yeah, unless you count a proxy as "faked", it's pretty safe to be real. Allthough, I'm really not into this technical stuff, but I always thought that most cgi-scripts are kind of vulnerable in that way because of http's statelessness, i.e. you could spoof a request from a certain IP and have a script executed. You wouldn't get the output, of course, but the script would run and get the spoofed IP as the client. As I said, I don't really know if that's true, I just got the impression from reading a little into the whole thing - anyone care to clear that up?