Welcome to WebmasterWorld Guest from 188.8.131.52
Forum Moderators: ergophobe
I'm getting some registrations from spammers who don't have IP addresses and I figured it would be easier to block all users with no IP than blocking each of these usernames one by one.
Are there many legitimate users that won't have an IP address for good reasons?
In fact, they wouldn't even be able to view your site or any other -- They could not receive anything from the servers. The HTTP protocol cannot work if no IP address is provided at the TCP/IP level.
I thought it was really strange, too. I don't know if it makes any difference but I assume they're using a bot to send requests to my registration script rather than actually visiting my website through a browser.
I added some PHP code to collect their IP address and then I banned all users who don't have an IP which essentially are just the few spammer registrations.
But now they started signing up with IP addresses so I added functionality to allow me to ban the IP addresses they're using.
Anyway, whether they do or dont have an IP I should be able to control their access now. Still, it is kind of wierd that the script wasn't capturing their IP. Here's the script:
if (!empty($_SERVER['HTTP_CLIENT_IP'])) //check ip from share internet
elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) //to check ip is pass from proxy
[edited by: jatar_k at 4:06 pm (utc) on Dec. 17, 2008]
[edit reason] added code [/edit]
Is the script I found missing something or are they masking their IP somehow?
I also don't understand how they're able to register since I have additional code that doesn't add new users to the database unless they have an ip address. In fact, I also have an include in all of my pages that doesn't even allow access to my site if no IP is detected.
Do you think they're bypassing my registration script and somehow sending a query directly to my database?
And avoid using permanent bans to ips.
PS: The bug in your code, is that someone could setup the HTTP_CLIENT_IP or HTTP_X... header vars on purpose (which some space chars) in which case your code returns an invalid IP.
Again, it is impossible to use HTTP if a sending client doesn't send a valid and correct IP address in outgoing TCP/IP packets because as a result, server replies cannot be routed back to the sender. The IP address is added by the sender's TCP/IP stack, and any packet with an invalid or incorrect sender IP address cannot be replied-to. The TCP/IP protocol is the lower-level protocol upon which HTTP connections depend, and HTTP cannot work if improper TCP/IP packets are received.
die("Your access to our website has been disabled.");
Yet still they are able to register. I'm inserting their ip address into my database at the time of registration and sometimes their spam signups show an IP and sometimes it doesnt which is hard to believe considering the code above should be preventing them from even viewing my website.
Any other ideas? Thanks again for your help.