
Thread: Internal IP???

  1. #1

    Internal IP???


    I've sent a bugged email to a scammer, and the bug returned an internal IP address. The scammer is based out of Nigeria. I didn't want to risk them seeing the bug, so instead I directed them to a server with PHP with a hyperlink. They viewed the link three times, and each time it showed an internal IP address. I reviewed the email conversations, and they all came from that IP address as well.

    The address is 192.168.x.x, and they sure as hell aren't on my network. How did it return an internal address? The webserver shouldn't see an internal addy!

    Maybe I'm missing something. Let me know...

  2. #2
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Weird, the only way that I know of that you might get an internal IP is with JavaScript (which I assume you would not use since you want the WAN IP). Did you write the bug yourself, and if so can we see the source? Is it like the ones I have here:


  3. #3
    PHP Code:



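    // Notification mail: who viewed the image ($IP), when, and with which user agent ($UA)
    $body = "Image viewed by " . $IP . " on " . date("D dS M,Y h:i a");
    $subject = "Image has been viewed with a " . $UA;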

    I didn't touch javascript, I used PHP for the job. It runs over email like my tut here:

    There's no reason it should be giving me an internal addy. I've been using these for a long time and it's the first time I've seen this.

  4. #4
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Very weird. You could PM a link to your bug and see what it returns when I hit it from my box behind a NAT router.

  5. #5
    Join Date
    Apr 2004
    Just a question, Soda_Popinsky: what's your success rate in finding a spammer's real IP and ISP using this technique? And when you do, do you report them? And if so, what's your success rate in actually getting them kicked off their ISP, or at least having their ISP tell them not to spam you anymore? I'm guessing you haven't had any more luck than I have, since I've been fighting spammers for a very long time and most ISPs tend to ignore me ...
    I am the uber duck!!1
    Proxy Tools

  6. #6
    I have some email honeypots set up, but because of the way I've planted their email addresses on the internet I don't really get much spam. It's almost 100% scams, about 15 a day.

    I also have jackpot honeypots set up, more on that here:

    But they don't get much attention. I haven't found a good way to advertise their presence yet. As for pursuing these things: owned servers I can get taken offline almost immediately by contacting their owners or ISP. Scammers, I prefer to convince them to quit their job. Spamming is a hard one to go after.

    Check your PMs, Irongeek.

  7. #7
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Well, from the PM you got an IP from my ISP. I'm afraid that shed no light on the subject. By the way, I did some more looking and it seems I'm behind two NAT boxes (my router's WAN is 10.x.x.x). I have no idea what's going on, sorry.

  8. #8
    Senior Member
    Join Date
    Jan 2005
    Originally posted here by The Duck
    ...since I've been fighting spammers for a very long time and most ISPs tend to ignore me ...
    - The Duck, I share the feeling of being ignored and, come to think of it, that we had wasted our time just to report such things. BTW, free E-Mail spam filter really is bugging me!

    "Life without FREEDOM is no life at all". - William Wallace
    MyhomE MyboX StealtH (loop n. see loop.)

  9. #9
    Elite Hacker
    Join Date
    Mar 2003
    I have no idea how they did that. Some people like to brag though. Why not send them another email asking them how they appear to be browsing from a 192.168.x.x address? They probably know how they're doing it, whereas in all likelihood nobody here does. It may sound stupid, but it's still worth a shot.

  10. #10
    I would, but I'd give myself away. They don't know they're being given the run around yet.

    Here's another clue:
    The address I received from an email 5 minutes before the notification email is different.
    Received: from [83.x.x.x] by x.mail.ukl.yahoo.com via HTTP; Sun, 13 Mar 2005 11:21:29 GMT
    The notification email has the 192.168. in the headers and from my PHP remote_addr
    X-MM-Mail-From-IP: 192.168.x.x
    All previous emails were from 81.x.x.x, 82.x.x.x, 83.x.x.x, however this web bug returned an internal address.
