We run a community product. There is an individual (a little PoS kid) in the UK who has been harassing our site for the last 6 months. His daily task is to create a new account, post a bunch of illegal / inflammatory content, get a rise out of people, then get deleted within a few hours by an admin. Then repeat.
His IP address changes every time he creates a new account (either using a proxy or some other similar tool). The only commonality is the top level 92.x.x.x. We've tried contacting UK authorities... while they are interested, they have not provided anything actionable. Meanwhile, this harassment continues daily.
Anyone have experience on how to kill this off? I'm pretty much at my wit's end here and hoping someone who has dealt with this before can provide some guidance.
Thx in advance.
Instead of blocking it, you can employ a different approach - I think I heard it on one of the SO podcasts, and/or maybe SO use it as well.
Do not delete the account and the posts - just make them visible only to this account and no one else. The kid will continue to try while you play his game. If he sees that his comments are not deleted, he may lose interest. You can leave the comments visible for the entire 92.x.x.x subnet, with the hope that he'll never notice, and you will not offend other users.
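The visibility rule described in this answer, as an added sketch that is not part of the original post or of any real forum's code. `Post`, `can_see`, `visible_posts` and the sample thread are hypothetical names; the `92.0.0.0/8` range is taken from the question.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: hidden posts stay visible to the whole 92.x.x.x range from the question.
SHADOW_NET = ipaddress.ip_network("92.0.0.0/8")


@dataclass
class Post:
    post_id: int
    author_id: int
    body: str


def can_see(post, viewer_id, viewer_ip, shadow_banned, is_admin=False):
    """Decide whether one viewer may see one post.

    shadow_banned is the set of account ids a moderator has flagged.
    """
    if post.author_id not in shadow_banned:
        return True                      # ordinary post, everyone sees it
    if is_admin or viewer_id == post.author_id:
        return True                      # the author still sees his own posts
    # Optional widening from the answer: anyone browsing from the same /8
    # (including the author while logged out) also sees the post.
    try:
        return ipaddress.ip_address(viewer_ip) in SHADOW_NET
    except ValueError:
        return False                     # unparseable address: keep it hidden


def visible_posts(posts, viewer_id, viewer_ip, shadow_banned, is_admin=False):
    """Filter a thread down to what this viewer should be shown."""
    return [p for p in posts
            if can_see(p, viewer_id, viewer_ip, shadow_banned, is_admin)]


# Constructed sample data, not taken from any real site.
THREAD = [Post(1, 10, "welcome"), Post(2, 66, "flamebait"), Post(3, 11, "hi")]
BANNED = {66}

if __name__ == "__main__":
    for who, ip in [(66, "198.51.100.1"), (11, "203.0.113.9"), (None, "92.77.1.2")]:
        print(who, ip, [p.post_id for p in visible_posts(THREAD, who, ip, BANNED)])
```

The filter has to be applied everywhere posts are rendered (thread view, search, feeds, notifications), otherwise the missing replies and views give the hidden state away.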
If it's available you could try having to approve new accounts or approving the first post of a newly created account.
I would try and trace back (tracert) one of the IP addresses to the provider, look up an abuse contact email/number for the provider, and report the IP address.
If the user is on a public network you're pretty much at a dead end, but if it's a company or residence then you might be able to request an inquiry into the IP Address ownership.
92.0.0.0 is under the authority of RIPE, so search the specific IP in the RIPE database and you'll find what network has direct control of that IP. Then you can report them to the proper channels for that range.
Blocking an entire network seems a little overkill. Could you switch your site to read-only for a week or two? If it's just a kid out to get his jollies he'll get bored and move on.
There's also the possibility that it might be caused by a piece of malware on a totally innocent person's machine. That should always be viewed as a possible source of this kind of attack. It seems a little unlikely that a human being would carry out such a sustained attack over such a period of time - daily for a full 6 months is quite extreme.
I'd vote for a strong CAPTCHA on new account creation (and on any unregistered posting facility you might have) and approval for new accounts (although it might do your head in if it happens on a continual basis). That should catch both potential possibilities.
Rather than completely blocking access to the 92/8 network it may be sufficient to block the creation of new accounts (or require administrator approval).
This would avoid the collateral damage from those people in that network who visit your site (and already have accounts).
None of the suggestions given will help you.
These kinds of people run spyware / malware that is opening PCs for them all over the planet; don't even consider blocking IPs or blocks of IPs and expecting long-term results.
Now you only have one of them, which is great, imagine what it would be if they were 10 or even more.
You have to change the way your application works.
Here are a few ideas:
- If the account is not at least 24 hours old
- Registered with Yahoo, Gmail, Hotmail/MSN.
Prevent replies or have them accepted by admins.
But first of all, you could probably tighten your new user registration.
One good example is that spammers often sign up using cut and paste or even bots; they often make HUGE mistakes that can be seen right at registration, like:
Look at the registrations made by this guy; you should find things like that. If you do find some, enforce them at registration. This will make him correct all this in order to sign up. What was taking him 30 sec will now take him minutes, like most people. Just make sure you don't punish every new user with this.
Optionally, you could consider having some sort of filtering against a database for all comments. If a comment is flagged, delete it, warn the user, or require admin approval.
Akismet could potentially do the job or at least a good part of it. If you don't run WordPress, use an API for the language your application uses.
You will probably have better results with many small changes than one radical solution.
Good luck.
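The new-account gating suggested in two of the answers above (admin approval for signups from the 92/8 network, and holding replies from accounts under 24 hours old or registered with a free webmail address), as an added sketch that is not code from the thread. The function names, return strings and the exact webmail domains are assumptions; the answer does not say whether its two conditions combine, so `require_both` exposes both readings.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Range and thresholds come from the thread; everything else is hypothetical.
WATCHED_NET = ipaddress.ip_network("92.0.0.0/8")
MIN_ACCOUNT_AGE = timedelta(hours=24)
FREE_MAIL = {"yahoo.com", "gmail.com", "hotmail.com", "msn.com"}  # assumed domains


def registration_action(client_ip):
    """Signups from the watched range wait for an admin; others proceed.

    Only account creation is gated, so existing members on that network
    keep logging in and posting as before.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return "pending_approval"        # cannot classify: let a human decide
    return "pending_approval" if addr in WATCHED_NET else "allow"


def post_action(created_at, email, now=None, require_both=False):
    """Hold replies from accounts that look freshly made for abuse.

    created_at and now are timezone-aware datetimes. By default either
    signal (young account, free webmail) sends the reply to moderation;
    with require_both=True both must be present.
    """
    now = now or datetime.now(timezone.utc)
    domain = email.rsplit("@", 1)[-1].strip().lower()
    too_new = now - created_at < MIN_ACCOUNT_AGE
    free_mail = domain in FREE_MAIL
    risky = (too_new and free_mail) if require_both else (too_new or free_mail)
    return "hold_for_moderation" if risky else "publish"


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(registration_action("92.14.3.7"))                      # constructed IP
    print(post_action(now - timedelta(hours=2), "a@example.org"))
```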
The easiest and arguably most effective is to block 92.0.0.0/8 (0.255.255.255 in Wildcard of course). This has the disadvantage of removing about 1/200th of the usable internet space from accessing your site.
Depending on how frustrated you are - and it's certainly not IT-kosher (depending on what country you are from and where you are hosted) - you could use any number of vulnerabilities present in the web browsers available today and drop rm -rf or format C: -f appropriately. It's shady and probably unethical, but it's been used (anecdotally of course) by admins with somewhat humorous results.
Just as a note, abuse contacts are a joke, likewise with law enforcement. Unless you've lost major cash and you can show this with financial statements, good luck with getting anything. At least that's how it works with the Feds in the US; I can't speak much towards the UK.