IP address info.


RickJ
Apr 21, 2010, 10:09 AM
I see that all IP addresses have 4 numbers, separated by 3 dots.

I presume that at least the first 3 sets of numbers relate to a specific city and service provider. Am I right?

I'd like to narrow it down a bit further, to learn more about what the first TWO sets of numbers mean. I've googled the issue many ways and am not finding the info I need.

If an example will help, one that I'm wondering about begins with 173.234

I'm presuming that if I find hundreds of spammers at 173.234.123.xxx (and no legit people), then I can presume that anyone using an ip address beginning with 173.234.123 is a spammer?

So what about removing the 3rd set of numbers? Can I also presume that anyone whose IP address begins with 173.234 is a spammer?

Thanks!

KISS
Apr 21, 2010, 05:40 PM
I presume that at least the first 3 sets of numbers relate to a specific city and service provider. Am I right?

In IPv4 there are 4 numbers. In IPv6 there are 6. We've run out of addresses, so IPv6 is slowly starting to replace IPv4.

I believe that is called a Class C address. Very few organizations are assigned that space.

The individual numbers are called octets. They can range from 0-255. Actually 0 and 255 are reserved. The very first address and the last address in an assignment generally refer to the network and the last address is the broadcast address for that network. Meaning all the devices on that network respond.

By doing an nslookup on www.askmehelpdesk.com we find that the IP address is: 204.232.179.137

Some may have multiple interfaces such as Google and Yahoo.

You can use one of the whois tools and get this sort of response: Traceroute, Ping, Domain Name Server (DNS) Lookup, WHOIS network 204.232.179.137 (http://network-tools.com/default.asp?prog=network&host=204.232.179.137)

and you find out that the address is re-assigned, so it doesn't belong exclusively to AMHD.

There are specific whois servers that handle the root servers and are thus specific to a region.

One of those specific servers is ARIN: https://www.arin.net/

What complicates things is that certain addresses are private, such as those beginning with 10 and 168.192.x.x and one other set.

These addresses everyone has. The ISP assigns a public address to share. This is the only address that's visible on the internet.

Again what's troublesome is that the address has a lease time so the address you use at home may change weekly, daily or even yearly.

The port number for the address like 204.232.179.137:80 is the same as the URL http://204.232.179.137; the port number is generally the service type.

For shared IP addresses (e.g. NAT (Network Address Translation)) the home/business router can force an external port number to be any internal private IP address and port. So, 204.232.179.137 could be sent to 10.10.0.3:1000 on the internal network.

The JAVA language is able to determine a MAC address. Java Examples - How do I get MAC address of a host? (http://www.kodejava.org/examples/250.html) and the particular MAC address could be placed in a level 2 router as not being allowed to attach to a network.

MAC addresses are supposed to be unique, but there are some exceptions. You can clone MAC addresses. For instance I could change the MAC address of my PC or possibly my router. Cloning is necessary, for instance, if I had a cable modem and purchased another cable modem.

My new modem would not be able to re-connect unless I contacted my ISP or I assumed the MAC address of the original modem.

As long as each device on a network (hard to explain: 123.123.123.0 through, say, 123.123.123.7 is a network, for example) has a unique MAC address, they can communicate.

So, you can have IP addresses that vary with individual and time. That makes it tough.

MAC addresses could uniquely identify an individual or corporation, but basically it's a moving target. The MAC addresses are known by the routers at least for two ends and have to be UNIQUE in each network segment.

I just confused you, right?

InfoJunkie4Life
Apr 21, 2010, 11:17 PM
The only real IP addresses you can track down are the public static IP addresses. My computer's public IP changes every two days. I have a personal web site running from there, but I have to have an update client change it automatically for me. You may be tracking my IP to me, and then bam... it changes. Now some dude in Mozambique gets it.

I think the large corporations are assigned IPs by the FCC or something. Like Google for instance, they have a range of IPs they use for a number of purposes, open dns, web hosting, database hosting, and other purposes. At the same time TWC has ranges of IP addresses that are leased to clients (home users) and then rotated on a constant basis.

For research purposes:

http://www.iana.org/assignments/ipv4-address-space/

IP address - Wikipedia, the free encyclopedia (http://en.wikipedia.org/wiki/IP_address)

ScottGem
Apr 22, 2010, 04:11 AM
I think the large corporations are assigned ip's by the FCC or something.

IP addresses are assigned by ICANN to regional agencies. These regional agencies then sell ranges of IPs to ISPs, sometimes directly to large companies. The ISPs then assign IPs to users connecting to the net through their service.

There is no specific assignment of IPs by area other than the regional agencies.

The way an IP is tracked to an area is using routing tables. The world is covered by a network of routers (not your little home broadband routers) that are programmed with tables of where to send packets next. So when you send data from your PC it goes first to your ISP, from there it may be routed all over the world, until it reaches its destination. There is location information in these routers that can help pinpoint a general area. But that's not 100% accurate.

RickJ
Apr 22, 2010, 04:31 AM
Yes, I'm thoroughly confused now. Let me narrow things down a bit.

I get a lot (scores per month) of spam on another forum I admin (and no legit stuff) from ip addresses beginning with 173.234. After those first two octets there is a variety.

I'm ready to prohibit membership to the forum by anyone with an IP address beginning with 173.234... but I fear that there MAY be a legit person out there.

Do you think I'm safe to do so? How can I find out more about those first two octets of an IP address? Is it possible at all? Is it one of the "regional" ones?

ScottGem
Apr 22, 2010, 09:19 AM
The entire 173.234 block is registered like this:

Nobis Technology Group, LLC NETBLK-NOBIS-TECHNOLOGY-GROUP-08 (NET-173-234-0-0-1)
173.234.0.0 - 173.234.255.255
Ubiquity Server Solutions New York NETBLK-UBIQUITY-NEW-YORK-173-234-0-0 (NET-173-234-0-0-2)
173.234.0.0 - 173.234.3.255

This is from the Whois search at Arin.net. ARIN is one of the five Regional Internet Registry organizations I mentioned. So, apparently, NOBIS bought that range of numbers and assigned some of them to Ubiquity, which is a Nobis subsidiary company.

Nobis' website is:
Nobis Technology Group, L.L.C. (http://www.nobistech.net/)

They appear to be a legitimate hosting company. So it's possible one of their clients is doing the spamming. You might want to contact them and present your case. They may be able to pinpoint the offender.

NeedKarma
Apr 22, 2010, 09:22 AM
Traceroute one of the full addresses. Post the result here.

RickJ
Apr 22, 2010, 09:32 AM
Traceroute one of the full addresses. Post the result here.

Next time one comes in I'll do that. All I have now is those first two octets, plus a few other 3rd octets. I gave up long ago trying to document the 4th octet.

KISS
Apr 22, 2010, 09:43 AM
Have the website's software gather the MAC address of the user and prohibit based on that.

It's a little better except that connections could come from a local Library or something and the exact user isn't known because all users share a particular public IP address.

As part of a signup process you could require that memberships be created with a primary and secondary email address. The primary address must be sent from the registered domain.
e.g. [email protected]: when connected at home, that user would be connected to a node such as PPP232.verizon.net. Thus ISP and network are known together.

When someone uses say a [email protected] and the message comes from PPP232.verizon.net then the user isn't really authenticated, but if they had a primary email they would be.

"primary" is the wrong word. I have run into companies that will only allow email from the domain that it originates from.

raj2160
May 7, 2010, 04:48 PM
You will block legitimate addresses if you use the first 2 octets to block addresses, because you have to remember that, based just on the first 2 octets, you are blocking 65,533 hosts or computers (minus network and broadcast).

I would look at the frequency of the hosts and if it is the same hosts that always spam, then you can use your router or firewall to block those hosts using 255.255.255.255 as the subnet mask.

You don't need whois information to know blocking a Class B range would potentially block a lot of valid IP addresses; and most times when you look at whois information, the spam always comes from ISP ranges, because most spammers are not commercial entities with their own hosted range but ordinary users that have malware on their computers; hence the term botnets.
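An added example (not posted by anyone in the thread) that works through the two points above in Python's standard ipaddress module: the ARIN ranges ScottGem quoted converted to CIDR, and raj2160's contrast between blocking per host (255.255.255.255) and blocking the whole first-two-octet range. The spam source addresses and the "legit visitor" are constructed sample data, not from the thread.

```python
import ipaddress

# Netblocks exactly as listed in the ARIN whois output quoted in the thread.
NOBIS_RANGE = ("173.234.0.0", "173.234.255.255")
UBIQUITY_RANGE = ("173.234.0.0", "173.234.3.255")

# Constructed sample data (not from the thread): addresses a forum admin might
# have logged from spam sign-ups, plus one ordinary visitor in the same block.
SPAM_SOURCES = ["173.234.17.8", "173.234.17.9", "173.234.200.1"]
LEGIT_VISITOR = "173.234.3.10"   # falls inside the Ubiquity sub-allocation


def range_to_cidrs(first, last):
    """Collapse a whois-style inclusive range into the CIDR networks it spans."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(n) for n in nets]


def mask_to_prefix(mask):
    """Dotted subnet mask to prefix length, e.g. 255.255.255.255 -> 32."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen


def build_blocklist(sources, mask):
    """Turn observed source addresses into blocked networks of the given mask width.

    With 255.255.255.255 every entry is a single host; with 255.255.0.0 all
    173.234.x.x sources collapse into the one /16.
    """
    prefix = mask_to_prefix(mask)
    nets = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in sources}
    return sorted(nets)


def is_blocked(ip, blocklist):
    """Would this address be refused by the given blocklist?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocklist)


def collateral(sources, blocklist):
    """Addresses the blocklist covers that were never seen sending spam."""
    covered = sum(net.num_addresses for net in blocklist)
    return covered - len(set(sources))


if __name__ == "__main__":
    print(range_to_cidrs(*NOBIS_RANGE), range_to_cidrs(*UBIQUITY_RANGE))
    for mask in ("255.255.255.255", "255.255.0.0"):
        bl = build_blocklist(SPAM_SOURCES, mask)
        print(mask, [str(n) for n in bl], is_blocked(LEGIT_VISITOR, bl), collateral(SPAM_SOURCES, bl))
```

Running it shows the /16 rule catching the constructed legitimate visitor along with 65,533 never-seen addresses, while the host-mask rule blocks only the three observed sources.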