failed for the same reason but were from different IP addresses. So I was wondering if they were truly from different systems, or from a single system that was spoofing their IP.

    Comment by dave.rathbun — April 19, 2007 @ 8:45 am
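
The review described in comment 4 can be automated: group failed comments by post and failure reason, then flag runs of attempts that arrive close together from more than one address. This is an added example, not code from the post or its comments; the log layout, the reason names and the sample rows are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: (timestamp, post_id, source IP, rejection reason).
# Addresses are taken from the RFC 5737 documentation ranges.
SAMPLE_LOG = [
    ("2007-04-19 08:01:02", 112, "192.0.2.10", "missing_checkbox"),
    ("2007-04-19 08:01:05", 112, "198.51.100.7", "missing_checkbox"),
    ("2007-04-19 08:01:09", 112, "203.0.113.44", "missing_checkbox"),
    ("2007-04-19 08:01:30", 112, "192.0.2.10", "missing_checkbox"),  # repeat IP
    ("2007-04-19 09:15:00", 87, "192.0.2.99", "bad_url_count"),
    ("2007-04-19 11:40:00", 112, "198.51.100.200", "missing_checkbox"),
    ("2007-04-19 11:40:20", 112, "198.51.100.200", "missing_checkbox"),
]

def find_bursts(rows, window=timedelta(minutes=2), min_ips=2):
    """Return runs of failed comments on one post with one failure reason,
    where consecutive attempts are at most `window` apart and at least
    `min_ips` distinct source addresses took part."""
    groups = defaultdict(list)
    for ts, post_id, ip, reason in rows:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        groups[(post_id, reason)].append((when, ip))

    bursts = []
    for (post_id, reason), events in sorted(groups.items()):
        events.sort()
        run = [events[0]]
        for event in events[1:] + [None]:  # None flushes the final run
            if event is not None and event[0] - run[-1][0] <= window:
                run.append(event)
                continue
            ips = sorted({ip for _, ip in run})
            if len(ips) >= min_ips:
                bursts.append({"post_id": post_id, "reason": reason,
                               "start": run[0][0], "end": run[-1][0],
                               "attempts": len(run), "ips": ips})
            if event is not None:
                run = [event]
    return bursts

if __name__ == "__main__":
    for b in find_bursts(SAMPLE_LOG):
        print(b["post_id"], b["reason"], b["attempts"], "attempts from", b["ips"])
```

A flagged burst shows only that several connecting addresses were involved; whether those are separate machines or proxies in front of one machine has to be judged from other evidence.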
