IP address tracking

Started by jhb8426, May 11, 2012, 08:24:55 PM


jhb8426

Can someone explain the difference, or how it occurs that message IPs and error IPs differ?

View IPs used by billybob
Most recent IP address:    74.128.123.139
IPs used in messages:    74.128.123.139
IPs used in error messages:    166.249.132.233, 166.249.141.154, 166.249.141.56, 166.249.144.14, 173.245.64.83, 184.45.53.41, 184.45.56.54, 74.128.123.139, 74.132.48.199

This account normally comes in on the 74.128.123.x address, an ISP. Yet the errors are tracked on a number of IPs. The 166.249.x.x is Verizon. The 184.45.x.x is BellSouth.

The problematic one is 173.245.64.83. This is a dedicated hosting service we've blocked for their entire block because it's an anon proxy source for spammers.

View IPs used by Susan_Spammer
Most recent IP address:    173.245.76.194
IPs used in messages:    (None)
IPs used in error messages:    173.245.76.194

The guy swears he's never used an anon proxy to connect. We've unblocked the range for now. We've seen this more than once for a range of user accounts.

Thanks.

Arantor

A user's IP address is absolutely no guide to identifying a user.

User IP addresses change over time where the ISP issues a new IP address as the request passes through their network; some ISPs can even issue a new IP address with every single page, though most don't.

Did your user ever post via a mobile, for example? That would give them a very different IP address. Or indeed just a different routing via the ISP in the process; it doesn't have to be a proxy (or it could simply be a proxy that the ISP uses internally).

It's really not a good barometer - and when IPv6 rolls out the problem is only going to get worse.
Holder of controversial views, all of which my own.


jhb8426

OK. I am aware of DSL/DHCP IP changes. In my own case, Qwest/CenturyLink gives me a new one multiple times a day, but it's always in their range. But some of these seem way out of the norm. In some cases we see quite constant addressing for extended periods.

nend

CenturyLink IP addresses time out within 5 minutes on most modem setups. What I mean here is the modem will actually release its connection if it is not used for 5 minutes. That is how my modem is set up anyways. So I can have multiple IP addresses throughout the day. ;)

Arantor

So they're posting from a different place. Maybe they're posting via mobile. Maybe they're at work instead of being at home, or vice versa. Maybe it's the public library.

There are all sorts of explanations for different ranges. It's also possible that the range has recently been transferred in terms of ownership, seeing how IPv4 is quickly running out.


jhb8426

OK, after further questioning the guy finally says, "Oh Yeah, I was using a proxy server that day. Probably forgot to disconnect."

Looks like problem solved.

Thanks.
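
An added example, not part of any post in this thread: a small audit of the "View IPs" output quoted in the first post. It lists the addresses that appear only in the error log, flags those inside a blocked range, and groups them by /16 as the first post does by hand. The blocked CIDR is an assumption, since the thread never states it.

```python
import ipaddress
from collections import defaultdict

# Assumption: the forum's blocked hosting range. The thread does not give the
# CIDR, so this /18 is a placeholder chosen to cover the logged address.
BLOCKED_RANGES = [ipaddress.ip_network("173.245.64.0/18")]

# Addresses copied from the "View IPs" output quoted in the first post.
MESSAGE_IPS = ["74.128.123.139"]
ERROR_IPS = [
    "166.249.132.233", "166.249.141.154", "166.249.141.56", "166.249.144.14",
    "173.245.64.83", "184.45.53.41", "184.45.56.54", "74.128.123.139",
    "74.132.48.199",
]

def group_by_prefix(ips, prefix_len=16):
    """Bucket addresses by their enclosing network of the given prefix length."""
    groups = defaultdict(list)
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        groups[str(net)].append(ip)
    return dict(groups)

def audit(message_ips, error_ips, blocked=BLOCKED_RANGES):
    """Return IPs seen only in the error log and those inside a blocked range."""
    error_only = sorted(set(error_ips) - set(message_ips),
                        key=ipaddress.ip_address)
    in_blocked = [ip for ip in error_only
                  if any(ipaddress.ip_address(ip) in net for net in blocked)]
    return {"error_only": error_only, "in_blocked": in_blocked,
            "networks": group_by_prefix(error_ips)}

if __name__ == "__main__":
    report = audit(MESSAGE_IPS, ERROR_IPS)
    for net, ips in sorted(report["networks"].items()):
        print(net, ips)
    print("error-log only:", report["error_only"])
    print("inside blocked range:", report["in_blocked"])
```

An address that shows up only in the error log and inside a blocked range is consistent with requests that were rejected before a post could be made, which matches the Susan_Spammer output where "IPs used in messages" is (None).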
