I have a security problem with a user whom we've banned over and over. They continuously re-register on the site and use proxies to get around the IP ban.
We use phpMyAdmin and SQL databases for the user table and already have everyone that registers automatically set to "0", which means they are registered but not an admin.
I was wondering if there is a way to dynamically set this person's user level when they register a new screen name - because they use the same email address every time. We have most of the site protected so that they are required to login and have a set permission level to see things. So if possible, when they register another login name it automatically sets that specific user ONLY to whatever number I designate and identifies it by the email address they are entering.
Any way to do that, or does anyone have any better ideas?
One idea is to do what craigslist does to people. It is called ghosting. It is a good thing to google. Basically a user thinks they are posting, but no one else ever sees their stuff. When they go to the listing, wow it is there. When they go to the category, it is there.
I realize that CL is quite different than say a chat forum. And the user would be wondering why no one took offense to them calling someone a fatso, live. But for non-interactive, non-realtime environments, they would have no idea they are ghosted. Well, I shouldn't say that. Maybe their friend tells them they can't see it.
If they can pull off the proxy thing, creating a new email address would be a piece of cake. Don't tip them off to the ghosting, let them continue to do their thing, isolate, and ignore (if it is even possible).
good luck
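One way to do what the question asks, as an added example that is not part of the original post or answer: at registration the submitted address is looked up in a table of already-banned e-mail addresses and, on a match, the new account is created with whatever level you designate (a "ghosted" level, in the spirit of the answer above) instead of the default 0. The table and column names, the `LEVEL_GHOSTED` value and the e-mail normalisation (lower-case, trimmed) are assumptions; the schema is created in an in-memory SQLite database so the script runs stand-alone.

```php
<?php
// Added example, not the original site's code. Table/column names, the
// level values and the e-mail normalisation are assumptions.

const LEVEL_DEFAULT = 0;   // normal registered user, as on the original site
const LEVEL_GHOSTED = 99;  // assumed value for the designated "ghosted" level

function normalizeEmail(string $email): string
{
    // Compare case-insensitively and ignore surrounding whitespace, so
    // "Troll@Example.com " and "troll@example.com" hit the same ban row.
    return strtolower(trim($email));
}

function banEmail(PDO $db, string $email, int $level = LEVEL_GHOSTED): void
{
    $stmt = $db->prepare('INSERT OR REPLACE INTO banned_emails (email, level) VALUES (:e, :l)');
    $stmt->execute([':e' => normalizeEmail($email), ':l' => $level]);
}

// Creates the account and returns the level it was given.
function registerUser(PDO $db, string $username, string $email, string $password): int
{
    $email = normalizeEmail($email);

    // Is this address on the ban list? If so, use the level stored there.
    $stmt = $db->prepare('SELECT level FROM banned_emails WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $level = $row ? (int) $row['level'] : LEVEL_DEFAULT;

    $stmt = $db->prepare(
        'INSERT INTO users (username, email, password_hash, level) VALUES (:u, :e, :p, :l)'
    );
    $stmt->execute([
        ':u' => $username,
        ':e' => $email,
        ':p' => password_hash($password, PASSWORD_DEFAULT),
        ':l' => $level,
    ]);
    return $level;
}

// --- demo with constructed data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, email TEXT, password_hash TEXT, level INTEGER)');
$db->exec('CREATE TABLE banned_emails (email TEXT PRIMARY KEY, level INTEGER)');

banEmail($db, 'Troll@Example.com');                                   // constructed address
echo registerUser($db, 'newguy', 'alice@example.com', 'pw1'), "\n";    // unknown address
echo registerUser($db, 'troll_v7', ' troll@example.com ', 'pw2'), "\n"; // banned address
```

The level only helps if the rest of the site actually consults it when deciding what to show, which is where the ghosting idea from the answer comes in: content from accounts at `LEVEL_GHOSTED` is stored normally but only rendered back to its author. Note that the `users.email` column is deliberately not unique here, because the whole point is that the same address keeps coming back.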
Is it at all possible to retrieve user information that can be used as a unique identifier between domains?
As a quick example of what I am trying to do (not exactly this but the theory is the same) say you had a main website at UK-news.com. You also had three other sites - England-news.com, Scotland-news.com and Wales-news.com, all hosted on the same server.
All 4 sites will share the same database and each would just pull the relevant info out of it. If a user becomes a member of one of the sites, they will also be given the option to become a member of any or all of the others. If a user signs-in to one of the sites he is a member of, and then goes to another how can I get that site to recognise him from the one he signed-in on so he is automatically logged in?
My theory was to store some user information (IP, USER_AGENT, browser, screen resolution, computer name, OS) in the database via PHP and then check against all of those as the user moves between sites. However, even checking against all of these, I am sure it will be possible for two different people to have exactly the same details.
Are there any truly unique identifiers that will guarantee that a person is recognised between domains?
Thanks
Steve
I don't know what the configuration of your server is, but: if one site is under something.domain.com and another under something2.domain.com, and the domains England-news.com and Scotland-news.com are only links to those sites, you can use URL rewriting and the cookie-sharing-over-subdomains option in PHP. But I think that this is not the case. So...
There is no 100% sure user recognition. And this is great; imagine what would happen if there were. You can NEVER trust user data and header data, while sometimes you cannot even trust the $_SERVER array. So there is no option to recognize the same user over a few domains.
1) The only answer that is useful is to suggest that you share the user MySQL table and make all the logins and passwords the same for each site. In that case someone can log in to another site using the same data.
2) You can try to rely on second-hand services like a Google account or Facebook account to verify users on your site. But you must remember that there are people without Gmail and Facebook, and the availability of such a site will be reduced.
3) Use a service like forever cookie, or something like that, but this is also not 100% sure. It uses HTML5 storage, Flash objects, and everything to verify if this is the same user. But as far as I know, everything can be omitted if you are patient enough.
Best regards!
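The one approach the answer endorses (option 1, a single users table shared by every site) together with the subdomain cookie setting it mentions, as an added example that is not part of the original answer. The table names, the parent domain and the membership table are assumptions; the database is in-memory SQLite so the script runs stand-alone.

```php
<?php
// Added example, not the original site's code. Table names, the parent
// domain and the per-site membership table are assumptions.

// If all sites live under one parent domain (e.g. england.uk-news.example),
// issuing the session cookie for the parent lets each subdomain see it.
// With separate registrable domains this does nothing: a cookie set for
// uk-news.example is never sent to scotland-news.example.
function configureSharedSessionCookie(string $parentDomain): void
{
    session_set_cookie_params([
        'domain'   => $parentDomain,   // e.g. '.uk-news.example' (assumed)
        'path'     => '/',
        'secure'   => true,            // only sent over HTTPS
        'httponly' => true,            // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Every site runs the same login code against the same table, so one
// username/password works everywhere. Returns the user id or null.
function authenticate(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    // Rotate the session id on login so a pre-set id cannot be reused.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
        $_SESSION['user_id'] = (int) $row['id'];
    }
    return (int) $row['id'];
}

// Sharing the login does not by itself make someone a member of every
// site; membership is still a per-site decision.
function isMemberOf(PDO $db, int $userId, string $site): bool
{
    $stmt = $db->prepare('SELECT 1 FROM memberships WHERE user_id = :u AND site = :s');
    $stmt->execute([':u' => $userId, ':s' => $site]);
    return $stmt->fetchColumn() !== false;
}

// --- demo with constructed data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$db->exec('CREATE TABLE memberships (user_id INTEGER, site TEXT, PRIMARY KEY (user_id, site))');
$db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
   ->execute(['steve', password_hash('correct horse', PASSWORD_DEFAULT)]);
$db->exec("INSERT INTO memberships VALUES (1, 'England-news.com'), (1, 'Wales-news.com')");

$uid = authenticate($db, 'steve', 'correct horse');
if ($uid !== null) {
    var_dump(isMemberOf($db, $uid, 'England-news.com'));
    var_dump(isMemberOf($db, $uid, 'Scotland-news.com'));
}
var_dump(authenticate($db, 'steve', 'wrong password'));
```

`configureSharedSessionCookie()` has to be called before `session_start()` on every site; it is left out of the demo because no session exists when the script is run from the command line. The `secure` and `httponly` flags are what keep a cookie that is now valid across several hosts from being the weakest link.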
At the moment, I'm working on a website that could use some extra usability, so I want to launch a couple of modal windows to aid users on their first visit to a couple of pages.
I want to check if it is a user's first time viewing a specific page. I've read about how you can run into problems when using cookies to do this. They can be deleted, the user can use a different PC or device, etc.
Also, I want to check for multiple pages if it's their first time viewing, not only directly after login.
I'm guessing a good idea for this would be to make a separate table with the pages in it that I need and setting a boolean for it if it is viewed or not.
Would this be the best way going about doing this?
There isn't a highly reliable way of doing that:
You can use cookies, but as you said, they are not reliable, a user can change PC, delete cookies, change browser, etc.
You can try using an IP address, but that's also not reliable. If a user switches address (which can today happen as you walk down the street with your mobile phone) he'll see the page over and over again. Moreover, if some other user happens to stumble upon the IP address the first user used, he won't see your tour/tutorial.
What I can suggest is that you use cookies to detect if the user is new, but don't automatically throw the help modules at him; instead prompt him using a non-obstructive toolbar at the top or bottom (never a popup window or lightbox).
That way, you get most of the users (because many people use the same browser and computer and rarely delete all their cookies), and even if a user has deleted his cookies, he still won't be disturbed that much.
There is no reliable approach if the user is not registered and logged in with his/her username & password.
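The server-side variant the question proposes (a table with one row per user and page already seen), combined with the cookie fallback for visitors who are not logged in, as an added example that is not part of the original answers. For a logged-in user the decision survives deleted cookies and a change of device, which is exactly what the answer above says cookies alone cannot give you. Table and page names are assumptions; the database is in-memory SQLite and `$cookies` stands in for `$_COOKIE`.

```php
<?php
// Added example, not the original site's code. Table and page names are
// assumptions; $cookies stands in for $_COOKIE so the script runs offline.

function isFirstVisit(PDO $db, ?int $userId, string $pageKey, array &$cookies): bool
{
    if ($userId === null) {
        // Anonymous visitor: best effort only, via a cookie we cannot trust
        // to survive (deleted, different browser, different device).
        $seen = isset($cookies['seen_pages']) ? explode(',', $cookies['seen_pages']) : [];
        if (in_array($pageKey, $seen, true)) {
            return false;
        }
        $seen[] = $pageKey;
        $cookies['seen_pages'] = implode(',', $seen);   // real code: setcookie(...)
        return true;
    }

    // Logged-in user: the (user_id, page_key) primary key plus INSERT OR IGNORE
    // makes the check atomic, so two concurrent requests for the same page
    // cannot both be told "first time".
    $stmt = $db->prepare(
        'INSERT OR IGNORE INTO page_views_seen (user_id, page_key, first_seen) VALUES (:u, :p, :t)'
    );
    $stmt->execute([':u' => $userId, ':p' => $pageKey, ':t' => time()]);
    return $stmt->rowCount() === 1;   // a row was inserted => never seen before
}

// Lets a user ask for the tour again (the answer's "don't force it on him").
function forgetVisit(PDO $db, int $userId, string $pageKey): void
{
    $stmt = $db->prepare('DELETE FROM page_views_seen WHERE user_id = :u AND page_key = :p');
    $stmt->execute([':u' => $userId, ':p' => $pageKey]);
}

// --- demo with constructed data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE page_views_seen (user_id INTEGER, page_key TEXT, first_seen INTEGER, PRIMARY KEY (user_id, page_key))');

$cookies = [];
var_dump(isFirstVisit($db, 42, 'dashboard', $cookies));   // logged-in user, new page
var_dump(isFirstVisit($db, 42, 'dashboard', $cookies));   // same user, same page again
var_dump(isFirstVisit($db, 42, 'reports', $cookies));     // same user, another page
forgetVisit($db, 42, 'dashboard');
var_dump(isFirstVisit($db, 42, 'dashboard', $cookies));   // tour re-enabled
var_dump(isFirstVisit($db, null, 'dashboard', $cookies)); // anonymous, cookie path
var_dump(isFirstVisit($db, null, 'dashboard', $cookies)); // anonymous, cookie present
```

The cookie branch is the only option for anonymous visitors and inherits every weakness the answers list, so the modal should be dismissible either way. Keying the table on page name rather than a boolean per column means adding a new tour needs no schema change.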
As mentioned before, there is no reliable way of detecting users (and detecting if the user visits the site for the first time). I also recommend Madara Uchiha's approach; you could also use HTML5 local storage in addition to cookies, but both are not 100% reliable.
You can however try user recognition without relying on cookies or HTML5 storage, but this is extremely complicated; you don't want to do this.
Just to satisfy your curiosity about how to do this, check this epic answer on a related question:
User recognition without cookies or local storage
I think, as I believe, there is no way with no solution. I think a possible way consists of some parameters which first have to be stated, and finally, by considering those, we can talk about possibilities and impossibilities.
My parameters are below:
talk about features of a webpage as "User Detection" and detail them
think about reactions (I mean being fast to click on any elements of a page or not) on a webpage
inspect elements
URL injection
other reactions like click on some parts as spots placed on the page
stay on that page up to a time defined for being and checking authorizing
and so some solutions like the ones above.
I am trying to block a user's PC permanently from using my website. Until now what I did is banning the IP address and setting a cookie which will automatically ban the IP address, if it changes. However some tricky users are nevertheless deleting the cookie and resetting their router, so they can write harmful comments on my website. Is there any other way of banning a user, other than with IP ban and cookies?
I read this question: https://stackoverflow.com/questions/3159160/how-to-definitively-ban-a-user-from-my-website-or-almost but it is not what I am looking for.
You could use evercookie, which is a lot harder to get rid of, but identifying individual PCs with certainty is not really possible, and that's a very good thing because it would be the end of privacy.
No, there isn't. Any method you put in place can be worked around. You can identify a previous user by:
IP address - which changes automatically, and can be changed manually with something like Tor
Cookie - which can be deleted easily, as you said above
Login details - which would require you to block commenting for non-registered users, and blocked users could register with new details anyway. You could require pre-approving accounts.
Note that this is a very difficult thing to do. Even the biggest sites struggle with this - StackOverflow included. Ultimately, it's a trade-off between making it easy for good users and difficult for unwanted users - you, as the site owner, have to decide where the optimal experience lies.
One other option is to pay for comments moderation with something like Mechanical Turk or Freelancer.com.
Obviously, 100% authentication is impossible; aside from anything else, someone could just go to an internet cafe or use a friend's computer. But you could try making a few changes to your site if you have a big problem with this:
You could make users sign up to post, and even go so far as to have new users' comments not show up until they are approved, either by yourself or other trusted users.
You could try hellbanning, which means you flag a user as hellbanned, they can still log in and post etc. but their comments only show up for them no one else.
You could try automatically scanning posts for certain offensive terms (or whatever is relevant in this case) and then automatically delete or hold them until approved manually.
Spam, intentional or otherwise, is a tricky problem, and anyone who completely solves it will likely become very rich.
One idea, often seen in phpBB like systems, is a role approach. You assign different abilities to guest or visitor users, from registered users, from trusted registered users. A basic scheme for it would be like this.
Guest
Requires CAPTCHA
Requires moderator approval
Registered users
Requires moderator approval
Trusted Registered Users
Can freely post comments
Your CMS affects the way this would be set up. The simplest (assuming it doesn't already support this) would be storing a few extra bits in the database indicating the role and checking that when posting.
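The role scheme from the answer above (guest / registered / trusted, each with its own CAPTCHA and approval requirements) expressed as a posting policy, together with the hellban from the earlier answer, where a flagged user's comments are stored normally but only ever returned to that user, as an added example that is not part of the original answers. Role values, table names and the `hellbanned` flag are assumptions; the database is in-memory SQLite.

```php
<?php
// Added example, not the original site's code. Role values, table names
// and the hellbanned flag are assumptions.

const ROLE_GUEST = 0;
const ROLE_REGISTERED = 1;
const ROLE_TRUSTED = 2;

// What a comment must pass before it becomes visible, per role.
function postingPolicy(int $role): array
{
    switch ($role) {
        case ROLE_TRUSTED:    return ['captcha' => false, 'approval' => false];
        case ROLE_REGISTERED: return ['captcha' => false, 'approval' => true];
        default:              return ['captcha' => true,  'approval' => true];
    }
}

// Stores the comment; approved starts at 0 unless the role posts freely.
// The policy is looked up server-side from the role, never from the form.
function submitComment(PDO $db, int $userId, int $role, string $body, bool $captchaPassed): int
{
    $policy = postingPolicy($role);
    if ($policy['captcha'] && !$captchaPassed) {
        throw new RuntimeException('CAPTCHA required');
    }
    $stmt = $db->prepare('INSERT INTO comments (user_id, body, approved) VALUES (:u, :b, :a)');
    $stmt->execute([':u' => $userId, ':b' => $body, ':a' => $policy['approval'] ? 0 : 1]);
    return (int) $db->lastInsertId();
}

// Comments a viewer may see: approved ones from non-hellbanned authors, plus
// everything the viewer wrote themselves. A hellbanned user therefore still
// sees their own posts and has no visible sign that anything changed.
function visibleComments(PDO $db, ?int $viewerId): array
{
    $stmt = $db->prepare(
        'SELECT c.id, u.name, c.body FROM comments c JOIN users u ON u.id = c.user_id
         WHERE (c.approved = 1 AND u.hellbanned = 0) OR c.user_id = :viewer
         ORDER BY c.id'
    );
    $stmt->execute([':viewer' => $viewerId ?? -1]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- demo with constructed data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role INTEGER, hellbanned INTEGER DEFAULT 0)');
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, user_id INTEGER, body TEXT, approved INTEGER)');
$db->exec("INSERT INTO users VALUES (1, 'visitor', 0, 0), (2, 'newbie', 1, 0), (3, 'veteran', 2, 0), (4, 'troll', 2, 1)");

submitComment($db, 3, ROLE_TRUSTED, 'Visible straight away', false);
submitComment($db, 2, ROLE_REGISTERED, 'Held for moderator approval', false);
submitComment($db, 4, ROLE_TRUSTED, 'Only the troll ever sees this', false);
try {
    submitComment($db, 1, ROLE_GUEST, 'Guest without a CAPTCHA', false);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
print_r(visibleComments($db, null));   // anonymous reader
print_r(visibleComments($db, 4));      // the hellbanned user's own view
```

The ghosted/hellbanned check has to live in the query that renders comments, not in the posting code, otherwise the flag is easy to leave unenforced on one page. Promotion from registered to trusted is an admin decision stored in `users.role`; it should never be derivable from anything the client sends.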
Just get the bastard's region with GeoIP functions and set some restrictions for this region (for example premoderation/captcha/etc).
Also you can use "protection" from other services, which is more powerful. For example: connect your site accounts with Facebook accounts and allow commenting only after getting a facebook_id. It's pretty easy to ban a user by facebook_id and hard+slow for the bastard to create accounts for every ban ;)
I have a classifieds website, where users must fill in a form to post a classified (of course).
I wonder, do you think I need some form of captcha on the form?
Also, I am working on a "register" page where users may get their own username/pass and login to post classifieds more easily.
Also, I have a mail-server setup...
So now, users may click on a classified and at the bottom fill in just three fields in a form (name, email, message) and send an email to the poster of the classified. No captcha there. Is this safe?
My firewall is set up so that it is preventing any outside access to the mail-server except from the website's IP.
Can I set up the firewall to some settings so that I don't need captcha?
I have my own Virtual Private Server btw, and it is running Ubuntu.
A follow-up Q is, if a spam-bot or whatever gets hold of my forms and fills a lot of them out, or uses my mail-server to send emails, what would happen then?
Would my site and mail-server get blacklisted? Is this reversible or do I have to create a new mail-server then?
Thanks
I go by the design principle of "least barrier to entry". You want people to use your site, so you want to make it as easy as possible for them. Anything at all -- including a captcha -- might turn them away. So my standard line would be to definitely not include a captcha anywhere until you've actually seen a problem with spam. And even then, see if the problem can be solved without a captcha first.
Regarding your question of "well what if a spam bot starts spamming". Simple solution to this is to pre-implement a rate limit. Make it so that someone at a given IP address cannot initiate the sending of an email more frequently than say once every minute. This will not actually cause a problem for real people, but will stop a spam bot in its tracks. You can even try to detect situations where you see a high rate and temporarily block that IP address for 24 hours. That will prevent even the once-a-minute spam.
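The per-address rate limit the answer describes, as an added example that is not part of the original answer: at most one send per minute from one address, and an address that keeps hammering the form gets blocked for 24 hours. The counter lives in a small table rather than in PHP memory so it works across worker processes. The thresholds (`BURST_LIMIT`, `BURST_WINDOW`) and the table name are assumptions; the clock is passed in so the script runs offline with a constructed timeline.

```php
<?php
// Added example, not the original site's code. Thresholds, table name and
// the constructed timeline are assumptions.

const MIN_INTERVAL = 60;        // seconds between sends from one address
const BURST_LIMIT = 5;          // rejected attempts within BURST_WINDOW ...
const BURST_WINDOW = 600;       // ... that trigger the long block
const BLOCK_DURATION = 86400;   // 24 hours

// Returns true when the send may go ahead, false when it is rate-limited.
function mayUseForm(PDO $db, string $ip, int $now): bool
{
    $stmt = $db->prepare('SELECT last_sent, rejected, window_start, blocked_until FROM form_rate WHERE ip = :ip');
    $stmt->execute([':ip' => $ip]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {   // first contact from this address
        $db->prepare('INSERT INTO form_rate (ip, last_sent, rejected, window_start, blocked_until) VALUES (:ip, :t, 0, :t, 0)')
           ->execute([':ip' => $ip, ':t' => $now]);
        return true;
    }
    if ((int) $row['blocked_until'] > $now) {
        return false;       // still inside the 24-hour block
    }
    if ($now - (int) $row['last_sent'] >= MIN_INTERVAL) {
        // Slow enough: allow it and reset the burst counter.
        $db->prepare('UPDATE form_rate SET last_sent = :t, rejected = 0, window_start = :t WHERE ip = :ip')
           ->execute([':t' => $now, ':ip' => $ip]);
        return true;
    }
    // Too soon: count the rejection and block the address if it keeps trying.
    $rejected = (int) $row['rejected'] + 1;
    $windowStart = (int) $row['window_start'];
    if ($now - $windowStart > BURST_WINDOW) {
        $rejected = 1;
        $windowStart = $now;
    }
    $blockedUntil = $rejected >= BURST_LIMIT ? $now + BLOCK_DURATION : 0;
    $db->prepare('UPDATE form_rate SET rejected = :r, window_start = :w, blocked_until = :b WHERE ip = :ip')
       ->execute([':r' => $rejected, ':w' => $windowStart, ':b' => $blockedUntil, ':ip' => $ip]);
    return false;
}

// --- demo with a constructed timeline ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE form_rate (ip TEXT PRIMARY KEY, last_sent INTEGER, rejected INTEGER, window_start INTEGER, blocked_until INTEGER)');

$t = 1700000000;                 // constructed clock
$ip = '203.0.113.7';             // documentation address, constructed
$log = [];
$log['first send']        = mayUseForm($db, $ip, $t);
$log['10s later']         = mayUseForm($db, $ip, $t + 10);
$log['70s later']         = mayUseForm($db, $ip, $t + 70);
for ($i = 0; $i < BURST_LIMIT; $i++) {          // hammering the form
    $log["burst $i"]      = mayUseForm($db, $ip, $t + 71 + $i);
}
$log['1h later']          = mayUseForm($db, $ip, $t + 3600);
$log['after the block']   = mayUseForm($db, $ip, $t + 100 + BLOCK_DURATION);
var_dump($log);
```

Use `$_SERVER['REMOTE_ADDR']` as the key; `X-Forwarded-For` is client-supplied and should only be trusted when your own reverse proxy sets it. Because the limit is per address, a shared NAT or a mobile carrier can put many legitimate people behind one key, which is why the first miss is a polite "try again in a minute" and only sustained abuse earns the day-long block.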
I can see two situations where you might be thinking of using Captchas.
Registration
Interaction/Contact Form
However, captcha does tend to upset and drive away users if overused.
So, in these instances:
Registration
The easiest way to stop, or at least inconvenience, anyone trying to create bulk accounts would be to use an email confirmation. So, the user fills out the form, including their email address. The form then sends them an email, which contains a link they must click to activate the account and allow them to login.
Interaction/Contact Form
There will be two kinds of people who will interact through this form. There will be registered, and logged-in users and there will be casual visitors. As Captcha is a method to test for whether a person is a person or not, any registered/logged-in users have already proven themselves, there is no need to use Captcha for them.
However, for casual, non-logged-in users, you can use the Captcha.
So, the short version, as you can tell, I hate Captcha, and only use it when absolutely necessary.
Captcha is mainly used for security purposes, to stop automation. For example, if you have a signup column, a geek can easily make 1000 users within minutes if he automates it, and you lose so much space. At the same time, if you use captcha, it's much safer and you can be sure that all the users are human and none are computer-generated usernames.
So if you take your website seriously, I would suggest going for captcha. But keep it simple like they have at Megaupload. I don't know which service that is, but still, it's simple.
Definitely YES.
Take a look at reCAPTCHA
You have a PHP plugin here
Can I set up the firewall to some settings so that I don't need captcha?
No. Captcha and firewall are totally different things and cannot be used as the alternative of each other.
A follow-up Q is, if a spam-bot or whatever gets hold of my forms and fills a lot of them out, or uses my mail-server to send emails, what would happen then?
One can write a script which will automate the registration process on your website. It can create many accounts on your server and/or can post some content which is not good for your website, or can use your website for some other person's ads.
Better try Sblam; it's transparent for the visitors, there is no need for user input, and it works well for me on numerous sites.
What is the best way to allow a member to delete their account if they wish to not be a member of our community? Should I simply have them click a delete button on the site? What other measures should I use?
There are a fair few good answers already, but I will add my bit here to be sure that the couple of points I want to raise are covered off (or opened to discussion).
User Actions Required to Terminate Account
As has been pointed out by other respondents, you want to make the process of terminating an account as easy, and yet as clear/safe as possible. Having a button in the Account/Profile Settings section of your site is the best place to have this function (as it tends to be there for almost all sites). And, when the user elects to terminate an account, be sure to have a confirmation message before completing that action (nothing worse than "accidentally" killing an account).
If you are interested in user retention, having an optional quick exit survey can give you a good insight into the reason why some users may be terminating their accounts, so incorporating this into the confirmation action may be useful.
Site Actions after Termination
A practice I have seen used in a few instances (and I quite like), is for an email to be generated to the User's email account when they terminate a user account.
It allows you to try and "save" the user, if retention is an issue, again, you can offer them a way of giving feedback regarding the site, and generally let them know that their contribution will be missed.
If you use the suggestion of flagging an account as "Inactive" (but retaining their data), you can advise them, in that email, the steps they can go through should they decide to return and want their old account back.
Handling of User Data after Termination
There are a few solutions here, dependent on the kind of site you are running, how much of the content is user-generated, the terms of your user agreement, etc.
General Recommendation
The simplest, easiest, and most mistake-friendly way to handle a user termination is to have a field in the user table which allows you to simply mark an account as Active/Inactive, and, when the user terminates their account, switch that to Inactive.
This allows you to recover the account, should they change their mind, run statistics on your retention rates, etc.
Sites with a lot of User-Generated Content
Simply deleting a user's account when they leave can cause you problems - links from comments/articles/other content which would normally be associated with a user will break. In these instances, and so long as the User Agreement allows for it, I would recommend that you flag their account as "Terminated"/"Inactive", so that some aspects of the account can be switched off, but still retain the details required to make the rest of the site operate OK.
Sites with User-Generated, but Private, Content
In this instance, if you are planning to delete the user's details from your databases/files, you will also have to have code which will remove anything associated with that account from wherever it may be - for instance, deleting any pictures that user uploaded, any comments, etc. they entered, etc. Anything which JOINs with the user table will need to be systematically erased.
Generally, sites make you jump through hurdles to close an account. It is frustrating for the end user.
What I would have, is a Close Account button somewhere, which takes you to a page that asks you to (optionally) leave a comment why you are closing the account. This will be helpful for you, so you know why people are feeling it necessary to close their account.
Then send them an email with a unique string, that they must click to close their account.
This prevents people who may have left their session logged in from having their account closed :).
For the technical side of things, you may want to simply DELETE in MySQL from all tables their relevant data, and clean up any file based data (such as uploaded images, user specific caches etc).
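The close-account flow the two answers above describe, as an added example that is not part of the original answers: the user asks to close the account (with an optional reason), a single-use link carrying a random token is e-mailed to them, and only following that link marks the account Inactive, so a forgotten logged-in session cannot close it. The account row is kept (links to the user's content keep working and the account can be restored), while private uploads are removed in the same transaction. The same issue-token-then-confirm pattern is what the registration answer earlier on the page calls an activation link. Table names and the one-hour validity are assumptions; the database is in-memory SQLite and sending the mail is simulated.

```php
<?php
// Added example, not the original site's code. Table names and the
// token lifetime are assumptions; mail sending is simulated.

const TOKEN_TTL = 3600;   // the e-mailed link is valid for one hour (assumed)

// Step 1: record the request and return the token that goes in the link.
function requestAccountClosure(PDO $db, int $userId, ?string $reason, int $now): string
{
    $token = bin2hex(random_bytes(32));   // 256 bits of randomness
    // Only a hash is stored: a copy of the table does not yield usable links.
    $stmt = $db->prepare('INSERT OR REPLACE INTO closure_tokens (user_id, token_hash, reason, expires) VALUES (:u, :h, :r, :e)');
    $stmt->execute([':u' => $userId, ':h' => hash('sha256', $token), ':r' => $reason, ':e' => $now + TOKEN_TTL]);
    return $token;   // real code: put it in a link and mail it, never display it
}

// Step 2: the user follows the link; mark Inactive and remove private data.
function confirmAccountClosure(PDO $db, string $token, int $now): bool
{
    $stmt = $db->prepare('SELECT user_id, expires FROM closure_tokens WHERE token_hash = :h');
    $stmt->execute([':h' => hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires'] < $now) {
        return false;   // unknown, already used, or expired
    }
    $uid = (int) $row['user_id'];
    $db->beginTransaction();
    try {
        $db->prepare('UPDATE users SET active = 0, closed_at = :t WHERE id = :u')->execute([':t' => $now, ':u' => $uid]);
        $db->prepare('DELETE FROM uploads WHERE user_id = :u')->execute([':u' => $uid]);      // private content
        $db->prepare('DELETE FROM closure_tokens WHERE user_id = :u')->execute([':u' => $uid]); // single use
        $db->commit();
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
    return true;
}

// The login path must honour the flag, otherwise "closed" means nothing.
function canLogin(PDO $db, int $userId): bool
{
    $stmt = $db->prepare('SELECT active FROM users WHERE id = :u');
    $stmt->execute([':u' => $userId]);
    return (int) $stmt->fetchColumn() === 1;
}

// Restoring a user who changed their mind is a one-column update.
function reactivateAccount(PDO $db, int $userId): void
{
    $db->prepare('UPDATE users SET active = 1, closed_at = NULL WHERE id = :u')->execute([':u' => $userId]);
}

// --- demo with constructed data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, active INTEGER DEFAULT 1, closed_at INTEGER)');
$db->exec('CREATE TABLE uploads (id INTEGER PRIMARY KEY, user_id INTEGER, path TEXT)');
$db->exec('CREATE TABLE closure_tokens (user_id INTEGER PRIMARY KEY, token_hash TEXT UNIQUE, reason TEXT, expires INTEGER)');
$db->exec("INSERT INTO users (id, name) VALUES (7, 'leaving_user')");
$db->exec("INSERT INTO uploads (user_id, path) VALUES (7, '/uploads/7/avatar.png')");

$now = 1700000000;   // constructed clock
$token = requestAccountClosure($db, 7, 'Too many e-mails', $now);
var_dump(confirmAccountClosure($db, 'not-the-token', $now));   // wrong link
var_dump(confirmAccountClosure($db, $token, $now + 60));       // the e-mailed link
var_dump(confirmAccountClosure($db, $token, $now + 120));      // link reused
var_dump(canLogin($db, 7));
reactivateAccount($db, 7);
var_dump(canLogin($db, 7));
```

Anything else that JOINs the user table (comments, articles) is left in place, which is the "Inactive but retained" option from the first answer; on a site whose content is private, the `DELETE FROM uploads` line grows into one statement per dependent table, all inside the same transaction so a half-finished deletion cannot leave the account in a state that is neither open nor closed.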
First of all, you should know if you want to keep their data (for some time at least) for if they want to recover the information.
If the answer is no (much simpler), then just add a PHP script that, when a button is pressed (in their profile), deletes the MySQL (or whatever) database...
EDIT:
Measures: They should go their accounts, go to configure settings (or similar) and then delete account, they should definitely have ONE warning page
This question is very broad and is more of a general business question (potentially) rather than programming specific question. Your options are limited only by your brain power. Really, you don't have to let people leave your community at all (probably a bad idea). What services does the user receive from being a member of your community? When they leave do these all cease? How does the user's information affect you? Could you still use it even after they have left?
These are questions that only you (and your manager) can answer. I agree that it is generally pretty frustrating to cancel some accounts. Many sites don't even give you the ability to cancel at all, but they may have a mailing exclusions list or some such.
My suggestion would be to have a flag for users in the DB. When a user quits, set the flag. Once you know that user is flagged, you can manipulate any data with respect to them in any way you see fit. Want to run a report on only active users? No problem! All inactive users are flagged. You keep their data for however long and use it as you wish, and if it was a mistake and they never wanted to leave, you take 5 seconds out of your busy day to unflag them.