This question has been bugging me for some time. I always picture launching my site, and some dirtbag coming on and uploading porno or spamming profanity. So I decide I don't want him using my site, I ban his account and ban his IP in my cPanel, but what if he is using a proxy and just keeps making new accounts to harass me? What can I possibly do to prevent this horrible outcome?

+2  A: 

Well, if it's not problematic for normal users, you could block IPs/IP ranges which are known proxies. However, if any of your regular customers are behind one of those proxies, this won't work.

In general, however, unless you require registration with some form of hard-to-duplicate linked information (such as a validated phone number, credit card number, et cetera), it's going to be hard to prevent proxying from a determined user.

Amber
So basically I cannot really ban anyone, lol? I am just worried about someone who is proxying who abuses my site. I would have to just keep banning IPs, then sometimes ban regular users? How do large sites deal with this?
Scarface
Remember that when banning IPs, you are banning all the users behind that IP address. For example, companies often have just one external IP which all employees share. Secondly, it's only a minority of us that have static IP addresses. The malicious user's IP will change sooner or later. If you start banning IP addresses, you'll just end up with lots of angry, innocent users.
Kim L
Another really good point. So once again, the only way I can handle this is by deleting the user account and banning their username, and taking a real email?
Scarface
I noticed YouTube didn't even take email, and they allow video uploads, which is huge.
Scarface
Most truly large sites just go with the concept that it takes far less time for one of their moderators to deal with a problematic account than it does for a user to create another account and be problematic on it. Thus, in the long run, the site wins the efficiency war. This can break down if an organized group attempts to be problematic, but that's pretty much a no-win scenario.
Amber
Thanks for the comment, Dav.
Scarface
+1  A: 

You can't really. You could set a cookie which defines him as a malicious user, but it's trivial to remove such cookies.

The question is, what does it require for one to upload files on your site? Make people register, have them enter a valid email address. Send a verification to the email address before activating the account. If someone behaves inappropriately, then ban his email address. This way the person always needs a new working email address for registering.

Kim L
Unfortunately, creating new e-mail addresses is even easier than finding a proxy. You'd need to limit registration to domains for which it's reasonably difficult to get new addresses (ISP addresses, work addresses, etc.), but I doubt there's a list available.
Matti Virkkunen
Yeah, good point. I wanted it to be really easy to sign up, like this site, to entice users to use it, but I suppose by allowing uploads I really should implement that technique. Thanks Kim. @Matti, you are probably right, but it is somewhat of a deterrent.
Scarface
I'm sorry, but if it's a person who's determined to deface your site, having to come up with new e-mail addresses is not a deterrent.
Matti Virkkunen
Well then I don't know, lol. This seems like a problem that cannot really be solved in a decent manner. What do you suggest, just deleting accounts over and over?
Scarface
I don't have any better suggestions than what Dav already listed. You'll need something that's difficult to get (phone number, credit card number, etc.), but unfortunately people are usually reluctant about giving out that kind of information.
Matti Virkkunen
A: 

It sometimes helps to look at other applications that might have the same problem and see how they fixed it. Those other applications might be:

  • Forum web sites
  • Email applications
  • Blogs
  • StackOverflow

... and now you'd notice a pattern: the stuff you want to avoid has a name, "Spam", and the people doing it are called "Spammers". How are those people handled on the sites that are exposed to such problems? I kind of like StackOverflow's bag of tricks.

Cosmin Prund
+1  A: 

Hi,

Just rephrasing what "Cosmin Prund" said. Put up an option in your site where a user can mark any content as inappropriate, and for accountability, put up some easy way of specifying the reason why the content is inappropriate (a simple drop-down box with various options will do). Now, if your users really like your site, they would mark all the porno and spam content. All you need to do is simply delete the marked content after a quick review. You can also make a policy wherein, if the content posted by a user has been marked as inappropriate in, say, 100 different instances, you block that account. Keep the unblocking part at your discretion.

It's just like the "Spam" button provided by email service providers to identify spam messages.

Hope this helps :)

vamyip
Thanks vamyip, some nice feedback.
Scarface
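The flag-and-review policy from vamyip's answer, as an added example that is not part of the original thread. The class name, the reason list and the reading of "instances" as individual flags from distinct reporters are assumptions made for illustration; it counts one flag per reporter per item and ignores self-flags so a single account cannot inflate the total.

```javascript
// Hypothetical reason list for the drop-down described in the answer.
const REASONS = new Set(["spam", "pornography", "profanity", "other"]);

class FlagTracker {
  constructor(blockAt = 100) {
    this.blockAt = blockAt;      // flags against one author before blocking
    this.authorOf = new Map();   // contentId -> authorId
    this.flags = new Map();      // contentId -> Map(reporterId -> reason)
    this.blocked = new Set();    // authors blocked until manually unblocked
  }
  publish(contentId, authorId) {
    this.authorOf.set(contentId, authorId);
    this.flags.set(contentId, new Map());
  }
  // Returns true only when the flag was counted.
  flag(contentId, reporterId, reason) {
    const author = this.authorOf.get(contentId);
    if (author === undefined || !REASONS.has(reason)) return false;
    if (reporterId === author) return false;          // no self-flags
    const perItem = this.flags.get(contentId);
    if (perItem.has(reporterId)) return false;        // one flag per reporter per item
    perItem.set(reporterId, reason);
    if (this.flagCount(author) >= this.blockAt) this.blocked.add(author);
    return true;
  }
  flagCount(authorId) {
    let n = 0;
    for (const [cid, m] of this.flags) if (this.authorOf.get(cid) === authorId) n += m.size;
    return n;
  }
  // Moderator queue for the "quick review": most-flagged items first.
  reviewQueue() {
    return [...this.flags].filter(([, m]) => m.size > 0)
      .sort((a, b) => b[1].size - a[1].size)
      .map(([contentId, m]) => ({ contentId, count: m.size, reasons: [...new Set(m.values())] }));
  }
  unblock(authorId) { this.blocked.delete(authorId); } // at the site owner's discretion
}

// Constructed sample data; threshold lowered to 3 to keep the run short.
const demo = new FlagTracker(3);
demo.publish("post-1", "mallory");
demo.flag("post-1", "bob", "spam");
demo.flag("post-1", "bob", "spam");   // duplicate, not counted
demo.flag("post-1", "carol", "pornography");
console.log(demo.reviewQueue(), [...demo.blocked]);
```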
+1  A: 

If this is really a big problem for you, you could do some sort of UUID-based security with the help of the User Agent and other client-sent variables.

I have seen a recent POC (can't remember the address), saying that with JavaScript browser detection and PHP user-sent variables, you can create a UUID to identify your users.

EDIT: Found it, the script is called Panopticlick. It does a fingerprint identification of the user based on plugins available, fonts available, user agent, time zone, and screen size. In their words:

Your browser fingerprint appears to be unique among the 777,809 tested so far.

Currently, we estimate that your browser has a fingerprint that conveys at least 19.57 bits of identifying information.

Of course this is not totally secure, as the user can easily spoof this information, but you can use it to create a gray list, so that if a user matches the UUID of your banned IP, you present him with a login screen, or a captcha, or any sort of added security you need.

rnaud
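The gray-list idea from rnaud's answer, as an added example that is not part of the original thread and is not Panopticlick's code. The field names, the `GrayList` class and the sample visitors are assumptions; a match only triggers extra friction (a captcha or login), never a hard deny, because every input is client-reported and unrelated visitors can share a fingerprint.

```javascript
const crypto = require("crypto");

// Attributes named in the answer. All are reported by the client, so all are spoofable.
const FIELDS = ["userAgent", "timeZone", "screen", "fonts", "plugins"];

// Canonicalise before hashing so list order and letter case do not change the result.
function fingerprint(attrs) {
  const norm = (x) => String(x ?? "").trim().toLowerCase();
  const canon = FIELDS.map((f) => {
    const v = attrs[f];
    return `${f}=${Array.isArray(v) ? v.map(norm).sort().join(",") : norm(v)}`;
  }).join("\n");
  return crypto.createHash("sha256").update(canon).digest("hex");
}

class GrayList {
  constructor() { this.banned = new Map(); } // fingerprint -> ban reason
  ban(attrs, reason) { this.banned.set(fingerprint(attrs), reason); }
  decide(attrs) {
    // A client that withholds fields gets the same friction as a match.
    const missing = FIELDS.filter((f) => attrs[f] === undefined || attrs[f] === "");
    if (missing.length) return { action: "challenge", why: "incomplete fingerprint" };
    const reason = this.banned.get(fingerprint(attrs));
    return reason
      ? { action: "challenge", why: `matches banned fingerprint (${reason})` }
      : { action: "allow", why: "no match" };
  }
}

// Constructed sample visitors, not real data.
const banned = {
  userAgent: "ExampleBrowser/1.0", timeZone: "UTC+2", screen: "1280x800x24",
  fonts: ["Arial", "Comic Sans MS"], plugins: ["Flash", "Java"],
};
const returning = { ...banned, plugins: ["Java", "Flash"] }; // same browser, new account
const other = { ...banned, screen: "1920x1080x24" };         // different machine

const list = new GrayList();
list.ban(banned, "spam uploads");
console.log(list.decide(returning), list.decide(other));
```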