I am preparing a registration form for my website where they can register and track how many registered so far. But I encountered some issues that some people register multiple times by using different details from same device. I would like to stop that cheat. Anyone help me to overcome this issue. I want to track their ip or their device details and restrict multiple registration.
You should look at the $_SERVER array: https://www.php.net/manual/en/reserved.variables.server.php
The thing that might interest You most in this case would be $_SERVER['REMOTE_ADDR'];
Just remember that many PCs from the same network might have the same IP, so You can't just block them purely on the IP. Be careful to not block normal users by accident. You might want to set a cookie as well.
Obviously You won't be able to 100% block multiaccount cheaters if they know what they are doing, but You should be able to either catch most of them, of force them to give up. Add things like not allow to register multiples accounts on the same email, force to solve hard captha, email confirmation links etc. Often it is just a small deal, but it simply makes multiaccount-cheaters life a little harder, and most of them will give up just because of that.
Sometimes is good idea to let them be for some time and log the multiaccounts for some time. Then block them all at once, so they won't know if they managed to bypass Your security or not at the very second when they try to create account.
Check as well other $_SERVER variables that You might find useful, like HTTP_USER_AGENT that returns very specific information about browser.
You can use the PHP superglobal $_SERVER to find their ip. Then use some validation on whether to accept the registration.
Related
I have just added a CAPTCHA to a page to block spams but we are getting spams as usual.
The website is using Html, Php, Javascript and unsecured http only and nothing else.
I am generating and comparing captchas in Php using if statement. I am also adding both the captchas (generated and typed) in a comment for testing. So while genuine mails are received with both the generated and typed captcha. In the spams mails both capchas are blank (the spammers are at work so mystery and confusion).
I have checked all the files on website they are exactly as I had uploaded. I do not understand what spammers have done and how?
Some guidelines are needed. So, I can start studying books and websites.
You can basically chaulk that up to...
https://dynomapper.com/blog/514-online-captcha-solving-services-and-available-captcha-types
https://github.com/imagetyperz-api/imagetyperz-api-nodejs
https://github.com/bestcaptchasolver/bestcaptchasolver-php
The list goes on and on but I think you get the idea.
Your going to want to stack methods of spam prevention that don't annoy real users.
https://www.lifewire.com/solutions-to-protect-web-forms-from-spam-3467469
Good list there, my personal goto has always been honeypots, just a hidden field that looks and feels like a real field, but if someone fills it out you immediately know its a bot. Maybe throw it 9999px of the page to the right, but to a bot they still see it right under the other fields in your code.
Also if you are bored and have a bit of time and another great way of banning most of the current active botnets from your site, or maybe setting up a seperate site on the same hosting provider just to harvest all the active IPs of botnets trolling your hosting providers IP range.
Make a robots.txt file like this
User-agent: *
Disallow: /secret/
Any honest bot like google bot won't follow the path to /secret/ on your domain, but let me tell you that if its a bot you do not want on your site one of the first things its going to be programmed to do is check files like this for queues on where the paths on your site are, especially private ones.
Then just set up a script to automatically IP ban all traffic to /secret
Now odviously this is doing to end up banning some legit people who end up using the IP after the bot etc, etc. But honestly tell me it doesn't sound like a fun idea.
HiI am at prototype stage. For the scenario below, I want to share my plan with you and I am asking your opinions if my plan makes sense or is there any better way to achieve my requirement that you may recommend. thanks, regardsSCENARIOA spam bot can haunt my forms. (mail, comment, article sharing) At the verification stage, I can detect if it’s a spammer by known methods. (captcha, time limit, secret question, hidden form element etc.) but what if the spam boy tries and tries continuously? It won’t able to validate and excute the form aim but it’ll consume the bandwidth continuously. MY REQUIREMENTNot only prevent to execute the form aim but also prevent bandwidth consumption on a continuous base. MY PLANUsing session abilities, count the number of attempts of the specific ip in a limited time. If the number of attempts is greater than n in x minutes, then redirect the visitor to a totally different url or ban the visitor ip at run-time with php codes. MY QUESTIONS
Is it logical to redirect the spammer to a totally different url? If
yes do you know any web page that welcomes the spammer IPs in order
to add them to their blacklists? In other way I am aware that this
activity will not be ethical so I must not apply this kind of
redirection.
Is it possible to ban an ip at php runtime in my related
verification pages?
1) It seems illogical to me. For example imagine brute-force bot that would try to get through your captcha. Most propably it will not even run in a web browser. If you send redirect headers, it might just ignore them and not load the target page. If you really need to save bandwidth, you could simply print blank page (for example you could use exit())
2)It is possible to ban ip anytime, you allways have $_SERVER['REMOTE_ADDR'] variable and if you decide to ban the ip, you can just add it to database (or file). And whenever somebody needs to be verified, you can query the database for their ip.
I was looking for a way to create an IP filter, so that I could easily identify customers, but many examples I saw, I could not understand in a way.
Then, I come here with some questions
A customer enters my site, IP x recovered from $_SERVER ['REMOTE_ADDR'], but I've been reading some things about CRID, which is one way to check if this IP is on the list denied, because obviously 90% of customers accessing the site, when you restart the modem IP is changed, I do not know if I'm talking nonsense, but a good idea to create an IP filter?
You should combine multiple factors such as sessions, cookies and ip filters.
But of course users still be able to clear cookies and sessions.
You may try to get mac-id of user's pc or computer but it is complicated and dunno it is useful or not and also user still can change mac-id but it's not an easy thing to do.
Let's say I want to open a simple, simple poll which could be hand-made via PHP. There are only two options. Option A or Option B. Without telling people to register, what is the most secure way to deter cheating?
If possible, I would like to use MySQL to store the data such as the votes. I am not asking for code, I am asking for ways on what I should do.
I say no registering because it puts people off just for a simple vote...
Thank you and have a good day.
There is no "good" way, let alone a "secure" way. Store their IP address, and don't allow additional votes from that IP. People behind NAT get screwed, but it's really the only thing you can do.
Alternatives include sending them a cookie which prevents them from voting twice, but that is trivially circumvented by even the most tech-unsavvy user.
Give each voter an ever cookie. It's sneaky as all hell, and some people take issue with them, but if you want a fairly good guarantee this is probably it.
Defence in depth. Store as much identifying information as you can.
Store IP address, browser agent, host address, host name ... everything you like the look of, in your MySQL table. If ALL of these match, then it's someone trying to dupe.
Set a cookie to stop them voting. If this exists, they're trying to dupe.
Set a flash cookie to stop them voting (entirely different to normal cookies, get Googling :P) If this exists, they're trying to dupe.
Plus anything else you can think of. There will always be ways to get around it, of course, as it's always extremely hard to say "yes, that almost untraceable request came from that person", but it's more about making it a MASSIVE pain in the ass to beat the system with something like this.
IP is the way to go without registration. You could also get and check against the useragent in addition to the IP address, this might allow for a few more people who are using different computer configurations from the same IP address. Good luck.
I am about to write a voting method for my site. I want a method to stop people voting for the same thing twice. So far my thoughts have been:
Drop a cookie once the vote is complete (susceptible to multi browser gaming)
Log IP address per vote (this will fail in proxy / corporate environments)
Force logins
My site is not account based as such, although it aggregates Twitter data, so there is scope for using Twitter OAuth as a means of identification.
What existing systems exist and how do they do this?
The best thing would be to disallow anonymous voting. If the user is forced to log in you can save the userid with each vote and make sure that he/she only votes once.
The cookie approach is very fragile since cookies can be deleted easily. The IP address approach has the shortcoming you yourself describe.
One step towards a user auth system but not all of the complications:
Get the user to enter their email address and confirm their vote, you would not eradicate gaming but you would make it harder for gamers to register another email address and then vote etc.
Might be worth the extra step.
Let us know what you end up going for.
If you want to go with cookies after all, use an evercookie.
evercookie is a javascript API available that produces
extremely persistent cookies in a browser. Its goal
is to identify a client even after they've removed standard
cookies, Flash cookies (Local Shared Objects or LSOs), and
others.
evercookie accomplishes this by storing the cookie data in
several types of storage mechanisms that are available on
the local browser. Additionally, if evercookie has found the
user has removed any of the types of cookies in question, it
recreates them using each mechanism available.
Multi-browser cheating won't be affected, of course.
What type of gaming do you want to protect yourself against? Someone creating a couple of bots and bombing you with thousands (millions) of requests? Or someone with no better things to do and try to make 10-20 votes?
Yes, I know: both - but which one is your main concern in here?
Using CAPTCHA together with email based voting (send a link to the email to validate the vote) might work well against bots. But a human can more or less easily exploit the email system (as I comment in one answer and post here again)
I own a custom domain and I can have any email I want within it.
Another example: if your email is
myuser*#gmail.com*, you could use
"myuser+1#gmail.com"
myuser+2#gmail.com, etc (the plus sign and the text after
it are ignored and it is delivered
to your account). You can also include
dots in your username (my.user#gmail.com). (This only
works on gmail addresses!)
To protect against humans, I don't know ever-cookie but it might be a good choice. Using OAuth integrated with twitter, FB and other networks might also work well.
Also, remember: requiring emails for someone to vote will scare many people off! You will get many less votes!
Another option is to limit the number of votes your system accepts from each ip per minute (or hour or anything else). To protect against distributed attacks, limit the total number of votes your system accepts within a timeframe.
Different approach, just to provide an alternative:
Assuming most people know how to behave or just can't be bothered to misbehave, just retroactively clean the votes. This would also keep voting unobtrusive for the voters.
So, set cookies, log every vote and afterwards (or on a time interval?) go through the results and remove duplicates based on the cookie values, IP/UserAgent combinations etc.
I'd assume that not actively blocking multiple votes from same person keeps the usage of highly technical circumvention methods to a minimum and the results are easy to clean.
As a down side, you can't probably show the actual vote counts live on the user interface, or eyebrows will be raised when bunch of votes just happen to go missing.
Although I probably wouldn't do this myself, but look at these cookies, they are pretty hard to get rid of:
http://samy.pl/evercookie/
A different way that I had to approach this problem and fight voting fraud, was to require an email address, then a person could still vote, but the votes wouldn't count until they clicked on a link in the email. This was easier than full on registration, but was still very effective in eliminating most of the fraudulent votes.
If you don't want force users to log, consider this evercookie, but force java script to enable logging!
This evercookie is trivial to block because it is java script based. The attacker would not likely use browser, with curl he could generate tousends of requests. Hovewer such tools have usually poor javascript support.
Mail is even easier to cheat. When you run your own server, you can accept all email addresses, so you will have practically unlimited pool of addresses to use.