this post was submitted on 28 Apr 2025
155 points (98.7% liked)

Technology

69449 readers
3793 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
L4s@hackingne.ws
155
Turning the Tables: How to Make Spammers Reveal Their Own IP Address (codefoundry.de)
submitted 1 day ago by Kory@lemmy.ml to c/technology@lemmy.world
20 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] conorab@lemmy.conorab.com 21 points 1 day ago (1 children)

The idea of having them send an e-mail to an address containing their IP is clever, however you need to authenticate that the person who sent the e-mail is either somebody who queried your site, or somebody that got the address from somebody who queried your site or else you could just figure out how to generate that base64 yourself and impersonate somebody else’s IP address which could have catastrophic results if you then fed these IPs into something like a block list and suddenly you’ve blocked Microsoft/Office 365. To be fair, I doubt anybody is going to try and reverse engineer one person’s code to then figure out how to impersonate who sent spam, but if this became a widely distributed program you could just pull off Github then it would be more concerning.

A couple ways to solve this:

  1. Sign the information before encoding it in Base64 so you can verify it came from your site and wasn’t just spoofed. This has the upside of being stateless since you don’t need to keep a record of every e-mail you’ve generated but comes with the disadvantage of spending CPU time signing the text which could be exploited as a DDoS.
  2. Spit out a random e-mail address and record which e-mail address was given to each IP. Presumably you wouldn’t hold on to this list forever since IPs change owners frequently and so an IP that was malicious 1 month ago could be used by a completely different person now and so you can trim this list down once a month to avoid wasting disk space. You’d probably also want to keep some amount of these requests in memory (maybe 10Mb or so) to avoid ruining your IOPS.

All this said, I think your time is better spent with the using unique e-mail aliases as the author suggested but with 2 changes: 1) use aliases which are not guessable to prevent somebody from making it look like somebody else was hacked (e.g. me+googlecom@ gets compromised, but the spammer catches on and sends from me+microsoftcom@ instead to throw off the scent) and 2) don’t use me+chickenjockey@, use chickenjockey@ or else the spammer can just strip “+chickenjockey” from the address to get the real e-mail address.

[–] exasperation@lemm.ee 4 points 1 day ago (2 children)

Spit out a random e-mail address and record which e-mail address was given to each IP.

The author mentions it's a violation of GDPR to record visitors' IP addresses. I'm not sure that's correct, but even so, it could be possible to make a custom encoding of literally every ipv4 address through some kind of lookup table with 256 entries, and just string together 4 of those random words to represent the entire 32-bit address space, such that "correct horse battery staple" corresponds to 192.168.1.100 or whatever.

[–] conorab@lemmy.conorab.com 2 points 23 hours ago

Ah you’re right about the GDPR part in the article! My bad. Signing might be the best bet in that case since it avoids storage IF you were to try and implement this kind of system.

[–] obviouspornalt@lemmynsfw.com 2 points 23 hours ago

What you've described is often referred to as a rainbow table and is generally not considered to be GDPR compliant:

https://skymonitor.com/why-hash-dont-anonimize-an-ip-address-and-what-this-affects-gdpr/