
proxies

Posted: Tue Jun 06, 2006 11:02 pm
by s.dot
Is it possible to determine if a user is using a proxy.. and if so, not allow them access to register?

Posted: Tue Jun 06, 2006 11:07 pm
by feyd
Not reliably (only compliant proxies) .. and it's not a good idea: a lot of ISPs employ proxies.

Posted: Tue Jun 06, 2006 11:26 pm
by s.dot
So if someone registers, say, 20 accounts (which has happened lately.. even though I require a different email for each account, different usernames, and I have tokenized the register form to prevent fake forms from being processed), the only thing I can do is delete them and ban their IP?

Posted: Tue Jun 06, 2006 11:30 pm
by feyd
People and bots that do that often run through non-compliant proxies, so you'd have to do that anyways.

Posted: Tue Jun 06, 2006 11:39 pm
by s.dot
Sounds good... just extra work on my part I was hoping to avoid by checking for proxies. I was not aware of compliancy and ISPs using proxies, so it looks like I will not be able to do that.

Perhaps I can set up a few scripts to check for duplicate accounts with the same IP addresses, and then check their validity. Some may be valid (i.e. brother & sister registering from the same computer).. but a script would make it much easier.

Thanks feyd.

Posted: Wed Jun 07, 2006 2:56 am
by Maugrim_The_Reaper
Bear in mind IPs can be common across unrelated users on the same ISP...

Re: proxies

Posted: Wed Jun 07, 2006 9:20 am
by Roja
scottayy wrote: Is it possible to determine if a user is using a proxy.. and if so, not allow them access to register?
Bit of a trick answer: No, and let me tell you how. :)

There are users. Some use compliant proxies - which you can detect using getenv("HTTP_X_FORWARDED_FOR").

Some use non-compliant proxies, which you might be able to detect based on their browser signatures (see http://phpsniff.sourceforge.net).

Finally, some use open proxies, which are bad. You can thankfully detect those to some degree using the Blitzed Open Proxy Blacklist: http://wiki.blitzed.org/BOPM

However, none of that is reliable, and plenty of proxies don't meet any of those categories. As a result, no, you cannot detect a "proxy user". The above categories are the closest you can come.
scottayy wrote: Perhaps I can set up a few scripts to check for duplicate accounts with the same IP addresses, and then check their validity. Some may be valid (i.e. brother & sister registering from the same computer).. but a script would make it much easier.
This too is also fraught with inaccuracies. I've done a number of posts on why IP != user. Not at all, not close, not reliably, NO. Shared IPs on national ISPs are not uncommon. Whole 50,000+ user environments can come from one IP (large businesses in the US often use a single cluster for web proxying).

The list goes on. IPs are not at all, in any way, reliably related to users.
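
Added example, not part of any post in this thread: a PHP script that combines the X-Forwarded-For check with the duplicate-IP script idea, treating both as hints that queue a burst of sign-ups for manual review instead of banning by IP. The function names, thresholds and sample rows are constructed assumptions.

```php
<?php
// Constructed sample sign-ups: [username, REMOTE_ADDR, X-Forwarded-For value or null, unix time].
$signups = [
    ['brother', '198.51.100.7', null, 1000],
    ['sister', '198.51.100.7', null, 90000],              // same household, a day apart
    ['bot01', '203.0.113.9', '192.0.2.44', 5000],
    ['bot02', '203.0.113.9', '192.0.2.44, 10.1.1.1', 5030],
    ['bot03', '203.0.113.9', 'not-an-ip', 5055],
    ['bot04', '203.0.113.9', null, 5090],
];

// A compliant proxy declares itself in this header, but any client can set or omit it,
// so the result is a hint for the reviewer and never proof either way.
function proxyHint(?string $forwardedFor): string
{
    if ($forwardedFor === null || trim($forwardedFor) === '') {
        return 'no proxy declared';
    }
    $claimed = trim(explode(',', $forwardedFor)[0]); // first entry = claimed original client
    return filter_var($claimed, FILTER_VALIDATE_IP) !== false
        ? "proxy declared, claims client $claimed"
        : 'proxy header present but malformed';
}

// Flag an IP only when more than $max sign-ups fall inside one sliding window of $window seconds.
function burstsForReview(array $signups, int $max, int $window): array
{
    $byIp = [];
    foreach ($signups as [$user, $ip, $xff, $time]) {
        $byIp[$ip][] = ['user' => $user, 'time' => $time, 'hint' => proxyHint($xff)];
    }
    $flagged = [];
    foreach ($byIp as $ip => $rows) {
        usort($rows, fn($a, $b) => $a['time'] <=> $b['time']);
        $start = 0;
        foreach ($rows as $end => $row) {
            while ($row['time'] - $rows[$start]['time'] > $window) { $start++; }
            if ($end - $start + 1 > $max) {
                $flagged[$ip] = $rows; // whole group goes to a human, nothing is auto-banned
                break;
            }
        }
    }
    return $flagged;
}

foreach (burstsForReview($signups, 3, 600) as $ip => $rows) {
    foreach ($rows as $r) { echo "$ip {$r['user']} t={$r['time']} ({$r['hint']})\n"; }
}
```

The two household sign-ups a day apart stay below the threshold, while the four sign-ups inside ten minutes are listed together for review.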

Posted: Thu Jun 08, 2006 5:15 pm
by s.dot
So then how do I stop people from registering 1839182 accounts in a row? This has happened to me A LOT in the past few days and I am getting sick of deleting.

The only thing I can think of is an approval process... which I don't really want to do.
but meh =/

Posted: Thu Jun 08, 2006 10:13 pm
by Roja
scottayy wrote: The only thing I can think of is an approval process... which I don't really want to do.
Remove the incentives to being a user. Don't show their urls in the membership list, don't allow them to post without moderation for the first (3, 8, dozen?) posts, etc.

If automation is gaining them something, they will keep doing it.