Internal IP???

***Soda_Popinsky*** · March 13th, 2005, 09:04 PM

Hello-

I've sent a bugged email to a scammer, and the bug returned an internal IP address. The scammer is based out of Nigeria. I didn't want to risk them seeing the bug, so instead I directed them to a server with PHP with a hyperlink. They viewed the link three times, and each time it showed an internal IP address. I reviewed the email conversations, and they all came from that IP address as well.

The address is 192.168.x.x, and they sure as hell aren't on my network. How did it return an internal address? The webserver shoudn't see an internal addy!

Maybe I'm missing something. Let me know...
Thanks!

***Irongeek*** · March 13th, 2005, 09:12 PM

Weird, the only way that I know of that you might get an internal IP is with javascript (which I assume you would not use since you one the WAN IP). Did you write the bug yourself, and if so can we see the source? Is it like the ones I have here:

http://www.antionline.com/showthread...hreadid=263046

***Soda_Popinsky*** · March 13th, 2005, 09:44 PM

PHP Code:


&lt;?php



$to = "myemail";



$IP = $_SERVER['REMOTE_ADDR'];

$UA = $_SERVER['HTTP_USER_AGENT'];



$body = "Image viewed by " . $IP . " on " . date("D dS M,Y h:i a");

$subject = "Image has been viewed with a " . $UA;



mail($to, $subject, $body);

?&gt;

I didn't touch javascript, I used PHP for the job. It runs over email like my tut here:
http://www.antionline.com/showthread...hreadid=260660

There's no reason it should be giving me an internal addy. I've been using these for a long time and it's the first time I've seen this.

***Irongeek*** · March 13th, 2005, 09:48 PM

Very weird. You could PM a link to your bug and see what it returns when I hit it from my box behind a NAT router.

***The Duck*** · March 13th, 2005, 09:55 PM

Just a question Soda_Popinsky, What's your success rate in finding a spammers real IP and ISP using this technique? And when you do, do you report them? And if so whats your success rate in actually getting them kicked off their ISP or at least having their ISP telling them not to spam you anymore? I'm guessing you havn't had anymore luck then I have, since I'v been fighting spammers for a very long time and most ISP's tend to ignore me

...

***Soda_Popinsky*** · March 13th, 2005, 10:09 PM

I have some email honeypots set up, but because of the way I've planted their email addresses on the internet I don't really get much spam. It's almost 100% scams, about 15 a day.

I also have jackpot honeypots set up, more on that here:
http://jackpot.uk.net/
http://www.antionline.com/showthread...hreadid=265780

But they don't get much attention. I haven't found a good way to advertise their presence yet. As for pursuing these things, owned servers I can get taken offline almost immediately by contacting their owners or ISP, Scammers- I prefer to convince them to quit their job. Spamming is a hard one to go after.

Check your PM's Irongeek.

***Irongeek*** · March 13th, 2005, 10:16 PM

Well, from the PM you got an IP from my ISP. I'm afraid that shed no light on the subject. By the way, I did some more looking and it seems I’m behind two NAT boxes (my routers wan is 10.x.x.x). I have no idea what's going on, sorry.

**scratchONtheBOX** · March 13th, 2005, 10:24 PM

Originally posted here by The Duck
...since I'v been fighting spammers for a very long time and most ISP's tend to ignore me ...

- The Duck, I share the feeling of being ignored and come to think of it that we had wasted our time just to report such things. BTW, free E-Mail spam filter really is bugging me!

Yo!

***skiddieleet*** · March 13th, 2005, 10:26 PM

I have no idea how they did that. Some people like to brag though. Why not send them another email asking them how they appear to be browsing from a 192.168.x.x address? They probably know how they're doing it, whereas in all likelihood nobody here does. It may sound stupid, but it's still worth a shot

.

***Soda_Popinsky*** · March 13th, 2005, 10:32 PM

I would, but I'd give myself away.

They don't know they're being given the run around yet.

Here's another clue:
The address I received from an email 5 minutes before the notification email is different.

Received: from [83.x.x.x] by x.mail.ukl.yahoo.com via HTTP; Sun, 13 Mar 2005 11:21:29 GMT

The notification email has the 192.168. in the headers and from my PHP remote_addr

X-MM-Mail-From-IP: 192.168.x.x

All previous emails were from 81.x.x.x, 82.x.x.x, 83.x.x.x, however this web bug returned an internal address.

Thread: Internal IP???

Thread Tools

Display

Internal IP???

Posting Permissions