Tags: cookies, ip-address, forum, host

Effective methods of identifying and blacklisting a user


I'm currently looking at different ways to use various web/internet technologies in order to be able to identify and blacklist a user of a website rather than the host. If that didn't make much sense, let me explain a little:

As you might be aware, some sites (particularly forums and message boards) have the unwelcome visit of spammers every so often. Obviously forum moderators are able to blacklist any accounts used to do this, but it's what occurs after this that's the problem.

In many cases, the same user is able to bypass blacklistings, create a new account, and continue on their rampage. Of course, there are some tools such as IP address blacklists, but anyone who is even a little bit knowledgeable about the Internet will typically know how to obtain a new address, and once again be able to bypass the ban meant for them.

Another interesting method I've seen is using a unique encrypted cookie to (at least) identify the host used by a blacklisted user. That is, when the user is blacklisted, the server-side makes note of the value in the cookie, so that next time the same host is used to create a new account, the cookie is sent back to the server which can then identify that they're bypassing a blacklist. But again, the problem is that adept users are able to delete the browser's cookies, allowing them to once again become anonymous.

So I'm looking for different methods of being able to enforce such a blacklist, if one even exists. I'm aware of other browser storage methods such as localStorage, and even plugin-based ones such as "Flash cookies", so anything similar to these kinds of ideas is preferable (although ideally, it would be great to be able to make a successful identification by just using regular HTTP technologies, i.e. without JavaScript, Flash, etc.).

There's also a fair bit of thinking in terms of "well sure, the idea may not be 100% foolproof since the user could change or delete various settings, but if they don't understand or realise that it works that way, then it works". What I mean here is, just like the example I gave above about the use of cookies: even though cookies can be deleted, if the user doesn't understand that they're being used that way, then the blacklist remains enforced.


Solution

  • You may be interested in this website http://panopticlick.eff.org/, and in the report containing some mathematical details about the way to fingerprint a browser based on all the data collected.

    You can check as well tools which use the new HTML5 database storage, like the one used by ringleaderdigital; here's the opt-out link, which may be useful for everyone, as is the Better Privacy plugin for Firefox.

    This reading can give you quite a lot of technical details on how to use LSO Flash cookies or local databases. And as you can read there, or on the Wikipedia page on LSOs, some JavaScript tools can be used to handle Flash cookies, like the Dojo framework.

    You should also try to handle the "Do Not Track" policy, see the FAQ. Users will send headers telling you that you shouldn't try to track them. In terms of blacklisting this can become a problem. Maybe you should build the tracker, compare it to the blacklist, and throw it away if you cannot find them there.