10

We run a community product. There is an individual (a little PoS kid) in the UK who has been harassing our site for the last 6 months. His daily task is to create a new account, post a bunch of illegal / inflammatory content, get a rise out of people, then get deleted within a few hours by an admin. Then repeat.

His IP address changes every time he creates a new account (either using a proxy or some other similar tool). The only commonality is the top level 92.x.x.x. We've tried contacting UK authorities... while they are interested, they have not provided anything actionable. Meanwhile, this harassment continues daily.

Anyone have experience on how to kill this off? I'm pretty much at my wit's end here and hoping someone who has dealt with this before can provide some guidance.

Thx in advance.

  • What kind of server OS are you using? – Patrick R Feb 23 '10 at 23:38
  • Any chance the UserAgent is identifiable or there is some sort of pattern in the web requests? – Dscoduc Feb 23 '10 at 23:39
  • Redhat 5, LAMP stack. –  Feb 24 '10 at 01:05
  • 1
    I hope that's RHEL 5 and not Red Hat 5.0, which is ancient... :P – Avery Payne Feb 24 '10 at 02:31
  • You could try http://www.iwf.org.uk/ or maybe contact UK CERT http://www.ukcert.org.uk/ to see if they can provide better contacts at the ISP or an appropriate UK Law Enforcement contact if the posts are that bad. – Sim Feb 24 '10 at 02:39
  • What kind of 'illegal content'? Being obnoxious or inflammatory, while contrary to etiquette and forum goals, is not illegal. It is disturbing to see these two words juxtaposed. Something is only seriously illegal when it breaks an enforced law or actually harms someone in a tangible way ... in which case the authorities or the victims would not respond with inaction. – Paul Feb 24 '10 at 03:00
  • @Farseeker - Civil sanctions can be useful but a kid offender doesn't have the deep pockets to attract the lawyers. In contrast, you might recall a certain cult church that lost millions of dollars in one such suit, over protesting funerals with outrageous signs and slogans. I realize this is an opinion or a feeling, but there is something unnerving about prosecuting criminally for speech or publication. – Paul Feb 24 '10 at 08:57

8 Answers

18

Instead of blocking it, you can employ a different approach - I think I heard it on one of the SO podcasts, and/or maybe SO uses it as well.

Do not delete the account and the posts - just make them visible only to this account and no one else. The kid will continue to try while you play his game. If he sees that his comments are not deleted, he may lose interest. You can leave the comments visible for the entire 92.x.x.x subnet, with the hope that he'll never notice, and you will not offend other users.

Sunny
  • I like that approach Sunny. +1 – Patrick R Feb 24 '10 at 00:13
  • +1 Yes this is radically neat – Oskar Duveborn Feb 24 '10 at 00:25
  • Very creative. I likey a lot. =) – Wesley Feb 24 '10 at 00:40
  • 2
    Nice. But how would this be implemented? Since attacks come from 92/8, do you set *any* post from 92/8 to be visible only in 92/8 ? What about decent people in 92/8 ? – Paul Feb 24 '10 at 04:20
  • 3
    Wait for him to make a new account and apply it to that account instead of banning it outright? Yes he will make a few more accounts, but chances are if he's not getting "banned" frequently he won't make too many. – Frenchie Feb 24 '10 at 05:40
  • Kudos for "ignore it and it'll go away", but I would think that this is somewhat limited in implementation depending on what the platform of the site is. There would need to be provisions in the product for hiding content from others based on account. If it's your product, then great. If not you're at the mercy of the product developer or relegated to coming up with a mighty creative hack. – squillman Feb 25 '10 at 22:29
  • @Paul Yeah doing this to an entire /8 would be ridiculous. I looked through the first 15% of that range and found 7 different ISPs in 4 different countries. – kasperd Oct 31 '18 at 15:51
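A concrete form of the per-account hiding Sunny describes, as an added example that is not code from the question's site or from any answerer. It assumes a hypothetical data model (accounts, posts, a viewer with an IP address) and follows the comment thread: the flag is applied per account rather than to everyone in 92/8, and the optional decoy net is a configurable list that, as kasperd's comment notes, should normally be narrower than a whole /8.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical data model, constructed for this example (not the OP's product).
@dataclass
class Account:
    name: str
    shadow_banned: bool = False  # posts stay in the DB; only the author (and decoy nets) see them

@dataclass
class Post:
    post_id: int
    author: Account
    body: str

@dataclass
class Viewer:
    account: Optional[Account]  # None for anonymous readers
    ip: str

# Readers inside these nets still see shadow-banned posts, so the poster cannot tell by
# hopping IPs within them (Sunny's 92.x.x.x idea). A /8 spans many ISPs and countries,
# so narrow this to the prefixes actually seen in the abuse, or leave the list empty.
DECOY_NETS = [ipaddress.ip_network("92.0.0.0/8")]

def shadow_ban(account: Account) -> None:
    """What an admin does instead of deleting the account (Frenchie's comment)."""
    account.shadow_banned = True

def visible_to(post: Post, viewer: Viewer) -> bool:
    """Hide a shadow-banned author's posts from everyone except the author and decoy nets."""
    if not post.author.shadow_banned:
        return True
    if viewer.account == post.author:
        return True
    addr = ipaddress.ip_address(viewer.ip)
    return any(addr in net for net in DECOY_NETS)

def feed_for(posts: List[Post], viewer: Viewer) -> List[int]:
    """Post ids the viewer gets to see, in thread order."""
    return [p.post_id for p in posts if visible_to(p, viewer)]

# Constructed sample thread: a regular member and the repeat offender.
alice = Account("alice")
troll = Account("troll_42")
shadow_ban(troll)
THREAD = [Post(1, alice, "Welcome!"), Post(2, troll, "[abusive post]"), Post(3, alice, "Reply")]
```

The troll's own feed still shows post 2, while alice and anonymous readers outside the decoy net see only posts 1 and 3.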
4

If it's available you could try having to approve new accounts or approving the first post of a newly created account.

dimitri.p
2

I would try and trace back (tracert) one of the IP addresses to the provider, look up an abuse contact email/number for the provider, and report the IP address.

If the user is on a public network you're pretty much at a dead end, but if it's a company or residence then you might be able to request an inquiry into the IP Address ownership.

Dscoduc
  • We've done this, and the ISP is (usually) carphonewarehouse. Given the vile nature of what this kid posts (think harming children, animals, and others in incredible detail), we were hoping that examples + IP addresses + times of access would be enough to get them motivated. They've acknowledged receiving the data, but in the meantime we continue to see him every day. –  Feb 24 '10 at 01:08
1

92.0.0.0 is under the authority of RIPE, so search the specific IP in the RIPE database and you'll find what network has direct control of that IP. Then you can report them to the proper channels for that range.

Wesley
1

Blocking an entire network seems a little overkill. Could you switch your site to read-only for a week or two? If it's just a kid out to get his jollies he'll get bored and move on.

There's also the possibility that it might be caused by a piece of malware on a totally innocent person's machine. That should always be viewed as a possible source of this kind of attack. It seems a little unlikely that a human being would carry out such a sustained attack over such a period of time - daily for a full 6 months is quite extreme.

I'd vote for a strong CAPTCHA on new account creation (and on any unregistered posting facility you might have) and approval for new accounts (although it might do your head in if it happens on a continual basis). That should catch both potential possibilities.

Maximus Minimus
  • The OP has already indicated that this has been happening for 6 months, so this particular person doesn't get bored too easily. More's the pity. – John Gardeniers Feb 24 '10 at 09:04
0

Rather than completely blocking access to the 92/8 network it may be sufficient to block the creation of new accounts (or require administrator approval).

This would avoid the collateral damage from those people in that network who visit your site (and already have accounts).

0

None of the suggestions given will help you.

These kinds of people run spyware / malware that opens up PCs for them all over the planet; don't even consider blocking IPs or blocks of IPs and expecting long-term results.

Now you only have one of them, which is great; imagine what it would be like if there were 10 or even more.

You have to change the way your application works.

Here are a few ideas:
- If the account is not at least 24 hours old
- Registered with Yahoo, Gmail, Hotmail/MSN.

Prevent replies or have them accepted by admins.

But first of all, you could probably tighten your new user registration.
One good example: spammers often sign up using cut and paste or even bots, and they often make HUGE mistakes that can be seen right at registration, like:

  • Lower case first name, name, city, ...
  • Easy passwords

Look at the registration made by this guy; you should find things like that. If you do find some, enforce them at registration. This will make him correct all this in order to sign up. What was taking him 30 sec will now take him minutes, like most people. Just make sure you don't punish every new user with this.

Optionally you could consider having some sort of filtering against a database for all comments. If a comment is flagged, it is deleted, the user is warned, or it requires admin approval.

Akismet could potentially do the job or at least a good part of it. If you don't run WordPress, use an API for the language your application uses.

You will probably have better results with many small changes than with one radical solution.

Good luck.

Embreau
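Embreau's gating rules as one added example (not the answerer's or the OP's code): hold replies from accounts under 24 hours old or registered with a webmail address for admin approval, and turn the sloppy-signup patterns into registration errors. The thresholds, the domain list and the password rule are constructed from the answer; the signals to enforce in practice are whatever the offender's real registrations show.

```python
from typing import List

# Constructed from the answer above; tune to what the offender's signups actually show.
MIN_ACCOUNT_AGE_HOURS = 24.0
WEBMAIL_DOMAINS = {"yahoo.com", "gmail.com", "hotmail.com", "msn.com"}
MIN_PASSWORD_LEN = 8  # hypothetical threshold for an "easy password"

def registration_problems(first_name: str, last_name: str, city: str, password: str) -> List[str]:
    """Sloppy-signup signals the answer lists; each becomes a form error the user must fix.
    Genuine users rarely trip these, so the friction lands mostly on cut-and-paste signups."""
    problems = []
    for label, value in (("first name", first_name), ("last name", last_name), ("city", city)):
        if not value.strip():
            problems.append(f"{label} is required")
        elif value[0].islower():
            problems.append(f"{label} should start with a capital letter")
    # All-letters or all-digits passwords, or very short ones, count as "easy" here.
    if len(password) < MIN_PASSWORD_LEN or password.isalpha() or password.isdigit():
        problems.append("password is too easy")
    return problems

def post_disposition(account_age_hours: float, email: str) -> str:
    """'publish' immediately, or 'moderate' (queue for admin approval) when the account is
    younger than 24 hours or was registered with one of the listed webmail providers."""
    domain = email.rsplit("@", 1)[-1].lower()
    if account_age_hours < MIN_ACCOUNT_AGE_HOURS:
        return "moderate"
    if domain in WEBMAIL_DOMAINS:
        return "moderate"
    return "publish"

if __name__ == "__main__":
    # Constructed inputs: a lower-cased cut-and-paste signup, and a two-hour-old Gmail account.
    print(registration_problems("john", "Smith", "london", "password"))
    print(post_disposition(2.0, "someone@gmail.com"))
```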
-2

The easiest and arguably most effective option is to block 92.0.0.0/8 (0.255.255.255 in wildcard, of course). This has the disadvantage of removing about 1/200th of the usable internet space from accessing your site.

Depending on how frustrated you are - and it's certainly not IT-kosher (depending on what country you are from and where you are hosted) - you could use any number of vulnerabilities present in the web browsers available today and drop rm -rf or format C: -f appropriately. It's shady and probably unethical, but it's been used (anecdotally, of course) by admins with somewhat humorous results.

Just as a note, abuse contacts are a joke, likewise with law enforcement. Unless you've lost major cash and you can show this with financial statements, good luck with getting anything. At least that's how it works with the Feds in the US; I can't speak much towards the UK.

zetavolt
  • The only time I've seen abuse contacts work is when an ISP has put rubbish in their IANA records, which I found because they were spamming. I got a very swift result from their international link when I emailed them about that! – staticsan Feb 24 '10 at 00:02
  • My point is proven. When I said 'abuse contacts' I meant in relation to hacking and I imagine ESPECIALLY harassment attempts; I have never, literally NEVER heard of success at the ISP level. – zetavolt Feb 24 '10 at 00:04
  • 1
    -1 for the rm -rf (which I hope was intended as a joke). – Maximus Minimus Feb 24 '10 at 00:12
  • 3
    rm -rf is never a joke. – zetavolt Feb 24 '10 at 00:37
  • But seriously, one post suggests tracing; the original poster has already contacted UK law enforcement, so it can safely be assumed that he already knows the originating IP, or the proxy; either way it's not relevant. If you've visited or seen any EDers, you're well aware that getting someone's line pulled for harassment is nigh impossible. The other suggests potentially complex modifications to a piece of software with unintended results (if it's C, get ready for some IDA!). If he's from Iran or the Central African Republic - he's in the legal clear. I'm just saying - it's an option. – zetavolt Feb 24 '10 at 00:43
  • 2
    Ethics and morals aside, if he knew enough about the person to set up a targeted attack against his PC, don't you think he could just block the person? Definitely not a viable option – einstiien Feb 24 '10 at 01:27