Posted by Gordon Burditt on 03/02/07 23:54

>I've got a website coded in PHP, and a malicious person is
>posting fake spam messages to a low-security forum that I've coded.

I've got news for you: those are *REAL* SPAM.

>My forum code simply reads the POST data and in good faith
>posts the message to the forum and records the IP of the poster.
>Here is what is happening. Bogus messages are being posted
>always of roughly the same type or message, often with
>bogus URLs in them, and the IP address that I am recording
>is always random i.e. spoofed.

For TCP connections, it's very, very difficult to spoof an IP unless
you've taken over or can relay through the machine WITH that IP,
in which case in a very real sense, the IP is *not* spoofed, it's
accurate, although it's not going to help you figure out where to
send the SWAT team or target missiles to get the spammer.

What makes you think that there aren't millions of infected PCs as
part of the same botnet that all are sending the same spam?

>What I would like to do is to have the web server keep the
>connection open long enough to ascertain that the real
>IP of the spoofer is, or at least to ascertain that the HTTP
>request is more than one packet. Is it possible to do either
>of these from PHP?

It takes multiple TCP packets just to establish a connection.
Define "real IP". The IP address of the machine in the botnet is
likely the realest IP address you'll get without a subpoena, and
even then it will be difficult.
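The reply above makes two points a forum handler can act on: the address the TCP stack reports (`REMOTE_ADDR`) belongs to the machine that completed the handshake, so it is the address worth recording, and "roughly the same" messages arriving from many different addresses look like one botnet campaign rather than one spoofer. The following PHP is an added example illustrating both, not code from this thread or from either poster. The `TRUSTED_PROXIES` list, the function names, the `example.invalid` links and the sample addresses are all constructed for the example; a real forum would persist the log instead of keeping it in memory.

```php
<?php
// Added example (not from the original thread). Records the TCP peer address
// the web server saw (REMOTE_ADDR) and fingerprints each message body so that
// the same spam text arriving from many botnet members can be grouped.

declare(strict_types=1);

/** Hypothetical reverse proxies we operate; only they may set X-Forwarded-For. */
const TRUSTED_PROXIES = ['10.0.0.5'];

/**
 * Address to record for a post. REMOTE_ADDR is what the TCP stack handed the
 * web server; a header such as X-Forwarded-For is client-controlled and is
 * honoured only when the connection itself came from one of our own proxies.
 */
function posterAddress(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return 'invalid';
    }
    if (in_array($peer, TRUSTED_PROXIES, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // Use the last hop the proxy appended, not the first (client-supplied) entry.
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $candidate = end($hops);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    return $peer;
}

/**
 * Fingerprint of a message with URLs, case and whitespace normalised, so posts
 * that are "roughly the same" but carry different bogus links hash identically.
 */
function messageFingerprint(string $body): string
{
    $text = strtolower($body);
    $text = preg_replace('~https?://\S+~i', '<url>', $text);
    $text = preg_replace('~\s+~', ' ', trim($text));
    return hash('sha256', $text);
}

/** Append a post to the in-memory log (fingerprint => list of peer addresses). */
function recordPost(array &$log, array $server, string $body): string
{
    $fp = messageFingerprint($body);
    $log[$fp][] = posterAddress($server);
    return $fp;
}

/** Fingerprints posted from at least $minSources distinct addresses. */
function suspectedBotnetCampaigns(array $log, int $minSources = 3): array
{
    $out = [];
    foreach ($log as $fp => $addrs) {
        $distinct = count(array_unique($addrs));
        if ($distinct >= $minSources) {
            $out[$fp] = $distinct;
        }
    }
    return $out;
}

// Constructed sample requests: one pitch from three addresses with different
// links (one also tries to plant a fake source via X-Forwarded-For) plus a
// legitimate post.
$requests = [
    [['REMOTE_ADDR' => '198.51.100.10'], "Cheap pills!! visit http://example.invalid/a"],
    [['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '1.2.3.4'], "cheap  pills!! Visit http://example.invalid/b"],
    [['REMOTE_ADDR' => '192.0.2.99'], "Cheap pills!! visit http://example.invalid/c"],
    [['REMOTE_ADDR' => '192.0.2.50'], "Does anyone know how to configure the forum?"],
];

$log = [];
foreach ($requests as [$server, $body]) {
    recordPost($log, $server, $body);
}
foreach (suspectedBotnetCampaigns($log) as $fp => $n) {
    echo "campaign $fp seen from $n distinct addresses\n";
}
```

Run with `php` on the command line. The second request's `X-Forwarded-For` is ignored because 203.0.113.7 is not a trusted proxy, so the handshake peer is what gets logged; the three spam bodies normalise to the same fingerprint and are reported as one campaign seen from three distinct addresses, while the legitimate post is not.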