Effective method for identifying and blacklisting a user
I'm currently looking at different ways to use various web/internet technologies in order to be able to identify and blacklist a user of a website rather than the host. If that didn't make much sense, let me explain a little:
As you might be aware, some sites (particularly forums and message boards) have the unwelcome visit of spammers every so often. Obviously forum moderators are able to blacklist any accounts used to do this, but it's what occurs after this that's the problem.
In many cases, the same user is able to bypass blacklistings, create a new account, and continue on their rampage. Of course, there are some tools such as IP address blacklists, but anyone who is even a little bit knowledgeable about the Internet will typically know how to obtain a new address, and once again be able to bypass the ban meant for them.
Another interesting method I've seen is using a unique encrypted cookie to (at least) identify the host used by a blacklisted user. That is, when the user is blacklisted, the server-side makes note of the value in the cookie, so that next time the same host is used to create a new account, the cookie is sent back to the server which can then identify that they're bypassing a blacklist. But again, the problem is that adept users are able to delete the browser's cookies, allowing them to once again become anonymous.
So I'm looking for different methods of being able to enforce such a blacklist, if one even exists. I'm aware of other browser storage methods such as localStorage, and even plugin-based ones such as "Flash cookies", so anything similar to these kinds of ideas is preferable (although ideally, it would be great to be able to make successful identification by just using regular HTTP technologies, i.e. without JavaScript, Flash, etc.).
There's also a fair bit of thinking in terms of "well sure, the idea may not be 100% foolproof since the user could change or delete various settings, but if they don't understand or realise that it works that way, then it works". What I mean here is, just like the example I gave above about the use of cookies; even though cookies can be deleted, if the user doesn't understand that they're being used that way, then the blacklist remains enforced.
Comments (1)
You may be interested in this website http://panopticlick.eff.org/, and in the report containing some mathematical things about the way to fingerprint a browser based on all the data collected.
You can check as well tools which used new HTML5 database storage, like the one used by ringleaderdigital; here's the opt-out link that may be useful for everyone, as is the Better Privacy plugin for Firefox.
This reading can give you quite a lot of technical details on how to use LSO Flash cookies or local databases. And as you can read there or on the Wikipedia page on LSO, some JavaScript tools can be used to handle Flash cookies, like the Dojo framework.
You should try to handle the "Do Not Track" policy, see the FAQ. Users will send headers telling you you shouldn't try to track them. In terms of blacklisting this can become a problem. Maybe you should try to build the tracker, compare it to blacklist and throw it if you cannot find him there.
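The ban-marker cookie described in the question, combined with the answer's suggestion to compare against the blacklist and keep nothing else, as an added example that is not part of the original posts. It uses an HMAC-signed random value rather than an encrypted one; the function names, the in-memory ban set and the plain dict of request headers are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret, never sent to clients
BANNED = set()                        # keyed hashes of device ids tied to banned accounts


def _mac(label, value):
    return hmac.new(SERVER_KEY, label + value.encode(), hashlib.sha256).hexdigest()


def issue_device_cookie():
    """New cookie value: random device id plus an HMAC tag binding it to this server."""
    device_id = secrets.token_hex(16)
    return f"{device_id}.{_mac(b'cookie:', device_id)}"


def verify_device_cookie(cookie):
    """Return the device id if the tag checks out, else None (missing, malformed or forged)."""
    device_id, sep, tag = (cookie or "").partition(".")
    if not sep:
        return None
    expected = _mac(b"cookie:", device_id)
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    return device_id if hmac.compare_digest(tag.encode(), expected.encode()) else None


def ban_device(cookie):
    """Called when a moderator bans an account: remember only a keyed hash of the id."""
    device_id = verify_device_cookie(cookie)
    if device_id is None:
        return False
    BANNED.add(_mac(b"ban:", device_id))
    return True


def check_registration(headers, cookie):
    """Return (decision, cookie_to_set) for a sign-up request."""
    device_id = verify_device_cookie(cookie)
    if device_id is not None:
        # Compare against the blacklist; nothing about non-banned visitors is stored.
        return ("deny" if _mac(b"ban:", device_id) in BANNED else "allow"), None
    if headers.get("DNT") == "1":
        return "allow", None  # Do Not Track requested: issue no identifier
    return "allow", issue_device_cookie()
```

As the question notes, a visitor who clears cookies arrives without a marker, so this check only catches repeat sign-ups from a browser that still holds the cookie.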