Registering users' IP addresses

Part of this is installed as a beta feature on this server.

The beta security and antispam features implemented on this server are usually intended more as "let's see if this is effective" experiments than as ready-to-release features with ready-to-copy code. There is no need to polish code for something that turns out not to be effective as a security measure, after all, and effectiveness can only really be tested on a "live" server.
So don't expect these beta features to be as "polished" as most beta features are: if they prove effective, they usually require more work to make them ready for release.

This is the development page for an anti-spam (and anti-abuse) feature that traces the IP addresses used by (registered) users. The aim is to be able to ban spamming or abusive users by IP address if necessary.
 

Signup IP address


The first (and essential) part is to register the IP address used by someone when signing up for an account.

This requires not only a bit of code, but also an extension to the users database table.

users table


Currently there is only a minimal change to make this possible: the addition of a column called `ipaddress` as varchar(15) DEFAULT NULL at the end of the row.

actions/usersettings.php


The UserSettings action is then adapted to actually fill this column for new registrations.

Before:
    $this->Query("insert into ".$this->config["table_prefix"]."users set ".
        "signuptime = now(), ".
        "name = '".mysql_real_escape_string($name)."', ".
        "email = '".mysql_real_escape_string($email)."', ".
        "password = md5('".mysql_real_escape_string($_POST["password"])."')");


After (beta as installed):
    // ipaddress logging added by JsnX 20050621 (?) to help combat spam
    //      made secure by applying mysql_real_escape_string() - JavaWoman 2005-07-18
    $this->Query("insert into ".$this->config["table_prefix"]."users set ".
        "signuptime = now(), ".
        "name = '".mysql_real_escape_string($name)."', ".
        "email = '".mysql_real_escape_string($email)."', ".
        "ipaddress = '".mysql_real_escape_string($_SERVER['REMOTE_ADDR'])."', ".
        "password = md5('".mysql_real_escape_string($_POST["password"])."')");


actions/register.php


Since we already have a beta register action on this server, this now records the user's IP address the same way:

    // create user
    // ipaddress logging as added by JsnX 20050621 (?) to usersettings.php to help combat spam
    //      made secure by applying mysql_real_escape_string() - JavaWoman 2005-07-18
    $this->Query("insert into ".$this->config["table_prefix"]."users set ".
        "signuptime = now(), ".
        "name = '".mysql_real_escape_string($name)."', ".
        "email = '".mysql_real_escape_string($email)."', ".
        "ipaddress = '".mysql_real_escape_string($_SERVER['REMOTE_ADDR'])."', ".
        "password = md5('".mysql_real_escape_string($_POST['password'])."')");
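As an added example (not Wikka code), the same signup insert can be written with bound parameters instead of string escaping, validating the address and checking it against the 15-character column before storing it. The in-memory SQLite database, the helper names and the sample addresses are assumptions for illustration, and the password column is left out to keep the focus on the address.

```php
<?php
// Added example, not Wikka code. Column names follow this page; the in-memory
// SQLite database and the helper names are assumptions for illustration.
const IP_COLUMN_WIDTH = 15; // varchar(15), as described above

// Return the address in canonical text form, or null if it is not an IP.
function normalize_ip(string $raw): ?string
{
    if (filter_var($raw, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    return inet_ntop(inet_pton($raw));
}

// Insert a user with bound parameters; returns the address actually stored.
function register_user(PDO $db, string $name, string $email, string $remoteAddr): ?string
{
    $ip = normalize_ip($remoteAddr);
    if ($ip !== null && strlen($ip) > IP_COLUMN_WIDTH) {
        $ip = null; // would not fit: store NULL rather than a truncated address
    }
    $stmt = $db->prepare(
        'INSERT INTO users (signuptime, name, email, ipaddress)
         VALUES (CURRENT_TIMESTAMP, :name, :email, :ip)'
    );
    $stmt->execute([':name' => $name, ':email' => $email, ':ip' => $ip]);
    return $ip;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (signuptime TEXT, name TEXT, email TEXT,
           ipaddress VARCHAR(15) DEFAULT NULL)');

// Constructed sample values (documentation address ranges).
$samples = ['192.0.2.10', '2001:0DB8:0000:0000:0000:0000:0000:0001',
            '2001:db8:aaaa:bbbb:cccc:dddd:eeee:ffff', 'not-an-address'];
foreach ($samples as $i => $addr) {
    $stored = register_user($db, "TestUser$i", "user$i@example.org", $addr);
    printf("%-42s -> %s\n", $addr, $stored ?? 'NULL');
}
```

The second sample compresses to `2001:db8::1` and fits, while the third does not; a column of 45 characters holds any textual IPv4 or IPv6 address.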



Effectiveness


By itself, this cannot do very much yet except give us some information when needed to take manual measures.

Deleting a user vs. banning a user


In getting rid of a spamming or otherwise misbehaving registered user there are two possible options: deleting that user from the database (so he's no longer registered) and banning the user. There is also a difference between banning a user by name and banning a user by IP address. All have advantages and disadvantages depending on circumstances:

Deleting a user

Banning a user by name

Banning a user by IP address


More information needed


Obviously, we'll need more information to be able to decide what to do when we find someone is spamming or misbehaving. While (manually for now) deleting a user is an option, it doesn't prevent a spammer from signing up again, and it doesn't make use of the IP address at all. For banning a user by IP address, though, we need to be sure the user is actually using a static IP address: for that, we should record not just the IP address used when registering for an account, but also the address used when creating or editing a page and when adding a comment.


Todo


So the conclusion must be that to make use of the signup IP address to ban a user (without harming innocent users) a lot more information is needed.

Information


First, we need to store more information.

users table

pages table

comments table

Utilities


Then, given the information about which IP address is used for which activity, we need the utilities to support decision-making and to act on that decision. So two types of utilities will be needed:
  1. Utilities to gather and review data about user activity (signup, creating and editing pages, adding comments) and the IP addresses involved in each. When considering banning by IP address it will be necessary to look not only at the activities of a registered user, but also at all activity related to the "suspect" IP address (some of which may be by unregistered users).
  2. Utilities to implement a decision to delete, disable or ban a user, either by name or by IP address. Banning by IP address should be possible either via the .htaccess file or (if this is not supported) via the application itself.

Obviously, a lot still needs to be done in this respect.
preliminary specifications to follow
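A sketch of the first kind of utility, as an added example that is not Wikka code: given logged actions with their IP addresses, it reports whether a user has been seen on a single address and who else has been active from the addresses involved. The record layout, the user names and the addresses are constructed assumptions.

```php
<?php
// Added example, not Wikka code. Each constructed record is one logged action;
// 'user' is null for an unregistered visitor. Field names are assumptions.
$log = [
    ['user' => 'AliceW', 'action' => 'signup',  'ip' => '192.0.2.10'],
    ['user' => 'AliceW', 'action' => 'edit',    'ip' => '192.0.2.10'],
    ['user' => null,     'action' => 'comment', 'ip' => '192.0.2.10'],
    ['user' => 'BobK',   'action' => 'signup',  'ip' => '198.51.100.7'],
    ['user' => 'BobK',   'action' => 'edit',    'ip' => '203.0.113.44'],
    ['user' => 'BobK',   'action' => 'comment', 'ip' => '203.0.113.90'],
    ['user' => 'CarolM', 'action' => 'edit',    'ip' => '198.51.100.7'],
    ['user' => 'DaveS',  'action' => 'signup',  'ip' => '198.51.100.200'],
    ['user' => 'DaveS',  'action' => 'comment', 'ip' => '198.51.100.200'],
];

// Summarise one user's addresses and everyone else seen on those addresses.
function assess_user(array $log, string $user): array
{
    $ips = [];      // address => number of actions by this user
    foreach ($log as $e) {
        if ($e['user'] === $user) {
            $ips[$e['ip']] = ($ips[$e['ip']] ?? 0) + 1;
        }
    }
    $shared = [];   // address => other actors seen on it
    foreach ($log as $e) {
        if (isset($ips[$e['ip']]) && $e['user'] !== $user) {
            $shared[$e['ip']][] = $e['user'] ?? '(unregistered)';
        }
    }
    $static = count($ips) === 1;
    return [
        'ips'    => array_keys($ips),
        'static' => $static,
        'shared' => $shared,
        // An IP ban is only worth considering for one unshared address.
        'option' => ($static && !$shared) ? 'ban by IP address possible'
                                          : 'ban by name or delete',
    ];
}

foreach (['AliceW', 'BobK', 'CarolM', 'DaveS'] as $user) {
    $r = assess_user($log, $user);
    printf("%-7s ips=%d static=%s shared=%s -> %s\n", $user, count($r['ips']),
        $r['static'] ? 'yes' : 'no', json_encode($r['shared']), $r['option']);
}
```

Only DaveS, seen on one address that nobody else used, comes out as a possible IP ban; a handful of actions is weak evidence of a static address, so the result is input for a manual decision rather than a verdict.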


Only today, three spam comments were added (to two pages); all three had identical content and two were made within minutes of each other - suggesting they were made by the same spammer - but all three had different origin addresses, making it quite likely the spammer was using trojaned machines (and possibly a script). All three origin addresses were listed in one or more blacklists. This is a typical case where banning by IP address would not be effective at all while carrying the risk of hurting innocent users who are not spamming at all. --JW 2005-07-19




CategoryDevelopmentAntiSpam