Ban Evasion

Started by Tomás C., May 29, 2009, 08:28:28 AM

Tomás C.

Hi!

How do you deal with ban evasion?

When you ban a harmful user, he registers again with a new IP and tries to spam and attack your forum while you sleep?

This is messing with my moderators that spend lots of time dealing with this kind of user.

But what's the final solution for this? I think this is one of the most important features in SMF.

Let's go to solutions:

1) Banning through IP doesn't work.

2) MAC address is out of the question.

3) http://www.securiteam.com/unixfocus/5YP0315IUO.html

http://www.simplemachines.org/community/index.php?topic=301568.0

I don't really understand those solutions

4) By cookies? Isn't it possible?

5) This looks great: http://www.vbulletin.org/forum/showthread.php?t=121886

Using a global ignore (is there any mod for this?): http://www.simplemachines.org/community/index.php?topic=284796.new#new

Any mod for this ignore feature? Looks awesome.

Akyhne

Did you install any mods preventing bots from registering?

Tomás C.

Thanks for the answer!

But I'm not talking about bots, I'm talking about real people that spam, and real people that like to make problems.

So I ask everything again entirely :)

Akyhne

I don't know if there are any mods out there that will do some of the examples you are showing, but you could always ask for a mod like that.

Feature Requests: http://www.simplemachines.org/community/index.php?board=3.0
Mod requests: http://www.simplemachines.org/community/index.php?board=79.0

perplexed

What about using the Visual Warning Mod http://custom.simplemachines.org/mods/index.php?action=search;basic_search=visual+warning

Description
This mod allows you to give visual warnings to your users in four stages:
  1) First warning - instant message and a green warning mark next to user name.
  2) Post moderation - the user's posts must be approved before they are seen.
  3) Mute - instant message and the inability to post polls or messages.
  4) Ban - user is gone.

Akyhne

I don't think that would help if they then just create another user as tomasilva says.

Tomás C.

Quote from: Akyhne on May 30, 2009, 11:49:00 AM
I don't think that would help if they then just create another user as tomasilva says.

That's exactly the problem!

Like I said:
When you ban a harmful user, he registers again with a new IP and tries to spam and attack your forum while you sleep?

That's why I offered lots of solutions and asked for real help, because the "ban through IP" in the forum is a weak option.

perplexed

Put all new users in a group that can only post in one area of the board until they prove themselves not to be spammers?

Or upgrade to 2.0 RC1-1, where you can set all new users to post approval by a moderator by default.

Tomás C.

But RC 2.0 1-1 isn't 100% stable, right?

The approval method looks good, how can I do that in 1.1.8?

About that area to prove they are not spammers, they create a new user.

My only problem is most members that cause disturbance and register a new user over and over again.

Can we just control the members through IP?

Thanks!

perplexed

People can change their IP though.

Quote from: quiteperplexed on May 30, 2009, 11:44:44 AM
What about using the Visual Warning Mod http://custom.simplemachines.org/mods/index.php?action=search;basic_search=visual+warning

Description
This mod allows you to give visual warnings to your users in four stages:
  1) First warning - instant message and a green warning mark next to user name.
  2) Post moderation - the user's posts must be approved before they are seen.
  3) Mute - instant message and the inability to post polls or messages.
  4) Ban - user is gone.

Or putting all new members into a restrictive group where they can only post in one section that can only be seen by you is all I can think of right now.

Father Luke


Tomás C.

Thanks for the great answer guys!

The problem of global ignore is that the users will see that their posts don't appear in some time, right?

quiteperplexed, I think warnings are not a good answer for this.

Global ignore - http://www.simplemachines.org/community/index.php?topic=284796.0


3) http://www.securiteam.com/unixfocus/5YP0315IUO.html

http://www.simplemachines.org/community/index.php?topic=301568.0

I don't really understand those solutions, does anyone understand?

4) Isn't it possible to ban by cookies?

5) This looks great: http://www.vbulletin.org/forum/showthread.php?t=121886

Tomás C.


Arantor

There isn't a reliable automated way of preventing users who set out to maliciously post on your forum. As you've seen, banning on IP doesn't help.

Quote from: tomasilva on June 03, 2009, 06:12:09 PM
The problem of global ignore is that the users will see that their posts don't appear in some time, right?

Global Ignore does have the issue of there being a time lapse, but having a new-user posting area where users have to prove themselves first will help. The same thing would be achieved by having a board that isn't visible to regular users, only to those with 10 or less posts.

Quote from: tomasilva on June 03, 2009, 06:12:09 PM
3) http://www.securiteam.com/unixfocus/5YP0315IUO.html

The post from securiteam.com is mostly a warning on a security vulnerability where IP spoofing could be used. But it is somewhat old now, and almost certainly fixed.

Quote from: tomasilva on June 03, 2009, 06:12:09 PM
http://www.simplemachines.org/community/index.php?topic=301568.0

This is a solution that forces IP blocks to be banned by the webserver, without even getting as far as SMF. It's a solution for some cases - but not in this case.

Quote from: tomasilva on June 03, 2009, 06:12:09 PM
4) Isn't it possible to ban by cookies?

Not really. All the cookie stores is a link into one of the SMF tables, specifically the 'session' ID. Boot the user, the session ends. New user signs up, it creates a new cookie.

Quote from: tomasilva on June 03, 2009, 06:12:09 PM
5) This looks great: http://www.vbulletin.org/forum/showthread.php?t=121886

It would be possible to build some of that into a mod, but I really wouldn't suggest it would be advisable; each of the 'really irritating' factors (e.g. delaying the page load) is still consuming resources that would better be served doing other things.

Unfortunately there isn't really a good answer to this one; the general solution is to slow them down until they get bored and go away.

Father Luke

I like to run this about once a month:

http://forumspamscanner.com/download-and-install


- -
Okay,
Father Luke

Tomás C.

Arantor, thanks for the awesome answers!

"The same thing would be achieved by having a board that isn't visible to regular users, only to those with 10 or less posts."

The problem is that when users arrive at the forum they need to see almost the entire forum so they will like it!

"Not really. All the cookie stores is a link into one of the SMF tables, specifically the 'session' ID. Boot the user, the session ends. New user signs up, it creates a new cookie."

But if the user doesn't log out he will need to clean the cookies before accessing the forum, right? I think it's better than ban through IP, no one will remember to clean the cookies.

"This is a solution that forces IP blocks to be banned by the webserver, without even getting as far as SMF. It's a solution for some cases - but not in this case."

Why???

___

Thanks again, but it's a shame Simple Machines doesn't have another option to block the users  :-\

Arantor

Quote from: tomasilva on June 07, 2009, 08:36:28 AM
The problem is that when users arrive at the forum they need to see almost the entire forum so they will like it!

You can create board specific permissions - in Admin/Permissions, allow board specific permissions. Set it that on all normal boards (as the Global setup), Newbie (lowest post rank) can't post new entries. Set it that for the newbie board, they *can* post new posts. Once they hit 10 posts there, they will be bumped into the next group, which you can set for the other boards to allow.

Quote from: tomasilva on June 07, 2009, 08:36:28 AM
But if the user doesn't log out he will need to clean the cookies before accessing the forum, right? I think it's better than ban through IP, no one will remember to clean the cookies.

If the user doesn't log out, he will be logged out by SMF anyway after the 'time since last online' threshold passes (or the 'logged in for x time' window expires). A cookie won't change either of those facts directly; and whether the rogue user empties their own cookies or not, the only way to prevent them logging in is to ban by IP - as we established, you can't ban by cookie on any technical level.


Quote from: Arantor
This is a solution that forces IP blocks to be banned by the webserver, without even getting as far as SMF. It's a solution for some cases - but not in this case.

Quote from: tomasilva on June 07, 2009, 08:36:28 AM
Why???

If the user can evade an IP ban in the forum, they can evade an IP ban on the webserver. The difference is whether you ban the IP in the server or SMF - the result is you're still doing bans on IP addresses.

Quote from: tomasilva on June 07, 2009, 08:36:28 AM
Thanks again, but it's a shame Simple Machines doesn't have another option to block the users  :-\

Like what? What would you have SMF do? There is only so much information that gets sent by the browser, and all of that should be considered unreliable or forgeable.
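
A minimal model of the newbie-board setup described in the reply above (global profile, one board-specific override, promotion at 10 posts), added here as an illustration; it is not SMF code and not part of the thread. The group name "Member", the board names and every function name are assumptions.

```python
from dataclasses import dataclass

# Post-count groups as (minimum posts, group), highest threshold first.
# The 10-post threshold and the "Newbie" rank come from the reply above;
# "Member" and the board names are assumptions for this model.
POST_GROUPS = [(10, "Member"), (0, "Newbie")]

# Global profile: applies to every board that has no board-specific override.
GLOBAL_CAN_POST = {"Newbie": False, "Member": True}

# Board-specific override: the one board where newbies may post.
BOARD_OVERRIDES = {"newbie-board": {"Newbie": True, "Member": True}}


@dataclass
class Account:
    name: str
    posts: int = 0
    banned: bool = False


def group_for(account: Account) -> str:
    """Return the post-count group the account currently falls into."""
    return next(g for min_posts, g in POST_GROUPS if account.posts >= min_posts)


def can_post(account: Account, board: str) -> bool:
    """Board override wins over the global profile; a ban wins over both."""
    if account.banned:
        return False
    profile = BOARD_OVERRIDES.get(board, GLOBAL_CAN_POST)
    return profile.get(group_for(account), False)


def submit_post(account: Account, board: str) -> bool:
    """Count the post only if the permission check passes."""
    if not can_post(account, board):
        return False
    account.posts += 1
    return True


def reregistration_scenario() -> dict:
    """A banned member signs up again: the new account starts at zero posts."""
    fresh = Account("second-account")
    blocked = submit_post(fresh, "general")  # rejected: still in Newbie
    accepted = sum(submit_post(fresh, "newbie-board") for _ in range(10))
    return {"first_try_general": blocked, "newbie_posts": accepted,
            "group": group_for(fresh), "general_now": can_post(fresh, "general")}
```

Each fresh registration has to get ten posts through the newbie board, where moderators are watching, before it can reach the normal boards.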

Tomás C.

"he will be logged out by SMF anyway after the 'time since last online'"

But most users have an "always on" option, right?

And yes you are right, banning in the server is the same thing. Again thanks for the great answer.

What do you think about banning the proxy servers? Simple Machines normally registers a range of IPs, is this correct?

"Like what? What would you have SMF do? There is only so much information that gets sent by the browser, and all of that should be considered unreliable or forgeable."

Maybe... That's difficult, what does the browser send to Simple Machines?

Some betting websites and social networks, for example, use ieSnare to prevent fraud

http://www.redorbit.com/news/technology/497367/bodogcom_selects_iovation_iesnare_and_stops_fraud_ring_one_week/

What about a "flash cookie"? A Flash local shared object

"Flash cookies are immune to typical "delete cookie" commands in your web browser. What's more, ieSnare sneaks under the radar of most antispy software because Flash cookies are either ignored, or viewed as low-risk items." !!!!

Arantor

Quote from: tomasilva on June 07, 2009, 11:03:31 AM
But most users have an "always on" option, right?

Yes, but some of the tables still get pruned on occasion. At the end of it once they're banned, they're banned. That account is no longer usable unless it becomes unbanned - no matter what they do.

Quote from: tomasilva on June 07, 2009, 11:03:31 AM
What do you think about banning the proxy servers? Simple Machines normally registers a range of IPs, is this correct?

SMF, and that other solution discussed, work by restricting IP addresses. Proxies will get around this, as will Tor. It deters the basic forum troll, though. The hardened trolls can't be stopped through IP bans.

Quote from: tomasilva on June 07, 2009, 11:03:31 AM
Maybe... That's difficult, what does the browser send to Simple Machines?

The address it's requesting (URL), any cookies sent by the site, browser type.

Quote from: tomasilva on June 07, 2009, 11:03:31 AM
Some betting websites and social networks, for example, use ieSnare to prevent fraud

http://www.redorbit.com/news/technology/497367/bodogcom_selects_iovation_iesnare_and_stops_fraud_ring_one_week/

What about a "flash cookie"? A Flash local shared object

If there were a site that required me to use that, I'd not visit again. There are well documented vulnerabilities in Flash cookies - certainly there used to be, and I know that some sites are still vulnerable even now to them.

Quote from: tomasilva on June 07, 2009, 11:03:31 AM
"Flash cookies are immune to typical "delete cookie" commands in your web browser. What's more, ieSnare sneaks under the radar of most antispy software because Flash cookies are either ignored, or viewed as low-risk items." !!!!

That's true, they are immune. But that also gives a whole new idea to the ability to track users with Flash ads; you'd easily be able to track where a user went, and it would be harder for them to opt-out. I've found users will avoid Flash for anything unless they want something interactive and fun, generally.

Tomás C.

Never heard about Tor, I'm seeing their website right now!

But SMF doesn't have the option, in the member search, to search by a server, right? I think banning a lot of proxy servers can be a good solution.

"If there were a site that required me to use that, I'd not visit again. There are well documented vulnerabilities in Flash cookies - certainly there used to be, and I know that some sites are still vulnerable even now to them."

But isn't the Flash in a stealth way? I think using Flash cookies looks like the only solution to really ban a user, if that is possible to implement of course.
