I am looking for a solution to stop multiple sign ups on an upcoming website of mine, but I am looking for different alternatives besides IP saving and tracing that.
So I was thinking about computer ID saving on the server. Is that possible?
No, that's not possible simply because this information is never sent on the network. The only information you could reliably get from a user visiting your website is his IP address in addition to the standard HTTP headers, which might or might not contain information about the UserAgent he is using, the language he configured in his browser, ...
Related
With the new HTTP reporting headers being developed and refined, it seems more important than ever to be able to tell/validate where the reports are coming from.
For example, someone attempting to "hack" the site can very easily flood the reporting endpoint with false reports, drowning out the details of what they're attempting. It's also a vector for a DDoS attack.
Is there some mechanism for doing this aside from obfuscation?
Do the User Agents sign their reports?
Any advice would be much appreciated!
I took a quick glance through the standard draft for the Report-To header, but it doesn't seem to touch on it.
One thought on application-level mitigation: record the IPs of all clients that are connected and authenticated and only accept reports from IPs that are whitelisted in this way. This assumes that the browser sends its reports direct from the client machine (I believe this is the case, but can anyone confirm?).
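The allowlist idea from the post above, as an added example that is not part of the original thread. The class name, the expiry time for an allowlisted IP and the per-IP report budget (added to blunt flooding from an allowlisted address) are assumptions for illustration.

```python
import time
from collections import deque


class ReportGate:
    """Accept browser reports only from IPs that recently authenticated."""

    def __init__(self, auth_ttl=1800, max_reports=20, window=60):
        self.auth_ttl = auth_ttl        # assumed: seconds an IP stays allowlisted
        self.max_reports = max_reports  # assumed: reports allowed per IP per window
        self.window = window            # assumed: window length in seconds
        self._auth_seen = {}            # ip -> time of last authenticated request
        self._recent = {}               # ip -> deque of accepted report times

    def note_authenticated(self, ip, now=None):
        """Call from the application whenever an authenticated request arrives."""
        self._auth_seen[ip] = time.time() if now is None else now

    def accept(self, ip, now=None):
        """Return (accepted, reason) for a report arriving from ip."""
        now = time.time() if now is None else now
        seen = self._auth_seen.get(ip)
        if seen is None or now - seen > self.auth_ttl:
            self._auth_seen.pop(ip, None)   # drop expired entries
            return False, "ip-not-allowlisted"
        times = self._recent.setdefault(ip, deque())
        while times and now - times[0] >= self.window:
            times.popleft()                 # forget reports outside the window
        if len(times) >= self.max_reports:
            return False, "rate-limited"
        times.append(now)
        return True, "accepted"
```

Rejected reports are worth counting per reason, since a spike in either one is itself a signal.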
We are having an issue where robots are hitting our site and maxing out CPU usage. It's an ASP.NET Web Forms based site. We need to be able to identify these automatically and capture the IP addresses and write them to an event log; we can't put it in a database because of speed issues. Is this possible? Has anyone ever accomplished something like this? I have manually done this before but it's not possible with all the traffic we see to do this anymore.
Thanks!
I have a client who has a crimestoppers' website. They want to provide visitors a means to submit anonymous crime tips, which would then be forwarded to a pre-established email address at the local police department.
What is the best / easiest way to accomplish this? The sender's IP address needs to be hidden. My client also needs to be able to pull reports showing how many tips were submitted and forwarded.
Many thanks!
A simple contact form can be used. It's up to the developer's trust to hide the IP. The submitter won't see anything of what is being done using PHP.
You can then update a database with the tips being posted before sending the mails.
In terms of development, you can use a plugin such as Contact Form 7 and then use its hooks to save the tips submitted before sending the mails.
It is rather simple to set up a contact form that submits to an email address (just use the excellent ContactForm7, as rrikesh's answer suggests). However, getting anonymity right (especially against a party that has as much power and resources) is tricky. You need to be clear about the level of anonymity that you can provide. Log files, document metadata or your ISP can easily give a lot of information away.
Here are two projects that have different approaches. They're both not ready-made solutions to your question, but still relevant:
PrivacyBox:
This is a web service run by the German Privacy Foundation. It's basically a message relay like the one you want, except that the user has to trust the Foundation, not you. This model highly depends on the institution providing this service. I'm sure there are other, US-based services like this.
Briefkasten:
An open source software tool used by the German newspaper Die ZEIT.
a reasonably secure web application for submitting content anonymously. It allows to upload attachments which are then sanitized of a number of meta-data which could compromise the submitters identity. Next, the sanitized files are encrypted via GPG and sent via email to a pre-configured list of recipients. The original (potentially 'dirty') files are then deleted from the file system of the server. Thus, neither should admins with access to the server be able to access any submissions, nor should any of the recipients have access to the unsanitized raw material.
This is an attempt to automate the crucial steps to strip any identifying data from the submission and encrypt it, so only the intended recipients can access it.
You would have to host this yourself, though. And it's a Python app.
I've seen the following question: Implementing "Report this content" and detecting spammer or robot triggered event, but it doesn't quite answer all I need to know about setting up a "Report this content" function.
My situation is very similar (users not needing to login to be able to report content) but I'm unsure what I should capture about a user to ensure that they are not reporting a single posting multiple times.
I thought the most obvious one would be IP address but I heard that mobile users can sometimes find themselves all sharing a single IP address when the users are close together.
This means I need something else as well.
The Question above mentions user-agent but it doesn't sound too far fetched that multiple iPhone users could be sharing the same IP address, so even with IP address and user-agent it still isn't unique.
What if I logged their IP address and their session ID?
Would that be a good compromise or can anyone suggest a better option?
Thanks
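The IP address plus session ID combination proposed in the question above, as an added example that is not part of the original post. The class, the server-side key and the choice to reject reports that carry no session are assumptions; the fingerprint is stored as a keyed hash so raw IPs and session IDs are not kept.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # assumed: a per-deployment secret


class ReportDeduper:
    """Count at most one report per (IP, session) pair for each posting."""

    def __init__(self, key=SERVER_KEY):
        self._key = key
        self._seen = {}   # post_id -> set of reporter fingerprints

    def _fingerprint(self, ip, session_id):
        # NUL separator keeps ("1.2.3.4", "5x") distinct from ("1.2.3.45", "x")
        msg = f"{ip}\x00{session_id}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def register(self, post_id, ip, session_id):
        """Return True if this is the first report of post_id by this reporter."""
        if not session_id:
            return False  # assumed policy: no session, no way to tell users apart
        fingerprint = self._fingerprint(ip, session_id)
        reporters = self._seen.setdefault(post_id, set())
        if fingerprint in reporters:
            return False
        reporters.add(fingerprint)
        return True

    def count(self, post_id):
        """Number of distinct reporters recorded for post_id."""
        return len(self._seen.get(post_id, ()))
```

A visitor who clears cookies gets a new session ID and is counted again, so this limits accidental and casual repeats rather than a determined one.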
I have read a few other posts on here about mass emailing, but I need some other information. We want to integrate our mass e-mail system into our current application, but I fear this may not be a good idea. Does anyone have any input as to what kind of resources are needed to send, potentially, 1000's of emails an hour? We only have one web server right now and do not have access to our mail server. We do have full access to our web server, however. Would it be a bad idea to host the mass e-mail application on our current server? Should we have a separate server to run this type of application and call the server via web services (WCF)? Each email would need to be sent separately because the links on the e-mail are for tracking and unsubscribing purposes. I appreciate your thoughts.
Daniel
Yes, it's a bad idea.
One of the key things for detecting spam is the IP address it came from (known as its reputation). If you start sending out a lot of emails which end up getting marked as spam (which is likely, even if the users said they wanted to receive email), your IP address could end up in trouble. I wouldn't fancy doing this on my webserver.
As for specs, your bandwidth is going to be hit hard when you start doing something like this. Although I think you would be surprised at how fast you can send out emails (mail server dependent).
Either way, when it comes to sending mass mail campaigns out, I'd speak to a third party if it's something you are serious about; they have the knowledge and hardware to perform campaigns that are not going to damage your IP rep.
I think this issue all depends on your mail server. I've been in a project where we sent out 50-100K emails in a few hours and the main limitation was the capacity of the mail server. In my opinion it would be fine to have the mail client run on the web server as it won't be using too much resources if well written, the main question is what the mail server can take.
You can help your reputation on some email providers by contacting them and/or filling out bulk mail registrations.
This is for Yahoo:
http://help.yahoo.com/l/us/yahoo/mail/postmaster/bulkv2.html
I would not recommend using Exchange for anything like this. You will want a separate bulk mail server like Ironport.
http://www.ironport.com/
Otherwise your internal emails will get stuck in the queue with all of your bulk emails which you definitely don't want.
The actual code involved does not have to be that complex. In my case we used an asynchronous task to loop over an email list table in the DB, pulling out a batch of 20 or so at a time, sending, then sleeping for a number of seconds. Email providers do not like receiving hundreds/thousands of emails from a source at one time. Even better if you can stagger the list by providers.
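The batch, send, sleep loop with provider staggering described in the answer above, as an added example that is not the poster's code. The function names, the `send_one` callback and the default pause are assumptions; the sample addresses in the test are constructed.

```python
import time
from collections import defaultdict, deque


def provider_of(address):
    """Mail provider = the domain part of the address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def staggered_batches(addresses, batch_size=20):
    """Interleave recipients round-robin across providers, then cut batches."""
    queues = defaultdict(deque)
    for addr in addresses:
        queues[provider_of(addr)].append(addr)
    order = deque(sorted(queues))          # deterministic provider order
    interleaved = []
    while order:
        provider = order.popleft()
        interleaved.append(queues[provider].popleft())
        if queues[provider]:               # provider still has recipients left
            order.append(provider)
    return [interleaved[i:i + batch_size]
            for i in range(0, len(interleaved), batch_size)]


def send_campaign(addresses, send_one, batch_size=20, pause_seconds=5,
                  sleep=time.sleep):
    """Send one message per recipient, pausing between batches.

    send_one is an assumed callback that delivers a single, individually
    generated message (each carries its own tracking/unsubscribe links).
    """
    batches = staggered_batches(addresses, batch_size)
    sent = 0
    for index, batch in enumerate(batches):
        for addr in batch:
            send_one(addr)
            sent += 1
        if index < len(batches) - 1:       # no pause after the final batch
            sleep(pause_seconds)
    return sent
```

Passing `sleep` in as a parameter lets the pacing be checked without waiting.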