IP spoofer problem

Hi all,

I've got a website coded in PHP, and a malicious person is
posting fake spam messages to a low-security forum that I've coded.
My forum code simply reads the POST data and in good faith
posts the message to the forum and records the IP of the poster.
Here is what is happening. Bogus messages are being posted
always of roughly the same type or message, often with
bogus URLs in them, and the IP address that I am recording
is always random, i.e. spoofed.

What I would like to do is to have the web server keep the
connection open long enough to ascertain what the real
IP of the spoofer is, or at least to ascertain that the HTTP
request is more than one packet. Is it possible to do either
of these from PHP?


Re: IP spoofer problem

Varn wrote:
No, it's not possible in PHP.  However, they probably aren't using a
spoofed IP address, anyway.  Most of these use anonymous proxies - of
which there are a bunch all over the world.

You may be better off parsing the message for URLs - if there are more
than one or two, reject the message.  It might help.

Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
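
The URL-count check suggested in the reply above, sketched in PHP as an added example that is not part of the original thread. The names `count_links()`, `accept_post()` and `MAX_LINKS` are hypothetical, the sample posts are constructed, and the threshold of two is taken from "more than one or two".

```php
<?php
// Added example, not code from the thread. All names here are hypothetical.

const MAX_LINKS = 2; // assumption: "more than one or two" means reject at three

/**
 * Count link-like tokens in a submitted message: scheme URLs, bare www. hosts,
 * BBCode [url] tags and HTML anchors.
 */
function count_links(string $message): int
{
    // Decode entities first so "&#104;ttp://..." is counted like "http://...".
    $text = html_entity_decode($message, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Plain URLs, plus www. hosts that are not already part of a scheme URL.
    $urls = (int) preg_match_all('~\b(?:https?|ftp)://[^\s<>"\'\[\]]+~i', $text)
          + (int) preg_match_all('~(?<![/\w.@-])www\.[a-z0-9-]+\.[a-z]{2,}~i', $text);

    // Link markup, which may wrap a target that has no scheme at all.
    $tags = (int) preg_match_all('~\[url\b~i', $text)
          + (int) preg_match_all('~<a\s[^>]*\bhref\b~i', $text);

    // A tag usually wraps a URL, so take the larger count instead of the sum
    // to avoid counting [url=http://...] twice.
    return max($urls, $tags);
}

/** Decide whether the forum should store the post. */
function accept_post(string $message, int $maxLinks = MAX_LINKS): bool
{
    return count_links($message) <= $maxLinks;
}

// Constructed sample posts.
$samples = [
    'Has anyone tried the fix described at http://example.org/thread/12 ?',
    'cheap pills http://a.example buy now www.b.example [url=http://c.example]click[/url]',
    'visit [url]a.example[/url] [url]b.example[/url] [url]c.example[/url]',
];

foreach ($samples as $s) {
    printf("%-6s links=%d  %s\n", accept_post($s) ? 'accept' : 'reject', count_links($s), $s);
}
```

Call `accept_post()` on the message body before the insert into the forum table, and log rejected posts rather than discarding them silently so false positives can be reviewed.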

Re: IP spoofer problem

I've got news for you:  those are *REAL* SPAM.

For TCP connections, it's very, very difficult to spoof an IP unless
you've taken over or can relay through the machine WITH that IP,
in which case in a very real sense, the IP is *not* spoofed, it's
accurate, although it's not going to help you figure out where to
send the SWAT team or target missiles to get the spammer.

What makes you think that there aren't millions of infected PCs as
part of the same botnet that all are sending the same spam?

It takes multiple TCP packets just to establish a connection.

Define "real IP".  The IP address of the machine in the botnet is
likely the realest IP address you'll get without a subpoena, and
even then it will be difficult.

Re: IP spoofer problem

On Fri, 02 Mar 2007 23:54:24 -0000, gordonb.26cis@burditt.org (Gordon Burditt)

If it's like what I'm seeing:
Probably because it's obvious from the posts appearing.
I've been seeing what sounds very much like this on a number
of forums I manage lately. The posts look manually controlled
but computer generated. i.e. it looks like someone sitting at a desk
controlling a semi-smart bot.

While it's hard to track a connection back I understand it can be done.
I too would like to know how as I can see this problem exploding if
there isn't a fast and widespread response.

Would this take something like ethereal or other tool - perhaps
pinging away?

If there are known anonymising proxies does anyone maintain a list - those
at least could easily be blocked on almost all forums.

Using captcha is an ugly temporary stopgap at best and when it breaks shortly
everyone is going to be Ssoooooo shocked. Relying on that is worse than no
use at all. Pattern matching software that could OCR those has been around
since way before the early days of corel-draw.

Resignation and tutting won't get the job done.
Every problem has a solution.
Solutions to the problem are sought.

Re: IP spoofer problem

Varn wrote:

If it's an automated spam, you may have to install one of those things
with the wiggly jpeg letters & numbers to be re-typed by a live human. I
know someone who had to install something like that, I think it was a
simple plugin sort of deal. Sorry I'm not more specific.

Re: IP spoofer problem

Paul Furman wrote:

You're talking about the Turing test, aka. Captcha:

"I'm not a bad person, but apples are my livelihood." -Perttu Sirviö
spam@outolempi.net | Gedoon-S @ IRCnet | rot13(xvzzb@bhgbyrzcv.arg)

Re: IP spoofer problem

Kimmo Laine wrote:

CAPTCHA is not a Turing test, since a Turing test doesn't allow / tolerate
cheating. A CAPTCHA is trivially solved by a computer by forwarding it to a
human, letting him calculate the answer for you, and backforwarding the
