An interesting take on how they pulled it off in 2008 and may be doing it now:
BLUE STATE DIGITAL: Is it the linchpin of the Obama campaign's foreign donor scandal?
Monday, October 08, 2012
On 30 October 2008, I wrote about a bizarre idiosyncrasy I discovered in the Obama fundraising website, which was designed by a company named Blue State Digital.
Ace of Spades reminded me of this outfit today when it noted a strange cleanup performed by the Obama campaign.
Will the innovations never cease? Yesterday I described several, eh, unique capabilities pioneered by the Obama campaign in the area of campaign contributions.
Among them, failure to do even basic credit-card validation; accepting untraceable prepaid credit cards... [etc.]
Anyhow, an anonymous tipster mentioned that checking out the source code of the Obama donation website... would reveal some interesting logic. Specifically that IP addresses of the donors can be easily spoofed through a hidden field in the form. The tipster's guess was (and I concur) that the Obama campaign is recording the spoofable IP address... not the real IP address as delivered by the web server.
It's web security 101, folks. Because IP addresses map back to the original source network (your ISP, your company, etc.), the web server's log file records the actual source IP address of the request. They certainly don't record anything that the requester provides as the genuine address.
Put simply, there's no reason to include a hidden form field for IP address. It is there for one reason alone: IP forgery -- forging the computer addresses of donations to disguise their true sources.
The net result is that IP addresses recorded in this manner can't truly be resolved to a real location. Genius!
Just chalk it up to yet another startling innovation from the minds of the most creative geniuses on Earth. When it comes to accepting money from all comers, that is.
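The logging point in the quoted post, as an added example that is not code from the donation site or from the post: the record keeps the address the server observed for the connection and treats a form-supplied address only as a claim to compare against it. It goes one step beyond the post by handling a reverse proxy; the field name `ip_addr`, the proxy address and the sample requests are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import parse_qs

# Assumption: reverse proxies we operate; only these may supply X-Forwarded-For.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}
FORM_IP_FIELD = "ip_addr"  # hypothetical hidden-field name, not taken from the page


def naive_source_ip(environ, body):
    """Pattern described in the post: record whatever the form claims."""
    return parse_qs(body).get(FORM_IP_FIELD, [""])[0]


def server_source_ip(environ):
    """Address the server itself observed for this connection."""
    peer = ipaddress.ip_address(environ["REMOTE_ADDR"])
    if peer in TRUSTED_PROXIES:
        # The last X-Forwarded-For entry is the one our own proxy appended.
        raw = environ.get("HTTP_X_FORWARDED_FOR", "")
        hops = [h.strip() for h in raw.split(",") if h.strip()]
        if hops:
            try:
                return ipaddress.ip_address(hops[-1])
            except ValueError:
                pass  # malformed header: fall back to the proxy address
    return peer


def audit_record(environ, body):
    """Log record: server-observed IP is authoritative, form value is a claim."""
    observed = server_source_ip(environ)
    claimed = naive_source_ip(environ, body)
    try:
        mismatch = ipaddress.ip_address(claimed) != observed
    except ValueError:
        mismatch = bool(claimed)  # non-empty but not an IP address
    return {"source_ip": str(observed), "claimed_ip": claimed, "mismatch": mismatch}


# Constructed sample requests (documentation address ranges).
DIRECT = {"REMOTE_ADDR": "203.0.113.77"}
VIA_PROXY = {"REMOTE_ADDR": "10.0.0.5",
             "HTTP_X_FORWARDED_FOR": "192.0.2.1, 198.51.100.23"}
BODY = "amount=25&ip_addr=192.0.2.1"

if __name__ == "__main__":
    for env in (DIRECT, VIA_PROXY):
        print(naive_source_ip(env, BODY), audit_record(env, BODY))
```

A `mismatch` of true is worth retaining in the audit trail, since it shows the submitted value disagreed with what the server saw.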