Why IP banning is useless

Many proposals for eliminating comment spam are focused on banning or throttling comments from the IP address of the spammer. This is fundamentally flawed because it assumes IP addresses are both unique and hard to come by.

Banning an IP address can have severe consequences. Many ISPs (including AOL) and companies use a proxy server that makes it appear as if all users are coming from a single (or a handful) of IP addresses. By blocking an IP address, you might be preventing a substantial portion of AOL users from commenting. Depending on your point of view, eliminating AOL may not be a great loss; however, the same thing would happen to millions of users behind other proxy servers.

The other problem is that IP addresses are very easy to get or fake for spammers who care about such things. There are hundreds of thousands of open proxies that will let anyone direct Web traffic through them. When I’m using an open proxy, my IP address is effectively masked. And I can use simple software to switch to a different open proxy (and thus a different IP address) every few minutes. So my spamming activity isn’t tied to a specific IP address.

Hypothetically speaking, if the problem of open proxies were to disappear overnight, there are two other mechanisms that provide a limitless set of IP addresses to spammers: dialup and spoofing.

Most dialup ISPs provide a different IP address each time you dial in. If a spammer were to find that their IP address had been banned, they could simply disconnect and redial. It would be trivial to automate the process of dialing in, spamming, disconnecting, and dialing back in.

IP addresses are easy to fake as well. The design principles of TCP/IP allow the sender of a packet to specify its IP address. The message will still be routed to its destination using the fake origin address. Return packets would be mis-routed, however, because TCP/IP would send responses to the true location of the IP address rather than where it actually came from. This means that IP spoofing is ineffective in situations where you need to interact with a remote server, but very effective in a one-way conversation. I can’t retrieve a Web page using a spoofed IP address because I need to make the request and then have the server send me the page. But I can send requests all day long if I don’t care about the response.

Posting a comment (or TrackBack) doesn’t require interaction. I can send a comment in a POST or GET message and not worry about the response if I don’t care about receiving acknowledgment that it was successful.
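The two costs argued above (collateral damage behind a shared proxy, and a source that keeps changing address) can be measured by replaying a comment log against a ban policy. This is an added example, not code from the original post; the log format, the `evaluate_ip_ban` name and every address (documentation ranges) are constructed assumptions.

```python
from collections import namedtuple

Comment = namedtuple("Comment", "ts ip author is_spam")

# Constructed sample log. 192.0.2.10 stands in for a shared ISP proxy;
# the 198.51.100.x / 203.0.113.7 addresses stand in for a rotating source.
LOG = [
    Comment(1, "192.0.2.10", "alice", False),
    Comment(2, "192.0.2.10", "spammer", True),    # spam via the shared proxy
    Comment(3, "192.0.2.10", "bob", False),
    Comment(4, "198.51.100.1", "spammer", True),
    Comment(5, "192.0.2.10", "carol", False),
    Comment(6, "198.51.100.2", "spammer", True),
    Comment(7, "198.51.100.1", "spammer", True),  # only reuse of a banned IP
    Comment(8, "203.0.113.7", "spammer", True),
    Comment(9, "192.0.2.10", "alice", False),
    Comment(10, "203.0.113.50", "dave", False),
]

def evaluate_ip_ban(log):
    """Replay the log with a 'ban the IP after its first spam' policy."""
    banned, locked_out = set(), set()
    stats = {"spam_total": 0, "spam_blocked": 0,
             "legit_total": 0, "legit_blocked": 0}
    for c in sorted(log, key=lambda c: c.ts):
        kind = "spam" if c.is_spam else "legit"
        stats[kind + "_total"] += 1
        if c.ip in banned:
            stats[kind + "_blocked"] += 1
            if not c.is_spam:
                locked_out.add(c.author)   # legitimate user hit by the ban
        elif c.is_spam:
            banned.add(c.ip)               # ban happens after the spam lands
    stats["users_locked_out"] = sorted(locked_out)
    return stats

if __name__ == "__main__":
    print(evaluate_ip_ban(LOG))
```

On this log the ban stops one spam comment out of five while rejecting three of five legitimate ones, which is the trade-off to check against real moderation logs before adopting an IP ban.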

frickaline
October 28, 2005 6:20 AM

rofl … I just tested countrycheck.com using an anonymous proxy and it failed to detect it. They thought I was really from Manila.

Back to the drawing board…

Cody
March 14, 2006 3:49 PM

I own a web hosting company; I have IPs banned for a certain period of time to deflect a DDoS. If an attack is taking place, their IP will be banned if they go above so many connections. It doesn’t matter if they have an anonymous IP either; they can use a thousand different IPs and their IP will be blocked for 10 minutes, therefore deflecting a DDoS attack.

Now if you want to block an IP from a server entirely, I do agree it is pointless unless you use software that will not allow a visitor to your website using an anonymous proxy ;)

dr1819
June 9, 2006 11:07 AM

As a networking security consultant, I strongly oppose IP address banning for the reasons mentioned by Adam in his blog:

  1. IP addresses are far too easily spoofed. I often demonstrate this to my clients by re-registering and posting new content after being banned and without using a proxy.

  2. While detecting and eliminating proxies isn’t difficult, it’s impossible to detect and eliminate a NAT-based firewall, which can be configured to look like anyone.

  3. Banning even one IP address can hurt tens, hundreds, even thousands of legitimate users. Banning ranges of IP addresses is violently aggressive, highly injurious to the Internet community as a whole, and should never be a policy of any website catering to large numbers of users.

There are alternatives to IP address banning, including content readers. Most users are fairly well-behaved, and troublemakers make up a small percent. It’s not a difficult task to install a content reader that compares content from recently banned members with that posted by new members. While it shouldn’t be used alone as a criterion for banning, it can help support a decision based upon how well the two match with respect to the general vocabulary used, the grammar, and even the style of writing.

The most effective way to keep things civil is to enforce standards with grace, and work with the users, helping those who’re wayward to learn more about what’s acceptable and what’s not. Using buttons to automate some of the reminders and “lessons learned” greatly eases this task.
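One way a content reader like the one described in the comment above could score matches, as an added example that is not part of the original comment or of any product it refers to. It uses cosine similarity over character trigrams (a swapped-in, simple stylometric measure); the function names, sample posts and the 0.5 review threshold are constructed assumptions, and a hit only queues the account for human review.

```python
import math
import re
from collections import Counter

def trigram_profile(text):
    """Character-trigram counts of lowercased, whitespace-normalised text."""
    norm = re.sub(r"\s+", " ", text.lower()).strip()
    return Counter(norm[i:i + 3] for i in range(len(norm) - 2))

def cosine(a, b):
    """Cosine similarity of two count profiles; 0.0 if either is empty."""
    dot = sum(a[g] * b[g] for g in a.keys() & b.keys())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0

def flag_for_review(banned_posts, new_posts, threshold=0.5):
    """Both arguments map author -> text. Returns matches, best first."""
    hits = []
    for new_author, new_text in new_posts.items():
        profile = trigram_profile(new_text)
        for old_author, old_text in banned_posts.items():
            score = cosine(profile, trigram_profile(old_text))
            if score >= threshold:
                hits.append((new_author, old_author, round(score, 3)))
    return sorted(hits, key=lambda h: -h[2])

# Constructed sample posts (hypothetical account names).
BANNED = {"troll42": "ur all idiots!!! this forum is a joke lol!!!"}
NEW = {
    "newguy7": "ur all idiots!!! this forum is still a joke lol!!!",
    "quiet_reader": "Has anyone benchmarked the new parser release?",
}

if __name__ == "__main__":
    for hit in flag_for_review(BANNED, NEW):
        print("review:", hit)
```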

JT
June 23, 2006 9:18 PM

What I would like to know is if any harm can be done to the internet community if you created a ban list of 0.0.0.0 to 255.255.255.255 on one server. With an allow list for a static IP range from a client server. Provided you included DNS to ISP in the allow range set and vice versa on the other server. This would in effect I think allow for two servers to travel the internet and yet be seen as a local LAN for connect intents. Anyone have thoughts?

JT

j.
July 17, 2006 10:53 PM

hi, where can I mask my IP address? I’m banned from a forum and I’d really like to go back :P. I just want to hide my IP address. my e-mail is dilute13@yahoo.com if anybody could help it would make me giddy.

©1999-2010 Adam Kalsey.