Coders, just wanted to give you a heads up about this... As many of you know, 80-90% of public proxies add a parameter called "X-Forwarded-For: [IP_Address]" where [IP_Address] is your real IP address. Most major websites check for the presence of this extra header. If they determine that the header is present, usually they will add an extra captcha, or pull some other weird trick. Recently I noticed a certain website (that will remain nameless) that checks for the presence of the X-Forwarded-For header. It appears that it goes a step further and determines if the header contains a local IP address (like 10.X.X.X, 192.168.X.X, etc..) and if it does not contain a local IP address, then it counts the action against the IP address present in the header, and not against the IP address that actually sent the request. So for example, if I sent this: Code: POST /submit.php (Other Headers) X-Forwarded-For: 192.168.5.32 The website will detect that the X-Forwarded-For supplied IP address is a local address, and will count the allowed number of actions against the actual IP address. BUT What if I send this packet? Code: POST /submit.php (Other Headers) X-Forwarded-For: 126.96.36.199 The website will detect that the X-Forwarded-For supplied IP address is a real address, and will try to be slick, and count the allowed number of actions against the supplied IP. The trick, obviously, is to send that header, but to use a fake IP address. That way, you don't need any proxies, and you essentially have an unlimited amount of requests. Cool, huh? Some tips: Make sure this works. Extensive testing is required to verify that the website is accepting the spoofed IP address. Some websites will actually block you immediately if it detects the X-Forwarded-For header Be careful with this. If the administrator discovers what you've done, they probably won't play nice. Consider doing this on a VPS/VPN or a SOCKS proxy that won't create the header. Good luck, coders!