Proofpoint: Internal IP Address in Campaign Details

Carlos Rios
Carlos Rios
  • Updated

Question

Why are internal IP addresses shown in the Phishing reports?

Answer

We log the IP address of the user that clicked on the phishing campaign. This allows the Phishing Administrator to identify the network the user was connected to when the phishing attack was successful. Phishing usually shows the externally routable IP of the user and the reverse DNS name (via mouse-over).  However, if the user's web proxy is configured to disclose the X-Forwarded-For IP address in the HTTP request, we will display the internal IP (NAT'd IP) of the device that clicked the link. In this case, the Phishing Administrator should re-configure their internal proxy server to mask the internal IP address.

Note: In some cases the geographic map may display clicks from internal IP addresses in the center of the default map view (Texas).