Print version (in a new window)

WebWarper / Frequently Asked Questions (F.A.Q.) / Web-publishers' questions

Does WebWarper prevent from anonymous postings on my site? How to determine IP of a visitor which posts messages via WebWarper?

WebWarper does not block posting messages in forums, guest books, e-mail systems, etc. In case of posting messages via WebWarper, the original server "considers" that the sender's IP address (REMOTE_ADDR) is the IP of webwarper.net server, as in a case of using anonymizers.

However, unlike anonymizing services, WebWarper sends the original visitor's IP address to the server in x-forwarded-for HTTP request header. (It relates to posting messages only, i.e. to accessing the server by POST method. The original IP is not sent while usual viewing pages, i.e. while accessing the server by GET method.)

In other words, WebWarper behaves as a usual, non-anonymous proxy while posting messages. The server script, implementing a forum or a guest book, "sees" the proxy IP address (IP of the webwarper.net server in this case) instead of the visitor's IP address, but can get the original visitor's address from x-forwarded-for header.

Moreover, WebWarper adds a signature, containing the original IP, while posting messages. As a result, the visitor's IP address is published at a forum or a guest book in the open form. It makes WebWarper very inconvenient tool for spammers who want to publish any illegal messages. See the question ""When I post something to the forum, a text with my IP is added to my message. Is it possible to block this?" in this regard.

Web publishers, who need to determine visitor's IP correctly (for example, to ban it), should use the following algorithm:

IP= x-client-ip request header
if this header does not exists, then IP= x-forwarded-for request header
if one of these 2 headers exists, then:
    find the first comma in the IP string
    if the comma is found, then remove the end part of IP starting from this comma
        (IP can contain several proxies, separated by comma, used to access
        the site, and the original address is specified in the begin)
else (IP is not found yet)
    IP= remote sender's address (REMOTE_ADDR)

This algorithm looks in the following way in PHP language:

$clientIP= $_SERVER['HTTP_X_CLIENT_IP'];
if (!$clientIP) $clientIP= $_SERVER['HTTP_X_FORWARDED_FOR'];
if ($clientIP) {
    $clientIP= explode(",", $clientIP);
    $clientIP= $clientIP[0];
}
if (!$clientIP) $clientIP= $_SERVER['REMOTE_ADDR'];

In Perl language:

$clientIP= $ENV{'HTTP_X_CLIENT_IP'};
$clientIP= $ENV{'HTTP_X_FORWARDED_FOR'} unless $clientIP;
$clientIP=~s/^(\d+\.\d+\.\d+\.\d+).*/$1/gs;
$clientIP= $ENV{'REMOTE_ADDR'} unless $clientIP;

If the site uses this algorithm, then WebWarper service, and also usual (non-anonymous) proxy servers, do not block correct identification of visitors' IP.

Please keep in mind that a spammer can use one of anonymizers, different than WebWarper. See, for example:

• http://www.samair.ru/proxy/
• http://www.freeproxy.ru/en/

Even the algorithm listed above will not help to determing the visitor's IP in this case. There is no effective protection agains powerful anonymizers, such as SOCKS proxy.

To contents