Slashdot Mirror


Blocking Destructive Users from Websites?

billmarrs asks: "I occasionally need to block a user from using my website because they are abusing the system in some way, but the tools I have to work with for blocking them are easily circumvented. Once I identify them, I can block their IP; but they can just hang up their modem and dial in again to get a new IP. I can also stick cookies in their browser to identify them, but they can delete the cookies (or turn them off altogether). Are there other ways to block unwanted users from one's website?"

4 of 38 comments

  1. User accounts by Boba001 · Score: 3, Interesting

    Sometimes you can get away with a massive ban of a group of IPs.. but if your site gets a lot of hits you end up pissing off normal visitors.

    If your problems stem from some kind of forum where the person is posting crap, spamming, etc. you might try requiring people to create a simple account where they need to supply a valid e-mail address.

    The disadvantage to that is that having to register for an account is pretty annoying and many users won't sign up for them if they don't visit the site all the time... Other (non-registering) solutions would require you to program some advanced filters on forum posts, or having a limit on how many messages a person can post in X amount of time.

  2. Auto detection may be an answer... by ayjay29 · Score: 2, Interesting

    If they are using the same pattern, some URL hack, or a bunch of comments posted, or some kind of DOS.

    You could write code to detect this, then block the IP, or use a cookie based method to block them for a short time. If they try different tactics, you could modify the blocker code.

    It's hard to tell if this would be a good solution without knowing the details of what they do.

    --
    Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated up.
  3. MAC address? by Clubber Lang · Score: 2, Interesting

    Not much info in your story... but here's the first thought off the top of my head (and consider that I've been up for 30+ hours). Keep track of your pesky guy's MAC address, then block the connection if it matches. No, it's not perfect since it can be changed... but assuming you're dealing with a lame-o script kiddie they might not know better, and you have less of a chance of blocking users who are legit as compared to just blocking a whole chunk of IP addresses.

    Here's what I'd do: Check the MAC when you get a request (probably only for certain key pages, but you could do it for all I guess) and if the address matches your banned list, automatically ban that IP address for say... 24 hours. This way you don't accidentally lock out real users for any length of time, and it should at least slow down your pest. Granted this falls apart if your intruder knows how to change the address on your card, but you didn't say how sophisticated this all is and it's better than nothing.

    Cheers

    --
    Actuaries - making accountants look interesting since 1949
  4. Concentrating on good users by Sir Runcible Spoon · Score: 2, Interesting

    So far everyone's contribution is about slapping down the abusers. Another approach is to concentrate on promoting users that add value to your site. People that have had their accounts a long time, made useful posts and haven't consistently got moderated down.


    Giving these guys a quick route through the posting process will allow you to slow down newcomers to a crawl. If users have been reading your site for some time then they probably have something useful to say, and it is probably worth speeding them up. I read slashdot for ages before starting to post (not that what I post is always useful).


    If a newcomer does have something they really want to say, then they would be prepared to go through the hoops. Perhaps going through the password by email cycle for every post, or answering a selection of blindingly obvious but difficult to automate random questions (e.g. What colour is grass? red, green or blue).
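
Added example, not part of the original thread: a sketch in Python that combines the per-account posting limit from comment 1 with the trust tiers from comment 4, keyed on the account rather than on an IP or cookie. The names `PostThrottle` and `posts_allowed`, the tier thresholds and the 10-minute window are all assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque

# Assumed tiers (not from the thread): (min account age in days,
# min average moderation score, posts allowed per window).
TIERS = [(180, 1.0, 20), (30, 0.0, 5), (0, float("-inf"), 1)]
WINDOW_SECONDS = 600  # the "X amount of time" from comment 1; value assumed


def posts_allowed(age_days, avg_mod_score):
    """Return the per-window post quota for an account."""
    for min_age, min_score, quota in TIERS:
        if age_days >= min_age and avg_mod_score >= min_score:
            return quota
    return 0  # only reached for invalid input such as a negative age


class PostThrottle:
    """Sliding-window post limiter keyed on account id, not IP or cookie."""

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.history = defaultdict(deque)  # account id -> accepted post times

    def try_post(self, account_id, age_days, avg_mod_score, now=None):
        """Return (accepted, seconds until the oldest post leaves the window)."""
        now = time.time() if now is None else now
        times = self.history[account_id]
        # Drop timestamps that have aged out of the window.
        while times and now - times[0] >= self.window:
            times.popleft()
        if len(times) < posts_allowed(age_days, avg_mod_score):
            times.append(now)
            return True, 0.0
        wait = self.window - (now - times[0]) if times else float(self.window)
        return False, wait


if __name__ == "__main__":
    throttle = PostThrottle()
    # Constructed sample: a brand-new account posting twice, 100 s apart.
    print(throttle.try_post("newcomer", 0, 0.0, now=1000))  # accepted
    print(throttle.try_post("newcomer", 0, 0.0, now=1100))  # refused, wait 500 s
    # An old account that is consistently moderated down gets the newcomer quota.
    print(posts_allowed(200, -1.0))
```

Because the quota follows the account's age and moderation history, a banned user who registers again starts in the slowest tier regardless of the IP address they return from.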