Internal IP???

http://yahoo.weblogsinc.com/entry/2498506749651474/

The scammer is on Yahoo! email, my php script is hosted on Lycos. This may have been very odd circumstances...

According to that link and others, Yahoo and Lycos are partnering up for games and messaging. The webserver I'm using and the email he's using are both based out of .uk (lycos.co.uk and yahoo.co.uk)

Is it possible that Yahoo.co.uk changes hyperlinks to something like http://proxy.yahoo.co.uk?addy=http:/...hyperlink/bug, then sends the result to the viewer with the proxy? If so, and depending on the network, is it possible that the proxy never had to leave the network to get to the webhost I'm on, giving my script an internal IP address???

It's a pretty crazy idea... It's all I can think of. I'm going to register for an account to see how it handles it, and if I can replicate the circumstances.

The email he's using may be yahoo.co.uk but he's still not reading it from yahoo.co.uk, he's on his box wherever. And your bug picks up his ip, not the email server's correct?

I was thinking earlier, he may have a local email server that he checks using the local ip, but then it occurred to me that you would still get his internet ip from the bug, or would you? I guess since it's a yahoo account then yes, but I don't know. So those 8*.x.x.x addresses are proxies or what? And what are you going to do if you get an ip that you do or don't know is his?

Quote:

---

And your bug picks up his ip, not the email server's correct?

---

If he clicks the link in the email, and a browser opens up- I have his IP. However, my theory was that yahoo may have changed the link to redirect through a proxy (sortof like a frameset, proxify?) however I registered an account with yahoo.co.uk and this isn't the case. My theory is shot down because it gave me my correct IP address.

Quote:

---

I was thinking earlier, he may have a local email server that he checks using the local ip, but then it occurred to me that you would still get his internet ip from the bug, or would you?

---

It could be that he is downloading his email over POP3 or something, however in the end it's just a hyperlink and it should open his browser. In fact, I got his User Agent too:
Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)

Plus this header:
Received: from [83.x.x.x] byx.mail.ukl.yahoo.com via HTTP; Sun, 13 Mar 2005 11:21:29 GMT

Tells me that he's using the web interface to send receive emails. They very well could be proxies, but I'll save them anyways if I feel like making a formal complaint of some sort.

sounds like he is using a proxy. I mean the guy is a spammer, Im sure he is somewhat cautious to hide his true IP address.

A proxy would be my guess too..

Why don't you just check the weblogs? Or are these not available?
These definitely should contain his/her Internet IP.

Have a look at the user comments at http://nl3.php.net/getenv.
Seems you're not the first to encounter this.

Quote:

---

my php script is hosted on Lycos.

---

- Soda_Popinsky, hello! One question, what if somehow, these people were wise enough to trace your script (the source) and could probably doing a reverse tracing with you right now? I mean, come to think of the idea that these scammers (in one point) knew the work-around in web servers and such.

I don’t like to think of the situation this way but I am also interested about this concept of tracing the bad guys using your own tools, but I could not figure out any ideas aside from the scammers maybe using multiple proxy for anonymity (just like what the other AO guys are thinking).

And about the thread link here for Irongeek’s tut, I’ve also been reading about tracing/tracking website visitors but most of the ideas I had read is using third-party web analyzer doing the job for you, but your tut, as well as Soda_Popinsky’s, really is helpful for webmasters and other analyst to use it in good ways.

Going back to the topic, mostly scripts for web pages (specifically javascript) could only return the IP of proxy (if it exist), right? But in this case, for the e-mail bugger, returning a local IP add is a BIG challenge to be answered.

BTW, guys, I cannot test your tuts right now, since I don’t have resources to do so (properly configured web server, honeypot, etc.), but I am eager to learn more of this when I go back home. Maybe I’ll continue and go on reading some of the links you had provided.

Hope you solve the local IP dilemma thing soon.

Yo!

Quote:

---

sounds like he is using a proxy. I mean the guy is a spammer, Im sure he is somewhat cautious to hide his true IP address.

---

With an IP like that, he would be confusing every device between myself and him and his requests would end up in lala land.

Quote:

---

A proxy would be my guess too..

Why don't you just check the weblogs? Or are these not available?
These definitely should contain his/her Internet IP.

Have a look at the user comments at http://nl3.php.net/getenv.
Seems you're not the first to encounter this.

---

I see some posts about getting their internal IP intentionally, but I don't see one about my problem... I'm probably missing it, but I'm going to try one of their stronger scripts that will get the IP with the proxy.

Quote:

---

One question, what if somehow, these people were wise enough to trace your script (the source) and could probably doing a reverse tracing with you right now? I mean, come to think of the idea that these scammers (in one point) knew the work-around in web servers and such.

---

If they did, they would have to deal with Lycos security, and in the end they will have my transparent email address and nowhere to go ;)

It's not all that unusual for an internal address to appear in a mail header,
if, like me, you haven't figured out how to configure sendmail to rewrite
it as your public address.

Code:

---

Return-Path: <[email protected]>
Received: from norm.shentel.net (acer.localdomain [127.0.0.1])
        by acer.localdomain (8.11.6/8.11.6) with ESMTP id j2F7AOx11458
        for <rcgreen@localhost>; Tue, 15 Mar 2005 02:10:24 -0500
Received: from marlin.shentel.net (marlin.shentel.net [204.111.11.42])
        by norm.shentel.net (8.13.1/8.13.1) with ESMTP id j2F75Sak013871
        for <[email protected]>; Tue, 15 Mar 2005 02:05:28 -0500
Received: from eforward3.name-services.com (eforward3.name-services.com [63.251.83.52])
        by marlin.shentel.net (8.12.11/8.12.11) with ESMTP id j2F75RW8008157
        for <[email protected]>; Tue, 15 Mar 2005 02:05:27 -0500
Received: from seahorse.shentel.net ([204.111.11.44]) by eforward3.name-services.com with Microsoft SMTPSVC(5.0.2195.6747);
        Mon, 14 Mar 2005 23:04:30 -0800
Received: from acer.localdomain (ha96s593.d.shentel.net [204.111.98.81])
        by seahorse.shentel.net (8.12.11/8.12.11) with ESMTP id j2F75P7C018584
        for <[email protected]>; Tue, 15 Mar 2005 02:05:26 -0500
Received: from rcgreen (rcgreen [192.168.0.1])
        by acer.localdomain (8.11.6/8.11.6) with SMTP id j2F76Bx11408
        for <[email protected]>; Tue, 15 Mar 2005 02:06:12 -0500
Message-ID: <000d01c5292d$5ecd30e0$51626fcc@rcgreen>
Reply-To: "Randy C. Green" <[email protected]>
From: "Randy C. Green" <[email protected]>
To: <[email protected]>
Subject: a mail test
Date: Tue, 15 Mar 2005 02:05:28 -0500
MIME-Version: 1.0
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1437
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
X-OriginalArrivalTime: 15 Mar 2005 07:04:30.0578 (UTC) FILETIME=[3BF00520:01C5292D]
X-UIDL: /HD"!;[V"!DIT"!iJH!!
X-SpamBouncer: 2.0 beta RC5 (01/31/05)
X-SBScore: 0 (Spam Threshold: 20) (Block Threshold: 5)
X-SBClass: OK
Status: 

check the headers on this.

---

It's a minor blemish, and doesn't affect the delivery of the mail.
You can still see where it is really coming from.
:cool:

Quote:

---

Originally posted here by rcgreen
It's not all that unusual for an internal address to appear in a mail header,

---

Correct. But that's not Soda's problem. Seems he's picking up the internal address in his php script with $_SERVER{'REMOTE_ADDR'}.

So what does this mean? Is the spammer a moron who doesn't know
how to configure his outgoing mail server, or a genius for spoofing
the address?
:cool: