Concrete Banning System

[matsko]

IP banning works however many people across the net share IP Address's. So if you wanted to ban someone off your site (in this case a free membership website) then what would be the best possible way to do so...?

is there anyway to determine more about the user other then just getting the IP adress and the browser information?

this may be stupid, but the only way to ban someone 100% would be to block the MAC address. For security reasons I doubt that you can get that address freely from a php script or GET IT AT ALL...

using cookies is also good however users can clear their cookies, deleting or trapping accounts is good, but then users can register a new account. Email activation works but getting another email address for a malicious user is just a few clicks...

what tricks do you guys sugest? something that hopefully works?

thanks

[F4nat1c]

Well just update the database with a Ban field, and If they're banned, then there's a 1 in the Ban field next to thier username. As long as the only thing they can do on your site without logging in is look, then that should work fine.

[lieut_data]

this may be stupid, but the only way to ban someone 100% would be to block the MAC address. For security reasons I doubt that you can get that address freely from a php script or GET IT AT ALL...

Unless I'm mistaken, the MAC address is on another network level, and isn't something that would ever be available.

The above approaches are all easily overcome -- the only technique I can recommend is to require e-mail verification, and ban common "free e-mail" sites, such as gmail, hotmail, yahoo, etc...

... noting that this might restrict some valid users from accessing your resources.

[matsko]

its a free website, they can just register again with a different email. I said that above...

One smart system would be to have one IP per user, but that is not possible because IP address's are not distinct per computer. Also if you know how to then you can login through a proxy (which will mask your IP address with another one...)

[matsko]

what you said about having the valid email idea is the best solution yet...

it will most likely (by over 50%) prevent users from registering, because I doubt that all users have (non-free) email address's

[L4suicide]

From expirience annoying members are not always malicious and capable.

Try using mis-information. Create a cookie which would stop them from registering new accounts, but when they try give an error message 'Your IP/MAC/email has been banned'

Or visa versa.

I know its not a solid technical solution, but it stops all the little kiddies with issues from causing problems.

[lieut_data]

what you said about having the valid email idea is the best solution yet...

it will most likely (by over 50%) prevent users from registering, because I doubt that all users have (non-free) email address's

Almost everyone has at least one e-mail provided them by their ISP -- this just forces them to use that, or look elsewhere for the resources.

[dodyryda]

banning by ip surely is not the way to go? ISP's frequently assign addresses with dynamic IP's so this is bound to be ineffective

[crmalibu]

Instead of banning the user which gives them immediate feedback that it's time to register a new account, make that account annoying.

Do stuff stuff like make some of their requests error out. Make some take a long time. Do random really annoying things. Make it very unenjoyable. Let your saidstic side come out

[Cups]

Agree.

Make some parts of the page disappear for those you have banned, no input boxes etc kinda readonly view. Only works if they weren't smart enough to copy your form postback addresses of course. Devise a special turing test for them.

[JREAM]

If you require real email accounts to activate make sure to block emails from services like mailinator or it's very easy to make tons of free accounts. There are a few different extensions for those email boxes (3 I think), you could block those off with REGEX.

[sk89q]

I find the best defense to be a psychological one, both on a website, and in real life. Do whatever you can to discourage the behavior. (It's really a question of economics, as you are trying to increase the opportunity cost.) Of course, how feasible that is and the methods that you can use depends on the subject of the website in question.

Using (only) force tends to be like killing a ton of cockroaches with your feet.

[EastCoast]

Instead of banning the user which gives them immediate feedback that it's time to register a new account, make that account annoying.

Do stuff stuff like make some of their requests error out. Make some take a long time. Do random really annoying things. Make it very unenjoyable. Let your saidstic side come out

I like that cunning idea.. a 'stealth' ban in effect

I've previously created flash games for competitions where there were a lot of attempts at hacking the high scores system, and one of the most effective techniques in reducing this was to allow a false score to appear to be in the table to the guilty party (high score table was only displayed to logged in users), but flag as false in the database and not appear to everyone else, so they think they have succeeded and don't expend effort on digging deeper.