From: "Geo." 

"waldo kitty"  wrote in message
news:Xns993B9E68C8414me42{at}216.144.1.254...

> localhost - - [02/May/2007:08:42:43 -0400] "GET /windowslinks.html
> HTTP/1.1"
> 200 12642 "-" "Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.1; SV1;
> .NET
> CLR 1.1.4322)"
>
> there is absolutely _no_ way for that to be... first of all, there's no
> browser on that box... second of all, it flat out cannot run MSIE... thrid
> of all, it definitely is _not_ running windows of any kind (it
> =can't=!)...
>
> now, how can the origin of spoofed IPs be tracked back?

It's unlikely that it's spoofed, the only way to spoof a TCP connection is
if you spoof as an address that is on the same physical wire you are on so
that you can reply to the response since TCP is not connectionless (you
must establish a 2 way connection).

I suppose you could spoof as a remote address if you are on the same
physical wire as the target as well. But that could be detected with a
sniffer by looking at the ethernet address and seeing if it's the routers
or one of the other machines on the wire.

Geo.

--- BBBS/NT v4.01 Flag-5