How to reliably identify a troll with suspected multiple user accounts?


(ljpp) #1

Surprise, surprise, our community has a troll.

Our troll is using a mobile connection, instead of a land line, and thus his IP-address is ever changing, constrained only by the operators IP pool. We have already suspended couple of his user accounts, and now I suspect he is back with a third. Unfortunately I don’t have rock solid technical proof that this is the same guy, even though he has similar agenda, writing style and IP-range of the previous accounts.

So if IP is useless, is there any other ways for me to investigate and identify that this new user is the very same we have suspended before, with a reasonable level of certainty?

Could/should Discourse cookie-tag registered users to improve chances of detecting dupe accounts? Cellular 4G broadbands are very popular nowadays, so old school IP-based method does not do the trick anymore.


Handling trolls with multiple accounts over VPNs
Build a browser fingerprinting plugin
Handling trolls with multiple accounts over VPNs
(Jeff Atwood) #2

How “changing” are we talking on the IP? If necessary, just block like so:

192.168.1.*

or even

192.168.*


(Kane York) #3

This would probably block everyone on that mobile network, though, and will probably fall if they move themselves to another region (temporarily) to continue posting.


(Matt Palmer) #4

Butt-tagging the browser is almost certainly the least-worst way of identifying abusive people who are in that narrow band of “smart enough to change usernames / IPs but not smart enough to switch browsers and/or clear their cookies”. Whether that band contains enough people to make it worthwhile to build that tracking into core (or even provide it as a plugin, which would go some way to alleviating the privacy implications, because it wouldn’t be on-by-default) is another question…

The more advanced (and much more tricky, technically) approach is to use “browser fingerprinting” (as demonstrated by the EFF’s Panopticlick project), which prevents the abusive person from clearing their cookies to avoid being tracked across their accounts, but doesn’t prevent switching browsers.

Either way, the way I’d approach it is that when a new user is registered whose signature (either the same cookie value, or browser fingerprint) matches a currently suspended/banned/whatever user, mods are notified (and, optionally, the user is temporarily blocked, if you’re under sustained troll attack). The user can then be whacked or paid close attention to, as appropriate.

To at least put a fig leaf over the privacy concerns, I wouldn’t allow mods to answer the question, “which users share the same signature?”. Admins, of course, can dump the DB, so there’s no point trying to actively prevent them from answering such questions, although I don’t see a particular need to give them a simple way to query this, either.


(ljpp) #5

Kane is right - blocking the whole IP-range would block the whole operator, which has around ~35% of local market share.

I am not sure what is the situation globally, but on local market ever since the 4G LTE networks came, the operators have strongly favored cellular connections over land lines. This makes sense as LTE gives you decent 100Mbps speed and pings below 20ms, and most likely is cheaper to maintain for the operator and even even more robust than landlines. The connection has a NAT at the operators end (they charge extra for a public IP), and the IP is really changing frequently. This is very different from ADSL and other cables, where IP mostly remained unchanged for months, unless you changed your MAC.

I have no idea how will things work with 5G and IPv6, but the future is most likely wireless (or cable-less).

I like @mpalmer’s idea of tagging users at the point of registration. I don’t quite agree with the privacy concerns, as previously admins used to be able to identify users with the IP-address with similar probability. And cookie does not actually tag the person, but the specific browser in the specific device – even if a dupe id-tag is found, one cannot be automatically suspended, as it could be a shared device.

As the IP-address has lost it’s significance in user identification, I would love to see the cookie tag approach in the future of Discourse. It’s not rock solid, but it adds a layer of security.

Our trolls are not typically genius cyber criminals. They are typically premature people with an odd idea of having fun. This is sports forums, so think New Jersey fans trolling NY Rangers fans. Another archetype is that someone goes too emotional, and gets a short suspension, after which he goes to berserker mode and comes to rage with a new account. IP-address they may be aware of, as it is old news, but quite certainly a cookie would catch them by surprise.

Edit: Another thing that is making the IP-address less useful is the emerging consumer VPN services. For example the F-Secure Freedome seems to be gaining some popularity and Opera browser now ships with VPN. This seems to be a big trend now.


(Eli the Bearded) #6

Are these trolls using a noticeably similar pattern in email addresses?


(OG) #7

Just wanted to share that we were pretty succesful with basic cookie tag in the past (non-IT community) and are planning to use it with Discourse also in the future…

As we have completely resigned on using IP addresses for spam prevention I also like the idea of fingerprinting and will look into it in detail. Thanks!


(ljpp) #8

Well, the individual we are currently dealing with is not. Trolls often have earlier forum experience and are able to invent new unique emails.


(Kane York) #9

Or, if they

they have a bunch of emails already created and ready to use…


(Jeff Atwood) #10

Consolidating discussion here