Slashdot Mirror


Blocking Destructive Users from Websites?

billmarrs asks: "I occasionally need to block a user from using my website because they are abusing the system in some way, but the tools I have to work with for blocking them are easily circumvented. Once I identify them, I can block their IP; but they can just hang-up their modem and dial-in again to get a new IP. I can also stick cookies in their browser to identify them, but they can delete the cookies (or turn them off altogether). Are there other ways to block unwanted users from one's website?"

38 comments

  1. You could try ... by VA+Software · · Score: 4, Funny

    ... moderation, meta-moderation, lameness filters, blocking ip-subnets, bitchslaps and putting [] around questionable material.

    I've heard these can be quite effective.

    (Just watch the moderation on this post for proof!)

    --
    http://slashdot.org/moderation.shtml
    1. Re:You could try ... by Tumbleweed · · Score: 2

      Unfortunately, Slashdot has proved that moderation and meta-moderation don't work with such problems. They help, but they're hardly a 'solution'. And such nonsense as making people wait x minutes before posting again just irritates (as I just now found out).

    2. Re:You could try ... by billmarrs · · Score: 1

      Is mod_bitchslap out for Apache yet?

  2. e-mail address-authenticated logins by Tumbleweed · · Score: 5, Insightful

    E-mail address-authenticated logins are probably the only real answer. Create logins that have to be activated via e-mail address. Shut down accounts of abusers, and don't allow them to create an account with an e-mail address already in the system. Depending on what's happening with this 'abuse', you might consider creating a 'bozo' class for your logins, wherein the person _thinks_ they're still able to do things, but actually aren't. Let's say the problem is people leaving abusive or stupid messages on a webboard - well, make it so bozo'd users can still read and post messages, but no one else can see their messages but them. Just a thought...

    1. Re:e-mail address-authenticated logins by Anton+Anatopopov · · Score: 2, Insightful
      Better yet, partition the communities into separate groups of users who all agree with each other. Then there would be no acrimony, and the gates-hating linux users could congratulate each other on their choice of OS all day long, while the real world Microsoft users could try and convince each other that Microsoft innovates really good technologies.

      Nobody need ever be challenged by a contradictory thought or opinion...

    2. Re:e-mail address-authenticated logins by billmarrs · · Score: 1

      Oh, I should have mentioned that I already do this. The trouble is that it's so easy to create a new email address at some random web-based email site that it doesn't help much. For a long while I made users trying to use web-based email addresses (e.g. hotmail.com) go through extra steps of providing more information (address+phone) and an approval step for me before I would let them on the site. I keep an ever-increasing list of web-based email domains. My last count was 3,272 domains and still there were always new ones. Also, I really don't have the resources to test the address and phone info, so if it looked good, I'd let them through.

    3. Re:e-mail address-authenticated logins by Anonymous Coward · · Score: 0

      I like this idea. Let's segregate the internet.

    4. Re:e-mail address-authenticated logins by mini+me · · Score: 1

      How about charging a small fee ($1 - $5) for access to the site. If your content is worth it the users will probably pay. The people who also cause trouble can pay, but having to pay every time they get banned might deter them. The unfortunate side is that it may deter the good users too. But at least you'll make a bit of money running your site.

    5. Re:e-mail address-authenticated logins by Tumbleweed · · Score: 2

      I'm not sure how much farther you can go, short of having an approval system of moderation - messages don't go online until approved.

      If the problem is people cursing, then an automatic-censoring program could help, if it's smart enough to check for things like f*ck, etc, different characters in between, and all that, but it seems more trouble than it's worth.

      If you've got lots of time, money, and ability, then perhaps an intelligent system that combines IP logging, e-mail address domain logging, username similarities, etc, could be made, but that's an insane level to go to, IMO.

    6. Re:e-mail address-authenticated logins by Anonymous Coward · · Score: 0
      I like this idea. Let's segregate the internet.

      I like this idea too! Everyone who wants to split the internet on the right, everyone who wants it unified on the left.

    7. Re:e-mail address-authenticated logins by Rick+the+Red · · Score: 3, Funny
      you might consider creating a 'bozo' class for your logins, wherein the person _thinks_ they're still able to do things, but actually aren't.

      Excellent suggestion! Instead of kicking them off, put them in the "safe" room. You should be able to fool them with a well-planned trap -- just don't change the look of one page without changing the other!

      This reminds me of a bit of manufacturing equipment I once saw (a plastic injection molding machine, IIRC). There was a control panel with knobs and switches and dials, which the production workers would adjust throughout their shift to maintain certain limits (temperature, pressure, etc.). Every evening the night shift folks would state that the day shifters had it all screwed up, and would set the knobs where they liked them. Every morning the day shifters would say the same about the night shifters and set the knobs back. Neither group knew that the controls on the panel did nothing except make the dials move a bit; the real controls were all hidden inside the panel, where only the production engineers could get at them. Everyone was happy!

      --
      If all this should have a reason, we would be the last to know.
  3. block the hostmask by DragonPup · · Score: 4, Insightful

    Resolve the domain name to the hostmask if possible, and ban a range of them, for example, *.ma.pool.crapnet.net

    Yes, it's broad, but it works. Or you can call the ISP and complain to them.

    -Henry

    --
    "Useless organic meatbag" -HK-47
    1. Re:block the hostmask by innocent_white_lamb · · Score: 1

      resolve the domain name to the hostmask if possible, and ban a range of them,

      And then you discover that three of your "best users" also dial into that same modem pool (or whatever) and then what?

      --
      If you're a zombie and you know it, bite your friend!
    2. Re:block the hostmask by billmarrs · · Score: 1

      Exactly... the worst case scenario (which is also a common scenario) is that the user is from AOL, along with 100s of other users who all appear to share the same IP ranges. *pout*

      I have had some success with blocking IP ranges for cases of unpopular ISPs or cable modem/DSL users who seem to have a static IP. But, this is rare.

    3. Re:block the hostmask by bluGill · · Score: 2

      Contact their ISP. Abuse is semi-illegal already, depending on what form it takes. Take legal action if you can.

      The biggest thing you do though is don't ban them directly, just take everyone to a page that says "Due to other users from your ISP abusing our system you are blocked. Contacting your ISP has not resolved the problem. If you are the abuser go away. If you are an honest user, then switch ISPs, as you are currently paying someone who doesn't care." Some re-wording of that should be done, read it twice and you will get the idea, but my writing skills are not enough to make it readable.

    4. Re:block the hostmask by jpmkm · · Score: 1

      Actually, that might be a best case scenario - banning a big block of AOL users.

  4. User accounts by Boba001 · · Score: 3, Interesting

    Sometimes you can get away with a massive ban of a group of IPs.. but if your site gets a lot of hits you end up pissing off normal visitors.

    If your problems stem from some kind of forum where the person is posting crap, spamming, etc. you might try requiring people to create a simple account where they need to supply a valid e-mail address.

    The disadvantage to that is that having to register for an account is pretty annoying and many users won't sign up for them if they don't visit the site all the time... Other (non-registering) solutions would require you to program some advanced filters on forum posts, or having a limit on how many messages a person can post in X amount of time.

  5. Auto detection may be an answer... by ayjay29 · · Score: 2, Interesting

    If they are using the same pattern, some URL hack, or a bunch of comments posted, or some kind of DOS.

    You could write code to detect this, then block the IP, or use a cookie-based method to block them for a short time. If they try different tactics, you could modify the blocker code.

    It's hard to tell if this would be a good solution without knowing the details of what they do.

    --
    Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated up.
  6. Non technical solutions work the best. by Anton+Anatopopov · · Score: 3
    Have you considered a restraining order? Legal action of any kind? Abusive use of your computing facility (even a website) is illegal. Plain and simple.

    The thing to do is litigate. Follow the money. The abusive user may not have much to lose financially, but his/her ISP sure does.

    Use tools like traceroute to detect the source of the attacks. Then use the ARIN whois database to find the service provider. Then SUE LIKE CRAZY.

    A lot of people think the Internet is not part of the real world, so they think laws do not apply.

    They are wrong. There is plenty of case law on this subject.

    The point is to stop looking for technical solutions to social problems. They agree to a terms and conditions when they visit your site. Make sure they fulfil their side of the legally binding contract.

    The website I hate has a 'terms of use' which all posters are legally bound by. It even goes so far as to prohibit the use of the wget client. They seem to have a heavyweight legal team there too. And so far, apart from a minor DDOS attack by a jealous rival website, they have not experienced many problems, despite the highly controversial subject matter they seem to deal with.

    So to conclude: Sue their asses off.

    1. Re:Non technical solutions work the best. by entrox · · Score: 1

      You do realize that adequacy.org is a satire site, don't you?

      --
      The plural of 'anecdote' is not 'data'.
    2. Re:Non technical solutions work the best. by Anonymous Coward · · Score: 0

      You do realize that Anton Anatopopov is a troll, don't you?

    3. Re:Non technical solutions work the best. by Anton+Anatopopov · · Score: 1
      Of course I realise adequacy is satire. I just find it distasteful. Satire has never made me laugh. I find it pokes fun at weaker members of society, and tends to be a 'gloating' form of humor that the world could well do without.

      I hate adequacy because it represents everything that is wrong with the Gen-X attitude to life. Nothing is sacred, everything exists to have fun made out of it.

      I don't know why you are accusing me of being a troll; perhaps you are mistaking me for someone else. Or perhaps you are using the 'slashdot definition' of troll: someone whom I disagree with.

    4. Re:Non technical solutions work the best. by Anonymous Coward · · Score: 0

      Pay no attention to this, dude just wants to troll adequacy. Personal issues . . . (or a linking complex)

  7. Few details about the abuse make it hard to advise by Jerf · · Score: 2

    You don't give any details of the abuse, so it makes it hard to advise specifics.

    However, I'm assuming you're running some sort of service that involves a server you can program. (If this is an EZBoard being abused, which you use but don't control, you're toast.) The key is to ban the behavior, not the user. Exactly how you do that depends on the exact situation.

    If someone's posting too often, make people wait at least n seconds before posting again. If they abuse that, kick the time up. And if they're posting rapid-fire, keep kicking the time up. Look into "exponential decay", it's what you're looking for. Once they cross a threshold, you may choose to ban the IP for a week and delete whatever messages were posted automatically, thus undoing the abuse automatically, which is kinda the key to this whole idea.

    Think outside the "IP ban" box. What you do for other services depends. Ban behavior, not people. It's a little harder at first, but much more reliable.
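    The "ban the behaviour" scheme above, worked through as an added example (not code from the thread or from the poster): a posting limiter whose required wait doubles with every too-early attempt, decays back as the poster stays quiet, and once a strike threshold is crossed bans the source for a week and deletes the messages posted during the burst. The constants, the strike/decay rule and the in-memory message store are assumptions.

    ```python
    from dataclasses import dataclass, field
    from typing import Optional

    BASE_WAIT = 30                # seconds between posts for a clean poster (assumed)
    MAX_STRIKES = 4               # too-early attempts before a temporary ban (assumed)
    BAN_SECONDS = 7 * 24 * 3600   # the one-week ban suggested in the comment
    DECAY_SECONDS = 600           # each 10 quiet minutes forgives one strike (assumed)


    @dataclass
    class Poster:
        last_seen: Optional[float] = None   # time of the last attempt, accepted or not
        strikes: int = 0
        banned_until: float = float("-inf")
        burst_ids: list = field(default_factory=list)   # messages since strikes last hit 0


    class PostLimiter:
        def __init__(self):
            self.posters = {}    # source (IP or account name) -> Poster
            self.messages = {}   # message id -> (source, text); stands in for the database
            self.next_id = 1

        def required_wait(self, p):
            # 30s, 60s, 120s, ...: "keep kicking the time up"
            return BASE_WAIT * (2 ** p.strikes)

        def submit(self, source, text, now):
            """Return ("accepted", id), ("too_soon", wait) or ("banned", removed_ids)."""
            p = self.posters.setdefault(source, Poster())
            if now < p.banned_until:
                return ("banned", None)
            if p.last_seen is not None:
                idle = now - p.last_seen
                # the decay side: quiet time earns strikes back
                p.strikes = max(0, p.strikes - int(idle // DECAY_SECONDS))
                if idle < self.required_wait(p):
                    p.strikes += 1
                    p.last_seen = now
                    if p.strikes >= MAX_STRIKES:
                        p.banned_until = now + BAN_SECONDS
                        return ("banned", self._undo_burst(p))
                    return ("too_soon", self.required_wait(p))
            p.last_seen = now
            if p.strikes == 0:
                p.burst_ids = []      # a clean poster's history is not part of any burst
            mid = self.next_id
            self.next_id += 1
            self.messages[mid] = (source, text)
            p.burst_ids.append(mid)
            return ("accepted", mid)

        def _undo_burst(self, p):
            """Delete what was posted during the burst, undoing the abuse automatically."""
            removed = [m for m in p.burst_ids if self.messages.pop(m, None) is not None]
            p.burst_ids = []
            return removed
    ```
    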

  8. easily circumvented by mr.ska · · Score: 2
    I've been using spamgourmet.com for virtually all of my e-mail registration needs. If one of my fake e-mail addresses (that forward to my real e-mail address) gets "tagged", I can simply sign up again using another fake one.

    Nice try, but it won't work for long.

    --

    Mr. Ska

    1. Re:easily circumvented by Anonymous Coward · · Score: 0

      I've been using spamgourmet.com

      Wow, that is one of the coolest things I have seen in a while. Thank you very much!

  9. Incredible physics is being moderated up by Anonymous Coward · · Score: 0, Offtopic

    It's really surprising how long some people can persuade moderators that their wildly misleading, incorrect post on quantum mechanics is in fact worthy of Einstein and should be moderated up to +3 while ignoring a correct explanation of the real physics.

  10. PIII Track by BryanHughes · · Score: 0, Flamebait

    If they have an older PIII (or some of the late PII's) you could track them by the ID on the processor. It would be interesting to see, but totally immoral. I'm wondering when Microsoft is going to add client IDs into IE (such as a permanent ID that's added on registration), or have they already? I believe they have a similar tracking feature in Office. Office documents are "tagged" and if you were crazy enough to register with MS, they have your ID. Otherwise, if you were crazy enough to put in your real name at registration, they know who you are. Anyone want to confirm this?

  11. Are you using Apache? by ShaunC · · Score: 2

    Apache allows you to ban a netblock, you don't have to do it on a per-IP basis. For example, if the guy's always coming from 209.14.27.*, you could create a directive for your root directory like:

    <Limit GET POST>
    order deny,allow
    deny from 209.14.27.
    </Limit>

    If you can't tweak httpd.conf, put that in an .htaccess file instead.

    Someone else suggested automating the process, this is a good idea if you can do it. When Nimda first fired up, a friend of mine wrote a Perl script that took the remote IP and added it to the deny directive in .htaccess. He set that script as his 404 error handler for a few days, and anyone who did a Nimda scan was immediately blocked from further access to the site. Of course some legit users who mistyped a link probably wound up blocked, too. I imagine by now he's cleaned out the list, so it was only a temporary inconvenience to real visitors.

    Your solution depends on how aggressive you want to be, and whether or not you care if a few babies get thrown out with the bathwater. Me, I'd just ban the netblock for a couple of weeks. The lusers will find another site to harass, and you can lift the ban.

    Shaun

    --
    Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
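    An added example, not the Perl script the comment describes: a Python helper that keeps time-limited deny entries inside the <Limit GET POST> block shown above, validates the netblock before writing it (a 404 handler takes this value from the request, so an unvalidated value could inject other directives into the file), and expires old entries, which is the cleanup the comment leaves for later. The expiry comment lines, the file layout and the constructed sample date are assumptions.

    ```python
    import ipaddress
    import re
    from datetime import datetime, timedelta, timezone

    # The managed block mirrors the directive quoted in the comment above.
    BLOCK_RE = re.compile(r"<Limit GET POST>\n.*?</Limit>\n", re.S)
    ENTRY_RE = re.compile(r"^# expires (\S+)\ndeny from (\S+)$", re.M)
    PARTIAL_RE = re.compile(r"^(\d{1,3}\.){1,3}$")   # Apache-style prefix such as 209.14.27.
    DAY = timedelta(days=1)
    T0 = datetime(2001, 10, 1, tzinfo=timezone.utc)   # constructed "now" for the demo


    def normalize_block(block):
        """Return a canonical netblock string or raise ValueError.
        The 404 handler gets this value from the request, so it is validated before
        it is ever written into the configuration file."""
        if PARTIAL_RE.match(block) and all(int(o) < 256 for o in block.rstrip(".").split(".")):
            return block
        return str(ipaddress.ip_network(block, strict=False))   # single IPs become /32


    def is_valid_block(block):
        try:
            normalize_block(block)
            return True
        except ValueError:
            return False


    def parse_bans(text):
        """Map each banned netblock in the managed block to its expiry time."""
        m = BLOCK_RE.search(text)
        if not m:
            return {}
        return {net: datetime.fromisoformat(exp) for exp, net in ENTRY_RE.findall(m.group(0))}


    def render(text, bans):
        """Rewrite (or append) the managed block; the rest of the file is untouched."""
        lines = ["<Limit GET POST>", "order deny,allow"]
        for net, exp in sorted(bans.items()):
            lines += [f"# expires {exp.isoformat()}", f"deny from {net}"]
        block = "\n".join(lines) + "\n</Limit>\n"
        if BLOCK_RE.search(text):
            return BLOCK_RE.sub(lambda _m: block, text, count=1)
        if text and not text.endswith("\n"):
            text += "\n"
        return text + block


    def add_ban(text, block, days, now):
        bans = parse_bans(text)
        bans[normalize_block(block)] = now + days * DAY
        return render(text, bans)


    def expire_bans(text, now):
        """Drop entries whose time is up, so legitimate visitors get back in."""
        return render(text, {n: e for n, e in parse_bans(text).items() if e > now})
    ```
    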
  12. MAC address? by Clubber+Lang · · Score: 2, Interesting

    Not much info in your story... but here's the first thought off the top of my head (and consider that I've been up for 30+ hours). Keep track of your pesky guy's MAC address, then block the connection if it matches. No, it's not perfect since it can be changed... but assuming you're dealing with a lame-o script kiddie they might not know better, and you have less of a chance of blocking users who are legit as compared to just blocking a whole chunk of ip addresses.

    Here's what I'd do: Check the MAC when you get a request (probably only for certain key pages, but you could do it for all I guess) and if the address matches your banned list, automatically ban that ip address for say... 24 hours. This way you don't accidentally lock out real users for any length of time, and it should at least slow down your pest. Granted this falls apart if your intruder knows how to change the address on your card, but you didn't say how sophisticated this all is and it's better than nothing.

    Cheers

    --
    Actuaries - making accountants look interesting since 1949
    1. Re:MAC address? by Anonymous Coward · · Score: 0

      Maybe you should learn what MAC addresses do before you utter complete bullshit.

      If you go by his suggestion.. You will block just about everyone who comes to your site, cus.. most of them will prolly have the same MAC address as your router.. (unless you have multiple routers.. in which case it might take a few times before you ban all the routers' MAC addresses.)

      A better solution is to use E-Mail verification like others mentioned, however, with one modification, do not allow people to use a FreeMail e-mail address. Require them to not use *@hotmail, *@yahoo.. etc... and if you find a user is a problem maker, you can ban his e-mail domain to make him never come back.

    2. Re:MAC address? by One+Tonna+Fan+Mail · · Score: 1

      So, if I abused his web site nobody from @verizon.net would ever get to use it again?

  13. That'd be a great idea by pete-classic · · Score: 2

    if there weren't any routers on the internet.

    That's as far as the MAC goes.

    -Peter

    1. Re:That'd be a great idea by Anonymous Coward · · Score: 0

      Use a Java applet to acquire "unique" information about the machine in question. Of course, you'll need to request privileges that the user will have to grant.

  14. Learn from Slashdot by J'raxis · · Score: 0, Offtopic

    Slashdot has come up with metric buttloads of different ways to block people in their never-ending arms race with the trolls: lameness filter and other content-based filters, account banning, IP banning. None of it works right and can be circumvented in about 5,421,234 different ways (rough estimate), but it's a start. They've been working on it for about three years, but... well, it's still a start.

    (Here is the Slashdot source code.)

  15. Concentrating on good users by Sir+Runcible+Spoon · · Score: 2, Interesting
    So far everyone's contribution is about slapping down the abusers. Another approach is to concentrate on promoting users that add value to your site. People that have had their accounts a long time, made useful posts and haven't consistently got moderated down.

    Giving these guys a quick route through the posting process will allow you to slow down newcomers to a crawl. If users have been reading your site for some time then they probably have something useful to say, and it is probably worth speeding them up. I read slashdot for ages before starting to post (not that what I post is always useful).

    If a newcomer does have something they really want to say, then they would be prepared to go through the hoops. Perhaps going through the password by email cycle for every post, or answering a selection of blindingly obvious but difficult to automate random questions (e.g. What colour is grass? red, green or blue).

  16. keep it open by boboroshi · · Score: 1

    Browse at 3, 4, or 5.

    In regard to users who abuse the system, one of the things I love about /. is that it's user moderated. The community as a whole decides what is relevant data.

    The logistics of who gets banned is an adder's nest to be avoided as well. How is it fairly applied? What is deemed illegal on said boards? How would fair notice be given?

    I have similar problems on boards we run, but we've gone for the standoffish side. As soon as we edit a post or start saying which users are valid or not as the owner of the system, we take on a far more expansive regulatory role. And that's not fun.

    --
    // john athayde
    # x@boboroshi.com
    # http://www.boboroshi.com/