Thanks to SC: [SC's IP address replaced by xxx.xxx.xxx.xxx]

-----

I've tuned in late to the riaa/safeweb thing, but I'm chiming in with my bit. Tracing from safeweb is an interesting exercise; the geography is very typical of the internet backbone and the router hops packets take.

I wrote a script to mail all possible headers from a connecting browser to myself. I installed it on my server http://xxx.xxx.xxx.xxx:8140, and then connected from Safeweb. This anonymizer uses a caching proxy server, listening for connections on several IPs; it preserves client headers while obviously changing the IP of the originating connection; it preserves many of the originating headers; it adds some new headers.

Here's the output:

GATEWAY_INTERFACE..........CGI/1.1
REMOTE_ADDR..........64.124.150.136
DATE_LOCAL..........Saturday, 13-Oct-2001 01:22:45 EDT
REQUEST_METHOD..........GET
QUERY_STRING..........
DOCUMENT_URI........../index.html
HTTP_ACCEPT..........image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*
REMOTE_PORT..........2513
SERVER_ADDR..........142.204.119.75
HTTP_ACCEPT_LANGUAGE..........en-us
HTTP_CACHE_CONTROL..........max-age=259200
REDIRECT_STATUS..........200
HTTP_ACCEPT_ENCODING..........gzip
SERVER_NAME..........xxx.xxx.xxx.xxx
HTTP_X_FORWARDED_FOR..........127.0.0.1
SERVER_PORT..........8140
DOCUMENT_NAME..........index.html
HTTP_IF_MODIFIED_SINCE..........Sat, 13 Oct 2001 05:15:44 GMT; length=853
REDIRECT_URL........../
DATE_GMT..........Saturday, 13-Oct-2001 05:22:45 GMT
SERVER_PROTOCOL..........INCLUDED
HTTP_REFERER..........http://xxx.xxx.xxx.xxx
HTTP_USER_AGENT..........Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP_CONNECTION..........keep-alive
REQUEST_URI........../
HTTP_HOST..........xxx.xxx.xxx.xxx:8140
HTTP_VIA..........1.0 anongo.com:3128 (Squid/2.3.STABLE3)

The last one in the list is the flavour of proxy they use: Squid/2.3.stable3

And the DNS name of the source box for the HTTP request is anongo.com, which I don't believe showed up in your trace logs. Basically a caching proxy server's header set.

The authoritative name servers for anongo.com are ns3.above.net

www.anongo.com redirects to Safeweb.

The boxes are standard unix/apache with ssl. They have written scripts to replace the originating address header and keep track of the connection, receive requested files to their cache, and then serve from that cache to your browser. The machines would absolutely be configured to do sophisticated logging; there is no free lunch on the net. While they appear to do a nice job, their server logs would be a goldmine.

Everyone who uses a commercial web browser agrees to have their information gathered the first time they use that browser - do you want to continue? When you say yes, you mean it!

-----
participants (1)
-
John Young
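
An added example, not part of the original post and not SC's script: a Python sketch that parses a dump in the NAME..........value layout quoted in the message and summarises the proxy indicators the post points out (the Via header, X-Forwarded-For, and client headers relayed unchanged). The function names and the one-variable-per-line sample are assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed sample: a few variables from the dump quoted in the post, one per
# line, in its NAME..........value layout (ten dots as the separator).
SAMPLE_DUMP = """\
REMOTE_ADDR..........64.124.150.136
QUERY_STRING..........
HTTP_X_FORWARDED_FOR..........127.0.0.1
HTTP_USER_AGENT..........Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP_VIA..........1.0 anongo.com:3128 (Squid/2.3.STABLE3)
"""
LINE_RE = re.compile(r"^([A-Z][A-Z0-9_]*)\.{10}(.*)$")
# One Via hop: [protocol-name/]version received-by [(comment)]
VIA_RE = re.compile(r"^(?:([A-Za-z][\w-]*)/)?(\S+)\s+(\S+)(?:\s+\((.*)\))?$")
# Headers the browser sends itself; if present, the proxy relayed them unchanged.
CLIENT_HEADERS = ("HTTP_USER_AGENT", "HTTP_ACCEPT", "HTTP_ACCEPT_LANGUAGE",
                  "HTTP_ACCEPT_ENCODING", "HTTP_REFERER")

def parse_dump(text):
    """Turn the dotted dump into a dict of CGI variable -> value."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return {m.group(1): m.group(2).strip() for m in matches if m}

def parse_via(value):
    """Split a Via header into one dict per proxy hop."""
    hops = []
    for part in value.split(","):
        m = VIA_RE.match(part.strip())
        if m:
            hops.append({"protocol": m.group(1) or "HTTP", "version": m.group(2),
                         "received_by": m.group(3), "comment": m.group(4)})
    return hops

def masked(addr):
    """True when an X-Forwarded-For entry is non-routable or not an IP at all."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # e.g. the literal token "unknown"
    return ip.is_loopback or ip.is_private

def proxy_indicators(env):
    """Summarise what a request's CGI environment reveals about a proxy."""
    via = parse_via(env.get("HTTP_VIA", ""))
    xff = [a.strip() for a in env.get("HTTP_X_FORWARDED_FOR", "").split(",") if a.strip()]
    return {"proxied": bool(via or xff), "via": via,
            "masked_forwarded_for": [a for a in xff if masked(a)],
            "client_headers_passed": sorted(h for h in CLIENT_HEADERS if env.get(h))}
```
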