Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
Security

Blocking Destructive Users from Websites? 38

Posted by Cliff from the eliminating-those-who-spoil-it-for-others dept.
billmarrs asks: "I occasionally need to block a user from using my website because they are abusing the system in some way, but the tools I have to work with for blocking them are easily circumvented. Once I identify them, I can block their IP; but they can just hang-up their modem and dial-in again to get a new IP. I can also stick cookies in their browser to identify them, but they can delete the cookies (or turn them off altogether). Are there other ways to block unwanted users from one's website?"
This discussion has been archived. No new comments can be posted.

Blocking Destructive Users from Websites? More

Blocking Destructive Users from Websites?

Comments Filter:

  • You could try ... (Score:4, Funny)

    by VA Software ( 533136 ) on Wednesday November 07, 2001 @02:19AM (#2531498) Homepage
    ... moderation, meta-moderation, lameness filters, blocking ip-subnets, bitchslaps and putting [] around questionable material [goatse.cx].

    I've heard these can be quite effective.

    (Just watch the moderation on this post for proof!)

  • e-mail address-authenticated logins (Score:5, Insightful)

    by Tumbleweed ( 3706 ) on Wednesday November 07, 2001 @02:20AM (#2531501)
    E-mail address-authenticated logins are probably the only real answer. Create logins that have to be activated via e-mail address. Shutdown accounts of abusers, and don't allow them to create an account with an e-mail address already in the system. Depending on what's happening with this 'abuse', you might consider creating a 'bozo' class for your logins, wherein the person _thinks_ they're still able to do things, but actually aren't. Let's say the problem is people leaving abusive or stupid messages on a webboard - well, make it so bozo'd users can still read and post messages, but noone else can see their messages but them. Just a thought...
    • Better yet, partition the communities into separate groups of users who all agree with each other. Then there would be no acrimony, and the gates-hating linux users could congratulate each other on their choice of OS all day long, while the real world Microsoft users could try and convince each other that Microsoft innovates really good technologies.

      Nobody need ever be challenged by a contradictory thought or opinion...

    • Oh, I should have mentioned that I already do this. The trouble is that it's so easy to create a new email address at some random web-based email site that it doesn't help much. For a long while I made users trying to use web-based email address (i.e. hotmail.com) go through extra steps of providing more information (address+phone) and an approval step for me before I would let them on the site. I keep an every-increasing list of web-based email domains. My last count was 3,272 domains and still there were always new ones. Also, I really don't have the resources to test the address and phone info, so if it looked good, I'd let them through.
      • How about charging a small fee ($1 - $5) for access to the site. If your content is worth it the users will probably pay. The people who also cause trouble can pay, but having to pay every time they get banned might deter them. The unfortunate side is that it may deter the good users too. But at least you'll make a bit of money running your site.
      • I'm not sure how much farther you can go, short of having an approval system of moderation - messages don't go online until approved.

        If the problem is people cursing, then an automatic-censoring program could help, if it's smart enough to check for things like f*ck, etc, different characters inbetween, and all that, but it seems more trouble than it's worth.

        If you've got lots of time, money, and ability, then perhaps an intelligent system that combines IP logging, e-mail address domain logging, username similarities, etc, could be made, but that's an insane level to go to, IMO.
    • I've been using spamgourmet.com [spamgourmet.com] for virtually all of my e-mail registration needs. If one of my fake e-mail addresses (that forward to my real e-mail address) gets "tagged", I can simply sign up again using another fake one.

      Nice try, but it won't work for long.

    • you might consider creating a 'bozo' class for your logins, wherein the person _thinks_ they're still able to do things, but actually aren't.

      Excellent suggestion! Instead of kicking them off, put them in the "safe" room. You should be able to fool them with a well-planned trap -- just don't change the look of one page without changing the other!

      This reminds me of a bit of manufacturing equipment I once saw (a plastic injection molding machine, IIRC). There was a control panel with knobs and switches and dials, which the production workers would adjust throughout their shift to maintain certain limits (temperature, pressure, etc.). Every evening the night shift folks would state that the day shifters had it all screwed up, and would set the knobs where they liked them. Every morning the day shifters would say the same about the night shifters and set the knobs back. Neither group knew that the controls on the panel did nothing except make the dials move a bit; the real controls were all hidden inside the panel, where only the production engineers could get at them. Everyone was happy!

  • block the hostmask (Score:4, Insightful)

    by DragonPup ( 302885 ) on Wednesday November 07, 2001 @02:24AM (#2531508)
    resolve the domain name to the hostmask if possible, and ban a range of them, for example, *.ma.pool.crapnet.net

    Yes, it's broad, but works. Or you can call the ISP and complain to them

    -Henry
    • resolve the domain name to the hostmask if possible, and ban a range of them,

      And then you discover that three of your "best users" also dial into that same modem pool (or whatever) and then what?
      • Exactly... the worst case scenario (which is also a common scenario) is that the user is from AOL, along with 100s of other users who all appear to share the same IP ranges. *pout*

        I have had some success with blocking IP ranges for cases of unpopular ISPs or cable modem/DSL users who seem to have a static IP. But, this is rare.

      • contact their ISP. Abuse is semi-illegal already, depending on what form it takes. Take legal action if you can.

        The biggest thing you do though is don't ban them directly, just take everyone to a page that says "Do to other uses from your ISP abusing our system you are blocked. Contacting your ISP has not resolved the problem. If you are the abuser go away. If you are an honest user, then switch ISPs, as you are currently paying someone who doesn't care." Some re-wording of that should be done, read it twice and you will get the idea, but my writting skills are not enough to make to readable.

  • User accounts (Score:3, Interesting)

    by Boba001 ( 458898 ) <lance@mcnearney.net> on Wednesday November 07, 2001 @04:26AM (#2531673) Homepage
    Sometimes you can get away with a massive ban of a group of IPs.. but if your site gets a lot of hits you end up pissing off normal visitors.

    If your problems stem from some kind of forum where the person is posting crap, spamming, etc. you might try requiring people to create a simple account where they need to supply a valid e-mail address.

    The disadvantage to that is that having to register for an account is pretty annoying and many users won't sign up for them if they don't visit the site all the time... Other (non-registering) solutions would require you to program some advanced filters on forum posts, or having a limit on how many messages a person can post in X amount of time.
  • If they are using the same pattern, some URL hack, or a bunch of comments posted, or some kind of DOS.

    You could write code to detectt this, then block the IP, or use a cookie based method to block them for a short time. If they try different tactics, you could modify the blocker code.

    It's hard to tell if this would be a good soultion without knowing the details of what they do.

  • Non technical solutions work the best. (Score:3)

    by Anton Anatopopov ( 529711 ) on Wednesday November 07, 2001 @06:58AM (#2531924)
    Have you considered a restraining order ? Legal action of any kind ? Abusive use of your computing facility (even a website) is illegal. Plain and simple.

    The thing to do is litigate. Follow the money. The abusive user may not have much to lose financially, but his/her ISP sure does.

    Use tools like traceroute to detect the source of the attacks. Then use the arin whois database to find the service provider. Then SUE LIKE CRAZY.

    A lot of people think the Internet is not part of the real world, so they think laws do not apply.

    They are wrong. There is plenty of case law on this subject.

    The point is to stop looking for technical solutions to social problems. They agree to a terms and conditions when they visit your site. Make sure they fulfil their side of the legally binding contract.

    The website I hate [adequacy.org] has a 'terms of use' which all posters are legally bound by. It even goes so far as to prohibit the use of the wget client. They seem to have a heavyweight legal team there too. And so far, apart from a minor DDOS attack by a jealous rival website, they have not experienced many problems, despite the highly controversial subject matter they seem to deal with.

    So to conclude: Sue their asses off.

    • You do realize, that adequacy.org is a satire site, do you?
  • You don't give any details of the abuse, so it makes it hard to advise specifics.

    However, I'm assuming you're running some sort of service that involves a server you can program. (If this is an EZBoard being abused, which you use but don't control, you're toast.) The key is to ban the behavior, not the user. Exactly how you do that depends on the exact situation.

    If someone's posting too often, make people wait at least n seconds before posting again. If they abuse that, kick the time up. And if they're posting rapid-fire, keep kicking the time up. Look into "exponential decay", it's what you're looking for. Once they cross a threshold, you may choose to ban the IP for a week and delete whatever messages were posted automatically, thus undoing the abuse automatically, which is kinda the key to this whole idea.

    Think outside the "IP ban" box. What you do for other services depends. Ban behavior, not people. It's a little harder at first, but much more reliable.
  • Apache allows you to ban a netblock, you don't have to do it on a per-IP basis. For example, if the guy's always coming from 209.14.27.*, you could create a directive for your root directory like:

    (Limit GET POST)
    order deny,allow
    deny from 209.14.27.
    (/Limit)

    (Replace the parentheses with angle brackets, a la HTML.) If you can't tweak httpd.conf, put that in an .htaccess file instead.

    Someone else suggested automating the process, this is a good idea if you can do it. When Nimda first fired up, a friend of mine wrote a Perl script that took the remote IP and added it to the deny directive in .htaccess. He set that script as his 404 error handler for a few days, and anyone who did a Nimda scan was immediately blocked from further access to the site. Of course some legit users who mistyped a link probably wound up blocked, too. I imagine by now he's cleaned out the list, so it was only a temporary inconvenience to real visitors.

    Your solution depends on how aggressive you want to be, and whether or not you care if a few babies get thrown out with the bathwater. Me, I'd just ban the netblock for a couple of weeks. The lusers will find another site to harass, and you can lift the ban.

    Shaun

  • MAC address? (Score:2, Interesting)

    by Clubber Lang ( 219001 )
    Not much info in your story... but here's the first thought off the top of my head (and consider that I've been up for 30+ hours). Keep track of your pesky guy's MAC address, then block the connection if it matches. No, it's not perfect since it can be changed... but assuming you're dealing with a lame-o script kiddie they might not know better, and you have less of a chance of blocking users who are legit as compared to just blocking a whole chunk of ip addresses.

    Here's what I'd do: Check the MAC when you get a request (probably only for certain key pages, but you could do it for all I guess) and if the address matches your banned list, automatically ban that ip address for say... 24 hours. This way you don't accidentally lock out real users for any length of time, and it should at least slow down your pest. Granted this falls apart if your intruder knows how to change the address on your card, but you didn't say how sophisticated this all is and it's better than nothing.

    Cheers
  • So far everyones contribution is about slapping down the abusers. Another approach is to concertrate on promoting users that add value to your site. People that have had their accounts a long time, made useful posts and haven't consistently got moderated down.


    Giving these guys a quick route through the posting process will allow you to slow down new comers to a crawl. If users have been reading your site for sometime then they probably have something useful to say, and it is probably worth speeding them up. I read slashdot for ages before starting to post (not that what I post is always useful).


    If a newcomer does have something they really want to say, then they would be prepared to go through the hoops. Perhaps going through the password by email cycle for every post, or answering a selection of blindingly obvious but difficult to automate random questions (e.g. What colour is grass? red, green or blue).

  • Browse at 3, 4, or 5.

    In regard to users who abuse the system, one of the things I love about /. is that it's user moderated. The community as a whole decides what is relevant data.

    The logitics of who gest banned is an adders nest to be avoided as well. How is it fairly applied? What is deemed illegal on said boards? How woudl fair notice be given?

    I have similar problems on boards we run, but we've gone for the standoffish side. As soon as we edit a post or start saying which users are valid or not as the owner of the system, we take on a far more expansive regulatory role. And that's not fun.

Slashdot Top Deals

"What man has done, man can aspire to do." -- Jerry Pournelle, about space flight

Close