What are some good ways to prevent malicious proxy users from accessing your site?
This question has been bugging me for some time. I always picture launching my site, and some dirt bag coming on and uploading porno or spamming profanity. So I decide I don't want him using my site, I ban his account and ban his ip in my cpanel, but what if he is using a proxy and just keeps making new accounts to harass me? What can I possibly do to prevent this horrible outcome?
Well, if it's not problematic for normal users, you could block IPs/IP ranges which are known proxies. However, if any of your regular customers are behind one of those proxies, this won't work.
In general, however, unless you require registration with some form of hard-to-duplicate linked information (such as a validated phone number, credit card number, et cetera), it's going to be hard to prevent proxying from a determined user.
You can't really. You could set a cookie which defines him as malicious user, but it's trivial to remove such cookies.
The question is, what does it require for one to upload files on your site? Make people register, have them enter a valid email address. Send a verification to the email address before activating the account. If someone behaves inappropriately, then ban his email address. This way the person always needs a new working email address for registering.
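The register / verify / ban-by-address flow from this answer, as an added example that is not code from the answer's author. It uses in-memory dictionaries in place of the site's database, and it goes one step beyond the answer by canonicalizing addresses (case-folding and dropping a "+tag" suffix) so that a banned mailbox cannot re-register under a cosmetic variant; whether "+" tags really reach the same mailbox depends on the mail provider, so that normalization is an assumption.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

VERIFY_TOKEN_BYTES = 32  # entropy of the emailed verification token


def normalize_email(address: str) -> str:
    """Canonicalize an address so a banned user cannot re-register with a
    trivially different spelling of the same mailbox. Generalization of the
    answer's 'ban his email address': case-fold, drop a '+tag' local-part suffix.
    (Assumption: the provider treats '+tag' variants as one mailbox.)"""
    local, _, domain = address.strip().lower().rpartition("@")
    if not local or not domain:
        raise ValueError("invalid email address")
    local = local.split("+", 1)[0]
    return f"{local}@{domain}"


@dataclass
class Registry:
    """Constructed in-memory stand-in for the site's user tables."""
    banned: set = field(default_factory=set)     # normalized banned addresses
    pending: dict = field(default_factory=dict)  # normalized email -> token
    active: set = field(default_factory=set)     # verified accounts

    def register(self, email: str) -> Optional[str]:
        """Start registration. Returns the verification token the site would
        e-mail, or None when the address is banned. Nothing is activated here."""
        key = normalize_email(email)
        if key in self.banned:
            return None
        token = secrets.token_urlsafe(VERIFY_TOKEN_BYTES)
        self.pending[key] = token
        return token

    def verify(self, email: str, token: str) -> bool:
        """Activate the account only if the presented token matches the issued one.
        compare_digest keeps the comparison constant-time."""
        key = normalize_email(email)
        expected = self.pending.get(key)
        if expected is None or not hmac.compare_digest(expected, token):
            return False
        del self.pending[key]
        self.active.add(key)
        return True

    def ban(self, email: str) -> None:
        """Remove the account and refuse future registrations from any
        spelling of the same address."""
        key = normalize_email(email)
        self.active.discard(key)
        self.pending.pop(key, None)
        self.banned.add(key)


if __name__ == "__main__":
    reg = Registry()
    tok = reg.register("Spammer+promo@Example.com")
    print("verified:", reg.verify("spammer@example.com", tok))
    reg.ban("SPAMMER@example.com")
    print("re-register after ban:", reg.register("spammer+again@example.com"))
```

Pending tokens should also expire after a short window in a real deployment; that bookkeeping is left out here.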
Hi,
Just rephrasing what "Cosmin Prund" said. Put up an option in your site, where a User can mark any content as inappropriate, and for accountability, put up some easy way of specifying the reason why the content is inappropriate (a simple drop box with various options will do). Now, if your users really like your site, they would mark all the porno and spam content. All you need to do is simply delete the marked content after a quick review. You can also make a policy wherein, if the content posted by a user has been marked as inappropriate in, say 100 different instances, block that account. Keep the unblocking part at your discretion.
It's just like the "Spam" button provided by email service providers to identify spam messages.
Hope this helps :)
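The report-and-review policy from this answer in working form, as an added example that is not code from the answer's author. Reports carry a reason from a drop-down, each reporter counts once per post so a single user cannot hide content by clicking repeatedly, a post is hidden for review once enough distinct reporters flag it, and an author whose posts are upheld as inappropriate enough times is blocked. The thresholds, reason list and the in-memory store are constructed for the example (the answer suggests 100 upheld instances; a smaller number is used so the example runs quickly).

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Options in the report drop-down (constructed list).
REASONS = {"spam", "pornography", "profanity", "other"}
# Distinct reporters needed before a post is hidden pending review (assumed value).
HIDE_THRESHOLD = 3
# Upheld reports before the author is blocked (assumed value; the answer suggests 100).
BLOCK_THRESHOLD = 5


@dataclass
class Moderation:
    """Constructed in-memory stand-in for the site's moderation tables."""
    authors: dict = field(default_factory=dict)                           # post -> author
    reports: dict = field(default_factory=lambda: defaultdict(dict))      # post -> {reporter: reason}
    hidden: set = field(default_factory=set)                              # posts awaiting review
    deleted: set = field(default_factory=set)
    upheld: dict = field(default_factory=lambda: defaultdict(int))        # author -> upheld count
    blocked: set = field(default_factory=set)

    def report(self, post_id: str, reporter: str, reason: str) -> str:
        """Record one report. Returns the post's state after the report."""
        if reason not in REASONS:
            raise ValueError(f"unknown reason: {reason}")
        if reporter == self.authors[post_id]:
            return "ignored"  # self-reports carry no weight
        if post_id in self.deleted:
            return "deleted"
        self.reports[post_id][reporter] = reason  # one vote per reporter per post
        if len(self.reports[post_id]) >= HIDE_THRESHOLD:
            self.hidden.add(post_id)
            return "hidden"
        return "visible"

    def report_summary(self, post_id: str) -> dict:
        """Reason tally shown to the moderator during the quick review."""
        tally = defaultdict(int)
        for reason in self.reports.get(post_id, {}).values():
            tally[reason] += 1
        return dict(tally)

    def review(self, post_id: str, uphold: bool) -> bool:
        """Moderator decision. Upholding deletes the post and counts against its
        author; rejecting restores it. Returns whether the author is now blocked."""
        author = self.authors[post_id]
        self.hidden.discard(post_id)
        self.reports.pop(post_id, None)
        if uphold:
            self.deleted.add(post_id)
            self.upheld[author] += 1
            if self.upheld[author] >= BLOCK_THRESHOLD:
                self.blocked.add(author)
        return author in self.blocked


if __name__ == "__main__":
    mod = Moderation()
    mod.authors["p1"] = "troll"
    for who in ("alice", "bob", "carol"):
        print(mod.report("p1", who, "spam"))
    print(mod.report_summary("p1"), "blocked:", mod.review("p1", True))
```

Unblocking is deliberately absent: the answer leaves that to the operator's discretion, so it would be a manual edit of the blocked set.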
If this is really a big problem for you, you could do some sort of UUID based security with the help of the User Agent and other client sent variables.
I have seen a recent POC (can't remember the address), saying that with javascript browser detection and php user sent variables, you can create a UUID to identify your users.
EDIT: Found it, the script is called Panopticlick, it does a fingerprint identification of the user based on plugins available, fonts available, user agent, time zone, and screen size. In their own words:
Your browser fingerprint appears to be unique among the 777,809 tested so far.
Currently, we estimate that your browser has a fingerprint that conveys at least 19.57 bits of identifying information.
Of course this is not totally secure, as the user can easily spoof this information, but you can use it to create a gray list, so that if a user matches the UUID of your banned IP, you present him with a login screen, or a captcha, or any sort of added security you need.
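A server-side gray list combining the two identification ideas on this page, the known-proxy IP ranges from the first answer and the client-attribute fingerprint from this one, as an added example that is not code from either answer's author. The fingerprint is a hash over a fixed list of client-sent fields; the proxy ranges are placeholder networks from RFC 5737 documentation space standing in for a real feed; and the decision logic follows the answer's point: only an exact banned-IP hit refuses the request, while a fingerprint match or a proxy source only raises a challenge, because fingerprints collide between similar machines and proxies carry legitimate users. The field list and the `decide` policy are this example's own assumptions.

```python
import hashlib
import ipaddress
import json

# Constructed stand-in for a maintained open-proxy list (RFC 5737 documentation ranges).
KNOWN_PROXY_RANGES = [
    ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")
]

# Client-reported attributes, hashed in a fixed order so the id is stable (assumed list).
FINGERPRINT_FIELDS = (
    "user_agent", "accept_language", "timezone", "screen", "plugins", "fonts",
)


def fingerprint(client: dict) -> str:
    """Collapse the client-sent attributes into one identifier (the answer's 'UUID').
    Missing fields hash as empty strings so a partial report still yields an id."""
    canonical = json.dumps([client.get(f, "") for f in FINGERPRINT_FIELDS])
    return hashlib.sha256(canonical.encode()).hexdigest()


def is_known_proxy(ip: str) -> bool:
    """True when the source address falls inside a listed proxy range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_PROXY_RANGES)


def decide(client: dict, ip: str, banned_ips: set, banned_fingerprints: set) -> str:
    """Return 'block', 'challenge' or 'allow'.

    Block only on an exact banned-IP hit. A fingerprint that matches a banned
    account, or a known-proxy source, is gray-listed: send the client to a
    login or captcha rather than refusing, since either signal alone is weak."""
    if ip in banned_ips:
        return "block"
    if fingerprint(client) in banned_fingerprints or is_known_proxy(ip):
        return "challenge"
    return "allow"


if __name__ == "__main__":
    # Constructed client report, as a fingerprinting script might post it.
    client = {
        "user_agent": "Mozilla/5.0 (example)", "accept_language": "en-US",
        "timezone": "-300", "screen": "1920x1080",
        "plugins": "flash,java", "fonts": "Arial,Verdana",
    }
    banned_fp = {fingerprint(client)}
    print(decide(client, "192.0.2.10", {"192.0.2.10"}, banned_fp))   # block
    print(decide(client, "192.0.2.11", set(), banned_fp))            # challenge
    print(decide(dict(client, user_agent="other"), "192.0.2.11", set(), banned_fp))  # allow
```

The last call in the usage section shows the caveat from the answer: changing a single reported attribute changes the whole hash, so a spoofed client drops back to "allow". That is why the match is only good enough for a gray list and a captcha, not for an outright ban.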
It sometimes helps to look at other applications that might have the same problem and see how they fixed it. Those other applications might be:
- Forum web sites
- eMail applications
- Blogs
- StackOverflow
... and now you'd notice a pattern, the stuff you want to avoid has a name: "Spam", and the people doing it are called "Spammers". How are those people handled on the sites that are exposed to such problems? I kind of like StackOverflow's bag of tricks.