I employ email validation to grant people full use of the site. The trouble is, sometimes these emails get spam-boxed, or never arrive, so I get many people complaining that they cannot confirm their account.

Was wondering if there are other (creative) ways to offer a secondary validation option to users who didn't get the validation. It's a free site, so I don't want to ask for credit cards, or mobile #s.

The purpose of this is to make abuse of the site less rampant, since we ban a lot of people, and they come back with dozens of accounts to prove something. Spam/robot registrations are not an issue (right now).

A: 

Basically what you're looking to do is separate the humans from the robots. There are two primary ways to do this:

1) Require users signing up to check boxes and type a word spelled out in an image captcha. These are usually very difficult tasks for a computer to complete.

2) Allow users to sign-up using their account from a different site such as OpenID or Google assuming that anyone who has one of these accounts is a real person.

I recommend combining both methodologies.

Good luck!

Rob S.
No, that's not what I'm doing. I'm separating users from random pissed off idiots who got banned from the site, and now will register 20 accounts, to spam with profanity etc. I added email confirmation so they actually have to create new email accounts, but I don't wanna alienate legit users who might not get the confirmation email.
Yegor
A: 

There are unlimited ways of doing this.

  1. You mention mobiles and free, but if you have access to an SMS-gateway, you can receive SMS-messages for free (but might need to pay some sort of monthly subscription though). But show a dynamically generated code to the current user. Store this code in "his session" and do an ajax check every 15-30 sec to see if the SMS-code was received by the gateway. If so, accept the account and let them register. This would require the gateway + your users to have a personal mobile. Enough about mobiles...

  2. Make a question or more that is randomly generated. Use pictures/tokens instead of text so that the user has to press the correct image in the correct order to perform some sort of answer.

    Could be like a jackpot-machine with 3 cells where the images are randomly placed and generated inside dynamically named files, so that robots can't analyse the names to guess the right answer.

  3. You mention e-mails to be easy to spoof. Yes indeed, but what if the emails would come, let's say, each week containing some sort of "important info" that the user would need to read/use on the website to continue. Once the account hasn't been used for a certain time (let's say 3 months, kill it)... and you could also say to have a "free account" you must accept that we send you 1 mail per month that you need to activate within 1 week. If you don't, we are free to close/delete your account details.

... and many more

I don't know what you want to "protect", but if it's for gaming, then don't let the gamers have "extra levels/weapons" until they have provided a certain amount of these codes OR paid for access OR validated by phone or something.

Those are my first 3 ideas, I think the possibilities are unlimited. The main issue here is, make it too hard to validate yourself and the users go away unless your site is REALLY worth it.

You might think of the much used "Free forever (but limited)" approach way of selling stuff these days on the net. The users can make as many accounts as they want, but the license is still only "single/small/basic". Once you get more experienced, you get more features or you might just upgrade by paying... at this time you know WHO is real and WHO isn't.

My point is, don't overprotect. Just design with the mindset that spammers will always find a way in, no matter how well you protect it. Those giving up first are your real users/customers.

I would rather spend time on making this product/website/game so great that EVERYONE wants to pay for an account after a while.

Lastly from real life... there are COMPANIES in China with kids employed to play World of Warcraft with one purpose. Harvest virtual gold and sell it on eBay to other western players who pay with real dollars. It's not allowed according to the game license and their accounts/game licenses are constantly getting banned. But it gives them so much income that they have calculated with this and they just buy new licenses and continue.

So if EVEN Blizzard (WoW creators) doesn't have enough power/money to keep fakes out of the game, how do you expect to do much better? :o)

Useful answer?

BerggreenDK
Btw, if it's for a free online game, where accounts will make you a larger army or something... try rethinking the process or game structure. Something people might have to do for a while before they can get "outside" in the battle, a certain level they must acquire to be able to battle others or give away start-up bonus or whatever the reason might be for your trouble.
BerggreenDK
No, it's not a game. It's a social site based around a subject. People get banned for being too profane, or breaking the rules. They come back with the sole purpose to cause havoc and swear at people who banned them.
Yegor
What if you let yourself be inspired by the "rules" from this forum then?
BerggreenDK
E.g. no points = no way you can edit other people etc. What I think here is something about, when your account is less than... let's say 14 days, every new post will need admin attention (if from banned IPs, which you don't tell the user)
BerggreenDK
My idea is like this: let the user post as usual and show them the "normal page output" in their browser, but filter it from everyone else's screen. Then mark this message and let it go through an admin phase. If the contents are "ok" then make a simple Admin tool to validate and show the user's comments. This way the angry person gets their frustration out and they might not try so hard to get back. And all the other users will not see the jerk's response. Still, you'll have some admin work, but the angry ones might try less hard with more new accounts.
BerggreenDK
+2  A: 

What we started doing recently was letting members send us an email to a special email address. We give them a hash code, and all they have to do is put that code somewhere in the subject or the body of the email, and send it to us. We have a cron job running in the background that gets those emails, parses the subject/body looking for the hash, and if found activates the account.

It doesn't work 100%, because some ISPs also block their users from sending us emails, but no solution would work 100%.

mellowsoon
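A sketch of the inbound-email activation described in this answer, added here as an illustration and not taken from the answerer's site. It assumes the code is a random 32-hex-digit single-use token kept server-side; the names `issue_code`, `process_mailbox` and the sample messages are constructed for the example.

```python
import email
import re
import secrets
from email import policy

CODE_RE = re.compile(r"\b[0-9a-f]{32}\b")
pending = {}  # code -> user id awaiting activation (stand-in for a DB table)

def issue_code(user_id):
    """Create the single-use code shown to the user on the site."""
    code = secrets.token_hex(16)
    pending[code] = user_id
    return code

def codes_in_message(raw):
    """Return every candidate code found in the subject or body."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text = str(msg.get("Subject", ""))
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None:
        text += "\n" + body.get_content()  # decodes base64 / quoted-printable
    return set(CODE_RE.findall(text.lower()))  # mail clients may upper-case

def process_mailbox(raw_messages):
    """What the cron job does per run: activate accounts whose code arrived."""
    activated = []
    for raw in raw_messages:
        for code in codes_in_message(raw):
            user_id = pending.pop(code, None)  # pop makes the code single-use
            if user_id is not None:
                activated.append(user_id)
    return activated

def make_mail(subject, body):
    # Constructed sample message. The From header is never trusted:
    # possession of the code is the only thing that activates an account.
    return (f"From: someone@example.com\r\nSubject: {subject}\r\n"
            f"Content-Type: text/plain; charset=utf-8\r\n\r\n{body}\r\n").encode()

if __name__ == "__main__":
    a, b = issue_code(101), issue_code(102)
    inbox = [make_mail("activate " + a.upper(), "hi"),
             make_mail("hello", "> quoted reply\nmy code is " + b),
             make_mail("guess", "0" * 32),   # unknown code is ignored
             make_mail("replay", a)]         # already used, ignored
    print(process_mailbox(inbox))
```

Because the code is consumed on first use and looked up only among pending accounts, a forwarded or replayed message cannot activate a second account.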
+1  A: 

Based on your comment in Rob S.' answer, it sounds more like you want to identify situations where the same browser is creating multiple accounts rather than confirm that what's at the other end is human.

Dropping a cookie in the user's browser can be very helpful in finding the repeat offenders, especially those not savvy enough to clear their cookies or visit while in private mode. Some forum software like vBulletin does this and can notify the administrators when it happens.

Another alternative might be browser fingerprinting, which is where you use a bunch of the information provided in the HTTP exchange. An example of this is the EFF's Panopticlick.

Blrfl
I like the alternative method. Could just md5 the string... and compare people based on it. Should give a fairly accurate representation of whether it's the same person or not. I already have cookie IDing, and it doesn't work for most abusers. Neither does IP banning, since they use proxies.
Yegor
A: 

Just got a "fun" new way to annoy your banned people a bit.

Once you ban them (I guess you close the account and ban the IP), then log their browser agent string with their IP and screen resolution.

If there is a match when showing the website to them, just remove the registration link/page. Don't even show the link to the page, as it might piss them off. Don't explain why it's gone. Just keep it gone, e.g. for 3 weeks or 2 months.

That way they don't have a cookie on the browser to remove, they can't find the registration so they can't know WHY they can't make a new account.

Secondly, if on a school or something (don't know how old they are), the other existing users will still be able to log in to their accounts as it's ONLY registration that has been removed. Not login.

How about that? Is that clever enough?

BerggreenDK
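An added sketch (not code from any poster) combining Blrfl's header-based fingerprint with the timed hiding of the registration link proposed in this last answer. It assumes four request headers plus a client-reported screen size as inputs, leaves the IP out because the asker reports proxy use, and hashes with SHA-256 instead of the md5 mentioned in the comment; all names and sample requests are constructed.

```python
import hashlib
import time

FIELDS = ("user-agent", "accept", "accept-language", "accept-encoding")
BAN_SECONDS = 21 * 24 * 3600  # "3 weeks", one of the durations suggested above
banned = {}                   # fingerprint -> expiry time (stand-in for a DB table)

def fingerprint(headers, screen=""):
    """Hash the chosen request headers plus the client-reported screen size."""
    # Header names are case-insensitive; collapse whitespace so trivial
    # formatting differences do not change the hash.
    norm = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    parts = [norm.get(f, "") for f in FIELDS] + [screen]
    return hashlib.sha256("\x1f".join(parts).encode()).hexdigest()

def ban(headers, screen="", now=None):
    """Record the fingerprint of a banned account's browser."""
    now = time.time() if now is None else now
    banned[fingerprint(headers, screen)] = now + BAN_SECONDS

def show_registration_link(headers, screen="", now=None):
    """False while a matching fingerprint is still inside its ban window."""
    now = time.time() if now is None else now
    expiry = banned.get(fingerprint(headers, screen))
    return expiry is None or now >= expiry

# Constructed sample requests (not real traffic).
BANNED_USER = {"User-Agent": "ExampleBrowser/1.0 (X11; Linux)",
               "Accept": "text/html", "Accept-Language": "en-US",
               "Accept-Encoding": "gzip, deflate"}
SAME_LAB_PC = dict(BANNED_USER)  # a classmate on an identically configured machine
OTHER_USER = dict(BANNED_USER, **{"Accept-Language": "da-DK"})

if __name__ == "__main__":
    ban(BANNED_USER, "1920x1080", now=0)
    for who in (BANNED_USER, SAME_LAB_PC, OTHER_USER):
        print(show_registration_link(who, "1920x1080", now=60))
```

`SAME_LAB_PC` gets the same result as the banned browser: identically configured machines share a fingerprint, so a match is a signal for review or a temporary restriction on registration, not proof of identity.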