From: "Geo" 

"Mike N."  wrote in message
news:r2n63255ff8fqq33f98et32l208ch6smb1{at}4ax.com...

>    There can be several cases of false 'green lighting'.  One is from a
> Corp user behind a Pix firewall.  They will always get a 'pass' signal
> because the local firewall prevents spoofing.  Another is that some NAT
> implementations always blindly convert the source address to a local
> address before sending to the WAN.   We'd need to test the 99% case
> (linksys) to see what works.

OIC, the packet would have a source address of x.x.x.x but the data part
would have 192.168.254.x so it would appear spoofed, and if the internal
subnet is real IP addresses but natted then there is no way to tell a false
positive. What if we create a spoofed packet and a not spoofed packet and
compare them (perhaps besides the real address the data in the packet
should also carry a unique key to identify the specific client as the same
between the two packets and for some security against the site being
spoofed)

>    The relatively easy case is ActiveX, but this would cover only Windows
> and IE.

I think that would cover at least 90% of the people browsing to the site so
plenty good enough for a start. What about the fact that W2K has raw
sockets but XP doesn't, does that present any problems?

Geo. (hasn't presented any problems for the bad guys but they rooted the machines)

--- BBBS/NT v4.01 Flag-5