By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
438,747 Members | 2,011 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 438,747 IT Pros & Developers. It's quick & easy.

IP spoofer problem

P: n/a
Hi all,

I've got a website coded in PHP, and a malicious person is
posting fake spam messages to a low-security forum that I've coded.
My forum code simply reads the POST data and in good faith
posts the message to the forum and records the IP of the poster.
Here is what is happening. Bogus messages are being posted
always of roughly the same type or message, often with
bogus URLs in them, and the IP address that I am recording
is always random i.e. spoofed.

What I would like to do is to have the web server keep the
connection open long enough to ascertain that the real
IP of the spoofer is, or at least to ascertain that the HTTP
request is more than one packet. Is it possible to do either
of these from PHP?

Thanks.

Mar 2 '07 #1
Share this Question
Share on Google+
4 Replies


P: n/a
Varn wrote:
Hi all,

I've got a website coded in PHP, and a malicious person is
posting fake spam messages to a low-security forum that I've coded.
My forum code simply reads the POST data and in good faith
posts the message to the forum and records the IP of the poster.
Here is what is happening. Bogus messages are being posted
always of roughly the same type or message, often with
bogus URLs in them, and the IP address that I am recording
is always random i.e. spoofed.

What I would like to do is to have the web server keep the
connection open long enough to ascertain that the real
IP of the spoofer is, or at least to ascertain that the HTTP
request is more than one packet. Is it possible to do either
of these from PHP?

Thanks.
No, it's not possible in PHP. However, they probably aren't using a
spoofed IP address, anyway. Most of these use anonymous proxies - of
which there are a bunch all over the world.

You may be better off parsing the message for URL's - if there are more
than one or two reject the message. It might help.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Mar 2 '07 #2

P: n/a
>I've got a website coded in PHP, and a malicious person is
>posting fake spam messages to a low-security forum that I've coded.
I've got news for you: those are *REAL* SPAM.
>My forum code simply reads the POST data and in good faith
posts the message to the forum and records the IP of the poster.
Here is what is happening. Bogus messages are being posted
always of roughly the same type or message, often with
bogus URLs in them, and the IP address that I am recording
is always random i.e. spoofed.
For TCP connections, it's very, very difficult to spoof an IP unless
you've taken over or can relay through the machine WITH that IP,
in which case in a very real sense, the IP is *not* spoofed, it's
accurate, although it's not going to help you figure out where to
send the SWAT team or target missiles to get the spammer.

What makes you think that there aren't millions of infected PCs as
part of the same botnet that all are sending the same spam?
>What I would like to do is to have the web server keep the
connection open long enough to ascertain that the real
IP of the spoofer is, or at least to ascertain that the HTTP
request is more than one packet. Is it possible to do either
of these from PHP?
It takes multiple TCP packets just to establish a connection.

Define "real IP". The IP address of the machine in the botnet is
likely the realest IP address you'll get without a subpoena, and
even then it will be difficult.

Mar 3 '07 #3

P: n/a
Varn wrote:
Hi all,

I've got a website coded in PHP, and a malicious person is
posting fake spam messages to a low-security forum that I've coded.
My forum code simply reads the POST data and in good faith
posts the message to the forum and records the IP of the poster.
Here is what is happening. Bogus messages are being posted
always of roughly the same type or message, often with
bogus URLs in them, and the IP address that I am recording
is always random i.e. spoofed.
If it's an automated spam, you may have to install one of those things
with the wiggly jpeg letters & numbers to be re-typed by a live human. I
know someone who had to install something like that, I think it was a
simple plugin sort of deal. Sorry I'm not more specific.
Mar 3 '07 #4

P: n/a
Paul Furman kirjoitti:
Varn wrote:
>Hi all,

I've got a website coded in PHP, and a malicious person is
posting fake spam messages to a low-security forum that I've coded.
My forum code simply reads the POST data and in good faith
posts the message to the forum and records the IP of the poster.
Here is what is happening. Bogus messages are being posted
always of roughly the same type or message, often with
bogus URLs in them, and the IP address that I am recording
is always random i.e. spoofed.

If it's an automated spam, you may have to install one of those things
with the wiggly jpeg letters & numbers to be re-typed by a live human. I
know someone who had to install something like that, I think it was a
simple plugin sort of deal. Sorry I'm not more specific.
You're talking about the Turing test, aka. Captcha:
http://en.wikipedia.org/wiki/CAPTCHA

--
"En ole paha ihminen, mutta omenat ovat elinkeinoni." -Perttu Sirviö
sp**@outolempi.net | Gedoon-S @ IRCnet | rot13(xv***@bhgbyrzcv.arg)
Mar 3 '07 #5

This discussion thread is closed

Replies have been disabled for this discussion.