Revision [10122]

This is an old revision of RegisterUserIpAddress made by JavaWoman on 2005-07-18 17:44:44.

 

Registering users' IP addresses

Part of this is installed as a beta feature on this server.

The beta security features on this server are installed to answer "does this actually work?" rather than as finished, copy-and-paste code: there is no point polishing code for a measure that turns out to be ineffective, and effectiveness can only really be judged on a live server. So these beta features are less polished than most betas are; the ones that prove effective will need more work before they are ready for release.
This is the development page for an anti-spam (and anti-abuse) feature that traces the IP addresses used by registered users, so that a spamming or abusive user can be banned by IP address when necessary.
 

Signup IP address


The first (and essential) part is to register the IP address used by someone when signing up for an account.

This requires not only a bit of code, but also an extension to the users database table.

users table


Currently there is only a minimal change to make this possible: a column called `ipaddress`, varchar(15) DEFAULT NULL, added at the end of the row. Note that 15 characters fit a dotted-quad IPv4 address and nothing more: an IPv6 address in text form needs up to 39 characters, or 45 with an embedded IPv4 address [1], so the column will have to be widened before the server sees IPv6 clients.

actions/usersettings.php


The UserSettings action is then adapted to fill this column for new registrations. The value comes from $_SERVER['REMOTE_ADDR'], which is the address of the TCP connection as the web server saw it: a visitor cannot forge it, but if the wiki runs behind a reverse proxy or load balancer it will be the proxy's address for every visitor, and any client address the proxy passes on in a header is only trustworthy when the proxy is your own.

Before:
    $this->Query("insert into ".$this->config["table_prefix"]."users set ".
        "signuptime = now(), ".
        "name = '".mysql_real_escape_string($name)."', ".
        "email = '".mysql_real_escape_string($email)."', ".
        "password = md5('".mysql_real_escape_string($_POST["password"])."')");


After (beta as installed):
    // ipaddress logging added by JsnX 20050621 (?) to help combat spam
    //      made secure by applying mysql_real_escape_string() - JavaWoman 2005-07-18
    $this->Query("insert into ".$this->config["table_prefix"]."users set ".
        "signuptime = now(), ".
        "name = '".mysql_real_escape_string($name)."', ".
        "email = '".mysql_real_escape_string($email)."', ".
        "ipaddress = '".mysql_real_escape_string($_SERVER['REMOTE_ADDR'])."', ".
        "password = md5('".mysql_real_escape_string($_POST["password"])."')");


actions/register.php


see also:
Since we already have a beta register action on this server, this now records the user's IP address the same way:

    // create user
    // ipaddress logging as added by JsnX 20050621 (?) to usersettings.php to help combat spam
    //      made secure by applying mysql_real_escape_string() - JavaWoman 2005-07-18
    $this->Query("insert into ".$this->config["table_prefix"]."users set ".
        "signuptime = now(), ".
        "name = '".mysql_real_escape_string($name)."', ".
        "email = '".mysql_real_escape_string($email)."', ".
        "ipaddress = '".mysql_real_escape_string($_SERVER['REMOTE_ADDR'])."', ".
        "password = md5('".mysql_real_escape_string($_POST['password'])."')");
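The following is an added example and not code from this page or from WikkaWiki: it records the signup address the way the two actions above do, but with the two checks a production version wants, a validated address and a parameterized query in place of mysql_real_escape_string(). Python's sqlite3 stands in for the PHP/MySQL code; the table and column names follow the page (users.ipaddress), while the function names, the widened column size and the sample requests are this example's own.

```python
"""Added example, not code from this page or from WikkaWiki: recording the
signup address with a validated REMOTE_ADDR and a parameterized insert.
sqlite3 stands in for MySQL; users.ipaddress follows the page, everything
else (function names, column width, sample data) is assumed here."""
import ipaddress
import sqlite3


def open_users_db():
    """In-memory users table. The column is widened from the page's
    varchar(15) so an IPv6 address in text form (up to 45 characters)
    is stored whole instead of being truncated."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "  name TEXT PRIMARY KEY,"
        "  email TEXT,"
        "  signuptime TEXT DEFAULT CURRENT_TIMESTAMP,"
        "  ipaddress VARCHAR(45) DEFAULT NULL)"
    )
    return conn


def client_ip(environ):
    """The validated peer address from REMOTE_ADDR, or None.

    REMOTE_ADDR is the address of the TCP connection as the web server saw
    it, so the visitor cannot forge it; behind a reverse proxy it is the
    proxy's address, and X-Forwarded-For should only be believed for a proxy
    you control (deliberately not handled here). Parsing with ipaddress
    rejects anything that is not a literal address and normalizes what is.
    """
    raw = environ.get("REMOTE_ADDR", "")
    try:
        return str(ipaddress.ip_address(raw))
    except ValueError:
        return None


def register_user(conn, name, email, environ):
    """Insert a new user together with the address they signed up from.

    Bound parameters replace mysql_real_escape_string(): the values never
    become part of the SQL text, so a quote in a name is stored as data.
    Returns the stored address (None when REMOTE_ADDR was unusable).
    """
    ip = client_ip(environ)
    conn.execute(
        "INSERT INTO users (name, email, ipaddress) VALUES (?, ?, ?)",
        (name, email, ip),
    )
    conn.commit()
    return ip


def signup_ip(conn, name):
    """Address recorded for a user (None if the user is unknown or unset)."""
    row = conn.execute(
        "SELECT ipaddress FROM users WHERE name = ?", (name,)
    ).fetchone()
    return row[0] if row else None


def user_count(conn):
    """Number of registered users (used to show no row was corrupted)."""
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    db = open_users_db()
    # Constructed requests: a normal signup, an IPv6 signup, a name with a
    # quote in it, and a REMOTE_ADDR value that is not an address at all.
    register_user(db, "alice", "alice@example.org", {"REMOTE_ADDR": "203.0.113.7"})
    register_user(db, "bob", "bob@example.org", {"REMOTE_ADDR": "2001:db8::1"})
    register_user(db, "o'brien", "ob@example.org", {"REMOTE_ADDR": "203.0.113.8"})
    register_user(db, "mallory", "m@example.org", {"REMOTE_ADDR": "1.2.3.4', name='admin"})
    for who in ("alice", "bob", "o'brien", "mallory"):
        print(who, signup_ip(db, who))
```

The unusable REMOTE_ADDR value is stored as NULL rather than as text, which is the right outcome for a column meant to be searched and compared later: a bad value is not evidence, and a NULL stands out when the records are reviewed.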



Effectiveness


By itself, this does little more than give us information to act on manually when the need arises.

Deleting a user vs. banning a user


There are two options for getting rid of a spamming or otherwise misbehaving registered user: deleting the user from the database (so he is no longer registered) and banning the user. Banning a user by name is also different from banning a user by IP address. Each has advantages and disadvantages depending on the circumstances:

Deleting a user

Banning a user by name

Banning a user by IP address


More information needed


Obviously, we need more information to decide what to do when we find someone spamming or misbehaving. Deleting a user (manually, for now) is an option, but it does not prevent the spammer from signing up again, and it makes no use of the IP address at all. To ban a user by IP address, on the other hand, we need to be sure the user is actually on a static IP address: for that we should record not just the address used when registering for an account, but also the address used when creating or editing a page and when adding a comment. Even a static address can be shared by other, innocent users behind the same proxy or NAT gateway, so the same records should also show who else has been seen from that address.


Todo


So the conclusion must be that to make use of the signup IP address to ban a user (without harming innocent users) a lot more information is needed.

Information


First, we need to store more information.

users table
pages table
comments table

Utilities


Then, given that information, we need the utilities to support decision-making and to actually delete/disable/ban a user - by name or by IP address.

to follow
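As an added example of what such a utility could look like (this is not code from the page or from WikkaWiki), the block below assumes the pages and comments tables have received an ipaddress column like the users table, pools every (user, address) observation from the three tables, and answers the two questions the sections above raise: has this user always come from one address, and who else has been seen from it? Python's sqlite3 stands in for MySQL, the sample rows are constructed, and the table layouts and function names are this example's own.

```python
"""Added example, not from this page or from WikkaWiki: pooling the IP
evidence from users, pages and comments to decide between banning by name
and banning by IP address. sqlite3 stands in for MySQL; the table layouts,
function names and sample rows are assumptions made for this example."""
import sqlite3

# Assumed layout: each table carries the address recorded at signup,
# page edit or comment respectively (the page's own "pages table" and
# "comments table" to-do items).
SCHEMA = """
CREATE TABLE users    (name TEXT PRIMARY KEY, ipaddress TEXT);
CREATE TABLE pages    (tag TEXT, user TEXT, time TEXT, ipaddress TEXT);
CREATE TABLE comments (page_tag TEXT, user TEXT, time TEXT, ipaddress TEXT);
"""

# Constructed sample data using documentation address ranges.
# spamuser always appears from 198.51.100.23, but so does bob (same proxy
# or NAT gateway); alice edits from two different addresses.
SAMPLE = {
    "users": [("spamuser", "198.51.100.23"), ("alice", "203.0.113.5"),
              ("bob", "198.51.100.23")],
    "pages": [("HomePage", "spamuser", "2005-07-18 10:00:00", "198.51.100.23"),
              ("SandBox", "spamuser", "2005-07-18 10:05:00", "198.51.100.23"),
              ("SandBox", "alice", "2005-07-17 09:00:00", "203.0.113.5"),
              ("HomePage", "alice", "2005-07-18 11:00:00", "203.0.113.9")],
    "comments": [("HomePage", "spamuser", "2005-07-18 10:01:00", "198.51.100.23"),
                 ("HomePage", "bob", "2005-07-18 12:00:00", "198.51.100.23")],
}

# Every (user, address) observation the wiki has, whichever table it is in.
OBSERVATIONS = """
SELECT name AS user, ipaddress, 'signup' AS source FROM users WHERE ipaddress IS NOT NULL
UNION ALL
SELECT user, ipaddress, 'edit' FROM pages WHERE ipaddress IS NOT NULL
UNION ALL
SELECT user, ipaddress, 'comment' FROM comments WHERE ipaddress IS NOT NULL
"""


def load_sample():
    """In-memory database filled with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE["users"])
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?, ?)", SAMPLE["pages"])
    conn.executemany("INSERT INTO comments VALUES (?, ?, ?, ?)", SAMPLE["comments"])
    return conn


def ip_history(conn, user):
    """Distinct addresses a user has been seen from, as (ip, count), most used first."""
    return conn.execute(
        f"SELECT ipaddress, COUNT(*) FROM ({OBSERVATIONS}) WHERE user = ? "
        "GROUP BY ipaddress ORDER BY COUNT(*) DESC, ipaddress",
        (user,),
    ).fetchall()


def others_on_ip(conn, ip, user):
    """Other accounts seen from the same address: the collateral damage of an IP ban."""
    rows = conn.execute(
        f"SELECT DISTINCT user FROM ({OBSERVATIONS}) "
        "WHERE ipaddress = ? AND user <> ? ORDER BY user",
        (ip, user),
    ).fetchall()
    return [r[0] for r in rows]


def assess_ip_ban(conn, user):
    """Would banning this user by IP address be effective and safe?

    effective: every observation came from a single address (static, as far
               as the records can tell)
    safe:      nobody else has been seen from that address
    Anything else falls back to banning by name.
    """
    history = ip_history(conn, user)
    ips = [ip for ip, _ in history]
    collateral = {ip: others_on_ip(conn, ip, user) for ip in ips}
    stable = len(ips) == 1
    safe = all(not hit for hit in collateral.values())
    if not ips:
        verdict = "no evidence"
    elif stable and safe:
        verdict = "ban by ip"
    elif stable:
        verdict = "ban by name (ip shared)"
    else:
        verdict = "ban by name (ip not static)"
    return {"ips": ips, "stable": stable, "collateral": collateral, "verdict": verdict}


if __name__ == "__main__":
    db = load_sample()
    for who in ("spamuser", "alice", "bob", "nobody"):
        print(who, assess_ip_ban(db, who))
```

In the sample data the spammer is on a single address, so an IP ban would be effective, but bob has been seen from the same address, so the utility recommends banning by name instead; alice is refused an IP ban because her edits come from two addresses. The real decision still belongs to a human, but the query gives it the evidence the section above says is missing.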



References


[1] IPv6 Address Formats


CategoryDevelopmentAntiSpam