阻止用户启动多个帐户?
我知道,最终,这是不可能的。
哪些选择:
但是,有 a) 限制人们创建多个帐户的选项,
多个帐户/人员的机会
b) 增加检测类似博客网络服务的 ?
(人们可以注册自己的博客)
更新:
我认为“限制选择”已经得到了很好的回答。 (没有可靠的方法,但我们可以提高标准)
但是,我仍然想知道还有哪些其他选项可以检测多个帐户?
I know that in the end it, can't be done.
But, what are the options to:
a) limit the options for persons to create multiple accounts,
b) increase the chance of detecting multiple accounts / person
for a blog-like web service?
(people can sign up for their own blog)
Update:
I think the 'limit the options' has been answered nicely. (there is no reliable method, but we can raise the bar)
However, I would still like to know what other options there are to detect multiple accounts?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(10)
我假设您正在谈论免费服务? 我想不出任何方法既没有严重的缺点,又很容易被击败。 像设置cookie、需要唯一的电子邮件地址这样的事情很容易被破解。
要求唯一的 IP 地址并非万无一失,但可能在某种程度上有效,直到您拥有大量用户并收到代理背后的人的投诉。
最好的方法是收费或要求人们提供某种个人信息,例如您验证的真实姓名/电话/地址,或抄送号码,但这是侵入性的(话又说回来,也许您只想要愿意提供信息的严肃用户)这类信息)。
我想我会反过来问“为什么你不想让人们拥有多个帐户?”
可能还有其他一些方法可以缓解您的根本原因,即,如果您担心大量孤立的博客,您可以扫描一段时间的不活动状态并禁用它们,或者至少安排它们由人工查看。 如果您担心垃圾博客,您可以定期扫描所有博客内容以查找垃圾内容。 如果您担心机器人程序并且正在使用一些通用软件(例如 WordPress),请更改表单变量的名称,并以其他方式保护您的表单免受机器人程序的侵害。
一定要考虑其他方法来处理这个问题,因为如果它是像 Blogger 这样的典型免费服务,你将无法阻止人们注册多个帐户。
至于检测一个人的多个帐户,您需要做的第一件事是有一个日志文件存储每个用户登录的完整数据(用户名、时间戳、IP、用户代理等),以便您稍后进行分析。 我将列出一些需要注意的事项,但只需仔细研究日志文件,您可能会发现其他模式。 需要注意的一些想法是:
如果您担心垃圾邮件博客,您可以尝试对博客内容进行一些分析,即提取所有 < code> 并查找博客之间的相关性。 您可以通过 SpamAssassin 之类的工具运行博客内容本身,或者以其他方式过滤垃圾邮件单词,例如“伟哥”和“劳力士”。
I'm assuming you're talking about a free service? I can't think of any ways that don't either have serious drawbacks or would be trivial to defeat. Things like setting a cookie, requiring a unique e-mail address are easy to defeat.
Requiring a unique IP address is not foolproof but might work to some degree, up to the point that you have lots of users and get complaints from people behind proxies.
The best ways are to charge money or require people provide some kind of personal information, like real name/phone/address that you verify, or a CC number, but that's invasive (then again maybe you only want serious users who are willing to provide this sort of info).
I guess I would turn the question around and ask "Why don't you want to let people have multiple accounts?"
There may be some other ways of mitigating whatever your underlying reason is, i.e. if you're worried about lots of orphaned blogs you could scan for a period of inactivity and disable them or at least schedule them to be looked at by a human. If you're worried about spam blogs you could periodically scan all blog content for spammy stuff. If you're worried about bots and are using some generic software like WordPress, change the names of the form variables and otherwise protect your forms from bots.
Definitely think of other ways of dealing with the problem, because you are not going to be able to block people from registering multiple accounts if it's a typical free service like Blogger.
As for detecting multiple accounts by one person, the first thing you need to do is have a log file store complete data on every user login (username, timestamp, IP, user-agent etc.), that you can then analyze later. I'll list a few things to look out for, but just by poring over the log file you will likely discover other patterns. Some ideas of things to look for are:
If you're worried about spam blogs, you could try doing some analysis of blog content, i.e. extract all the
<a href>s and look for correlations between blogs. You could run the blog content itself though something like SpamAssassin or otherwise filter for spammy words like "viagra" and "rolex."我认为最好的方法是消除创建多个帐户的激励措施。
你们是否以任何方式限制用户? 通过创建多个帐户可以(轻松)克服这些限制吗? 如果是这样,那么也许您应该考虑取消这些限制。
I think the best method would be to remove the incentives for creating multiple accounts.
Do you limit the users in any way? Can those limits be overcome (easily) by creating multiple accounts? If so, then maybe you should think about removing those limits.
您可以在创建帐户之前向用户发送短信进行验证。 由于人们无法像获取电子邮件地址那样轻松地获取手机号码,因此这可能会起作用。 有些人可能可以获得两个或三个帐户,但数量不是无限的。 有许多服务可让您以编程方式发送 SMS 消息,包括 Gizmo SMS、Text4Free 和 TxtDrop。
当然,这需要用户拥有手机,并且愿意向你提供号码。
You could send users a SMS message to verify before creating the account. Since people can't get cell phone numbers as easily as they can get email addresses, this might work. Some people might be able to get two or three accounts, but not an unlimited number. There are a number of services that let you send SMS messages programmaticly, including Gizmo SMS, Text4Free and TxtDrop.
Of course, this requires users to have cell phones, and be willing to provide you with the number.
您可以设置跨浏览器 cookie,例如 http://samy.pl/evercookie/(flash cookie)
浏览器 cookie 删除无法删除它们,它们将永远保留 4,您可以跨浏览器读取 cookie。 如果用户使用同一台计算机,这是最终的解决方案。
对于 1 台以上的计算机,IP 地址是您查找的唯一方法,但(就我而言)有时 2 个真实的人在同一所房子里用 2 台计算机登录 2 我的网站
You can set a cross browser cookie e.g. http://samy.pl/evercookie/ (flash cookies)
The can not be deleted by the browser cookie deletetion they stay 4 ever and you can read the cookie cross browsers. Its the ultimate solution if the user uses the same computer.
With more than 1 computer the IP address is your only way to find out, but (in my case) sometimes 2 real people in the same house with 2 computers login 2 my website
要求用户使用信用卡注册。 您无需向该卡收取任何费用,只需检查该卡是否有效即可。
Ask users to register with a credit card. You don't have to charge anything to the card, you can just check that the card is valid.
你不能也不应该。 你不是在和现实世界的人打交道,而是在和账户打交道,所以把他们当作抽象的实体,拥有平等的生存权。
我可以即时想象一些选项:
-- 电子邮件地址只有一个帐户。 但我可以创建多于一封电子邮件...或使用 Mailinator。
——验证过程漫长而繁琐。 但这会阻止用户注册
——将 IP 绑定到帐户并阻止(暂时?)该 IP 创建另一个帐户。 但是具有相同网关的两个不同用户将被阻止...
-- 使用cookie。 但用户可以删除它们。
You can't and you shouldn't. You are not dealing with the real world guys, but with accounts, so treat them as abstract entities which have the equal rights to live.
Some options I can imagine on the fly:
-- Only one account for email address. But I can create more then one email... or use Mailinator.
-- Long and tedious verification procedure. But that will discourage the users from registration
-- bind the IP to the account and block(temporarily?) that IP from creation of another account. But two different users with the same gateway will be blocked...
-- Use the cookies. But the user can delete them.
我在现实生活中见过的最难破解的方法是使用单独的硬件介质进行确认(通过短信发送确认码以获取公共服务,或邮寄 RSA 令牌以获取更敏感的内容,例如内联网访问),或者要求提供与财务相关的身份证明,例如银行帐号(Paypal 向您的帐户存入几美分,金额总和就是您的密码)或有效的信用卡号。
The most difficult to break methods I've seen implemented in real life are to use a separate hardware medium for confirmation (sending a confirmation code via SMS for a public service, or mailing an RSA token for something more sensitive, like intranet access), or to ask for a financially-bound piece of identification, for example a bank account number (Paypal deposits a few cents to your account and the sum of the amounts is your passcode) or a valid credit card number.
我认为另一个方向是让“大男孩”去做。
http://oauth.net/
将网站的身份验证工作转移给知名的第三方(例如 Google 或 Facebook)。 它不会防止重复帐户,但很高兴想到最新的垃圾邮件防护和其他功能会自动为您实现。
I think an alternative direction to take with this is to let the "big boys" do it.
http://oauth.net/
Offload the authentication of your site to a well-known 3rd party like Google or Facebook. It won't prevent duplicate accounts, but it's nice to think that the latest in spam prevention and whatnot is automatically implemented for you.
一种常见的选择是通过电子邮件验证此人的身份。 实际上让他们回复发送到他们帐户的电子邮件。 有些网站更进一步,不允许来自 yahoo、g-mail、hotmail 等域的地址...
One common option is to verify the persons identity through their e-mail. Actually make them respond to an e-mail sent to their account. Some sites take this a step further and don't allow addresses from domains such as yahoo, g-mail, hotmail, etc ...
我认为,正如许多人上面提到的,最好的方法之一是验证手机号码,这就是我首先想要使用的方法,如果它不是那么昂贵的话......
我找到了这个网站 这里,我认为它可以用于此目的,但我自己没有测试过,但它看起来相当现代且便宜
I think, as many people have mentioned above, one of the best ways is to verify mobile numbers and that's what I wanted to use in teh first place, if it wasnt so damn expensive ...
I have found this site here and I think it can be used for this purpose but I havent tested it myself, but it seems pretty modern and cheap