On my website I would like to be able to ban some users for good,

  • I could filter IP addresses, but the user can use another IP address, or, more dangerous with some providers like AOL: you can have a user using a floating IP address, so banning an IP could lead to banning the wrong users.
  • I could filter email addresses, but obviously, one can open another very easily,
  • I could use a kind of JavaScript browser signature, but ... yes, the user can change the browser or its implied signature.
  • I cannot use credit card identification because my website is free.

So, I guess there is no definitive solution, but could you tell me what works pretty well for you?

A: 

You are asking for a reliable means of authentication. If you solved this with 100% accuracy you might win the Nobel Prize. Since you cannot use credit cards, I recommend going with email addresses.

(By the way, the correct term for "floating" IP addresses is dynamic IP address. The other kind of IP address is static IP address.)

Dynamic IP: IP address changes
Static IP: IP address stays the same

IP bans can get pretty long and, as you are already aware, you can start banning the wrong people over time. I recommend you go with an email ban with bot protection. This way, people can set up another account, but it's time-consuming and most people won't bother. Even the rare go-getters who created a second email and account would be far fewer in number than spammers, who most certainly will not use static IP addresses. I imagine the IP problem will only get worse as IPv6 gains in popularity, thereby creating far more public IP addresses available in the pool for spam bots to cycle through.

P.Brian.Mackey
If you're worried about dynamic IP users (which would be almost all residential users) you can set an expiration on IP bans, in terms of weeks/months, which is typical of cable. But realistically, what is the likelihood that your demographic would involve different people happening upon the same IP lease? It's something to consider, I suppose, if you're actually a large corporation, or if your website targets a local audience.
andyortlieb
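
The combination suggested in the answer and comment above (a permanent email ban plus IP bans that expire), as an added example that is not part of the original posts. The `BanList` class, the 30-day lifetime and the choice to ban a whole IPv6 /64 rather than a single address are assumptions made for illustration.

```python
import ipaddress
import time

IP_BAN_TTL = 30 * 24 * 3600  # assumed lifetime: 30 days ("weeks/months")


class BanList:
    """Permanent email bans plus IP bans that lapse after ip_ttl seconds."""

    def __init__(self, ip_ttl=IP_BAN_TTL, clock=time.time):
        self.ip_ttl = ip_ttl
        self.clock = clock      # injectable so expiry can be tested
        self.emails = set()     # normalized addresses, never expire
        self.networks = {}      # ip_network -> expiry timestamp

    @staticmethod
    def _email_key(email):
        # Case and surrounding whitespace must not defeat the ban.
        return email.strip().lower()

    @staticmethod
    def _network(ip):
        addr = ipaddress.ip_address(ip)
        # Assumption: one IPv4 address, but a whole /64 for IPv6, because a
        # single subscriber usually controls every address in that prefix.
        prefix = 32 if addr.version == 4 else 64
        return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

    def ban(self, email, ip):
        self.emails.add(self._email_key(email))
        self.networks[self._network(ip)] = self.clock() + self.ip_ttl

    def is_banned(self, email, ip):
        if self._email_key(email) in self.emails:
            return True
        net = self._network(ip)
        expiry = self.networks.get(net)
        if expiry is None:
            return False
        if self.clock() >= expiry:
            # The lease has probably moved to someone else: drop the ban.
            del self.networks[net]
            return False
        return True
```

Call `is_banned` at both sign-up and login, so a new account created from a recently banned address is caught while the IP ban is still live.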
A: 

I'm posting this answer for completeness.

There is a solution that is used by industries to prevent fraud which involves creating a fingerprint for a computer using third-party Flash cookies and ActiveX controls. I recently had to integrate a solution onto a client website. Iovation was the provider we used.

I didn't believe it would work (especially if I turned off JavaScript etc.), but it actually does provide a very effective way of identifying individual computers. These computers are then linked to 'bad' accounts (via this third party). It's a pretty powerful tool once the network is built up. It's used by the online gaming industry a lot.

Some people feel this type of product is sneaky and doesn't respect the user's privacy. Perhaps, but that's a whole other discussion.

By the way, it's a subscription-based product, and expensive, I believe.

Ciaran Archer
Neat product; of course, a user could simply swap computers. One can potentially get their friends/family banned too. This seems very similar to the way Microsoft bans hacked Xboxes.
P.Brian.Mackey
Yep. Well, the system allows 'exceptions', which sorts out the family/friend thing. You can also link more than one machine to an account. It's pretty powerful.
Ciaran Archer