March 13th, 2005, 08:04 PM
I've sent a bugged email to a scammer, and the bug returned an internal IP address. The scammer is based out of Nigeria. I didn't want to risk them seeing the bug, so instead I directed them to a server with PHP with a hyperlink. They viewed the link three times, and each time it showed an internal IP address. I reviewed the email conversations, and they all came from that IP address as well.
The address is 192.168.x.x, and they sure as hell aren't on my network. How did it return an internal address? The webserver shouldn't see an internal addy!
Maybe I'm missing something. Let me know...
March 13th, 2005, 08:12 PM
March 13th, 2005, 08:44 PM
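<?php
// Web bug: mail a notification each time the linked page or image is requested.
$to = "myemail";
// Address of the connecting peer as seen by the web server.
$IP = $_SERVER['REMOTE_ADDR'];
// The User-Agent header is optional, so guard against it being absent.
$UA = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : 'unknown';
$body = "Image viewed by " . $IP . " on " . date("D dS M,Y h:i a");
$subject = "Image has been viewed with a " . $UA;
mail($to, $subject, $body);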
There's no reason it should be giving me an internal addy. I've been using these for a long time and it's the first time I've seen this.
March 13th, 2005, 08:48 PM
Very weird. You could PM a link to your bug and see what it returns when I hit it from my box behind a NAT router.
March 13th, 2005, 08:55 PM
Just a question, Soda_Popinsky: what's your success rate in finding a spammer's real IP and ISP using this technique? And when you do, do you report them? And if so, what's your success rate in actually getting them kicked off their ISP or at least having their ISP tell them not to spam you anymore? I'm guessing you haven't had any more luck than I have, since I've been fighting spammers for a very long time and most ISPs tend to ignore me ...
March 13th, 2005, 09:09 PM
I have some email honeypots set up, but because of the way I've planted their email addresses on the internet I don't really get much spam. It's almost 100% scams, about 15 a day.
I also have jackpot honeypots set up, more on that here:
But they don't get much attention. I haven't found a good way to advertise their presence yet. As for pursuing these things: owned servers I can get taken offline almost immediately by contacting their owners or ISP; scammers, I prefer to convince them to quit their job. Spamming is a hard one to go after.
Check your PMs, Irongeek.
March 13th, 2005, 09:16 PM
Well, from the PM you got an IP from my ISP. I'm afraid that shed no light on the subject. By the way, I did some more looking and it seems I'm behind two NAT boxes (my router's WAN is 10.x.x.x). I have no idea what's going on, sorry.
March 13th, 2005, 09:24 PM
- The Duck, I share the feeling of being ignored and come to think of it that we had wasted our time just to report such things. BTW, free E-Mail spam filter really is bugging me!
Originally posted here by The Duck
...since I've been fighting spammers for a very long time and most ISPs tend to ignore me ...
March 13th, 2005, 09:26 PM
I have no idea how they did that. Some people like to brag though. Why not send them another email asking them how they appear to be browsing from a 192.168.x.x address? They probably know how they're doing it, whereas in all likelihood nobody here does. It may sound stupid, but it's still worth a shot.
March 13th, 2005, 09:32 PM
I would, but I'd give myself away. They don't know they're being given the run around yet.
Here's another clue:
The address I received from an email 5 minutes before the notification email is different.
The notification email has the 192.168. in the headers and from my PHP remote_addr
Received: from [83.x.x.x] by x.mail.ukl.yahoo.com via HTTP; Sun, 13 Mar 2005 11:21:29 GMT
All previous emails were from 81.x.x.x, 82.x.x.x, 83.x.x.x, however this web bug returned an internal address.
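Added example, not part of the thread and not any poster's code: a small triage helper that pulls the sender addresses out of a message's Received: headers and compares the originating hop with the address a web bug logged, labelling each as RFC 1918 or public. The header block and all addresses below are constructed samples; the function names are hypothetical.

```python
import ipaddress
import re

# RFC 1918 ranges, listed explicitly: ipaddress.is_private also covers
# documentation and other special-use blocks, which would mislabel the samples.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed sample headers (addresses are placeholders, not from the thread).
SAMPLE_HEADERS = (
    "Received: from mta.example.net (mta.example.net [198.51.100.9])\r\n"
    "\tby mx.example.org with SMTP; Sun, 13 Mar 2005 11:21:40 GMT\r\n"
    "Received: from [203.0.113.7] by web.example.net via HTTP;"
    " Sun, 13 Mar 2005 11:21:29 GMT\r\n"
    "Subject: constructed sample\r\n"
)


def classify(addr):
    """Return 'rfc1918', 'public' or 'invalid' for a dotted-quad string."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ipaddress.AddressValueError:
        return "invalid"  # e.g. a redacted '192.168.x.x' or an octet > 255
    return "rfc1918" if any(ip in net for net in RFC1918) else "public"


def received_hops(raw_headers):
    """List (address, class) for each Received: header, newest hop first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)  # undo header folding
    hops = []
    for line in unfolded.splitlines():
        if line.lower().startswith("received:"):
            # Only the 'from' clause names the sending host; cut at ' by '.
            from_part = re.split(r"\sby\s", line, maxsplit=1)[0]
            hops += [(a, classify(a)) for a in IPV4.findall(from_part)]
    return hops


def compare(raw_headers, web_bug_addr):
    """Compare the earliest mail hop with the address the web bug logged."""
    hops = received_hops(raw_headers)
    origin = hops[-1] if hops else (None, "invalid")  # bottom header = first hop
    bug = (web_bug_addr, classify(web_bug_addr))
    return {"mail_origin": origin, "web_bug": bug,
            "mismatch": origin[1] != bug[1]}


if __name__ == "__main__":
    print(compare(SAMPLE_HEADERS, "192.168.1.23"))  # constructed web-bug address
```
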