Mollom

The content author's IP address (not the hostname) needs to be included with many of Mollom's API calls. This parameter is optional, but it can drastically improve Mollom's results. When someone moderates or edits a piece of content, the client should send Mollom the original poster's IP address, not the moderator's. If the original author's IP address isn't known, the author IP address should be left unspecified.

Sending Mollom the right IP address is key, and often non-trivial. Care needs to be taken to do it right. In most situations, the visitor's IP is available in the REMOTE_ADDR HTTP variable. However, when running behind a reverse proxy (such as Squid), the REMOTE_ADDR HTTP variable will contain the reverse proxy's IP address and the visitor's IP address will be in the HTTP_X_FORWARDED_FOR HTTP header instead. It is important to send the visitor's IP address and not that of the reverse proxy. Similarly, when running on a cluster setup, you might have to use the HTTP_X_CLUSTER_CLIENT_IP HTTP header to get the right IP address.

Note that both HTTP_X_FORWARDED_FOR and HTTP_X_CLUSTER_CLIENT_IP can be spoofed by spammers; you should not send these headers unless they are guaranteed to come from a reverse proxy. To see example PHP code, please consult the ip address() function in includes/bootstrap.inc of Drupal 6 and beyond. You'll see that Drupal does not use the HTTP_X_FORWARDED_FOR or HTTP_X_CLUSTER_CLIENT_IP HTTP headers unless a Drupal site administrator has explictly enabled Drupal's reverse proxy configuration setting. We believe that an explicit conguration setting is the best way to prevent spoofing attacks.