Is "Last IP" Ever Reported Incorrectly?

In the constant effort to try to deal with trolls, and often trolls who were banned but who come back with alternate accounts, or who operate multiple accounts, we very frequently turn to the IP addresses recorded as “Last” and “Registration” to “verify” that someone is using an alternate account.

We’re frequently dealing with trolls who at least know how to use VPNs. But it seems they will generally slip up at some point and, if we’re lucky, we are able to catch the slip-up and we screencap/log the IP commonality and then have a talk with the suspected “duper.”

Of course, people almost always deny it. They’re usually not so dumb that they use the same e-mail address or something obviously tied to an existing/banned account. And if they slip up in logging in with an IP address that ties them to another account, it’s usually fleeting.

If we were diligent/lucky, then we have a screencap of the Last IP so that we know for sure that we weren’t imagining things or somehow misread/misremember.

My question is: is the system’s logging/reporting of IP addresses infallible, if functioning correctly? (I.e. I’ve seen the various reports of stuff like all members having the same IP address [i.e. the Discourse server’s] due to a configuration issue.) Is it at all possible that there could be times when “Last IP” is logged/reported incorrectly?

Or can we treat the occurrence of two accounts having a common IP address as reliable “proof” that both accounts definitely logged in/accessed with a common IP address and take action accordingly, with full confidence that we are not treating someone unfairly?

1 Like

Other than the possible misconfiguration error that you mentioned, they could have a duplicate IP if they use the same coffeehouse, co-working space, or university (the last university that I worked for had all of wifi behind NAT on the same IP; it made, say, having a class all sign up for gmail accounts at the same time a real bummer).

So, it’s fairly unlikely that they’d have duplicate IPs, but it’s not impossible.

2 Likes

Yes, definitely various real life possibilities to common IP addresses. And there have been times when we had PM conversations with people and were told that two accounts were the accounts of two classmates, or co-workers, or brothers, or housemates. If they’re not problematic in any other way, then we just trust them on that.

But the cases I’m concerned about are with members who are at least in the gray area, or which have/had an IP common with someone problematic enough to be banned.

And the common IP is very often what appears to be a residential ISP account. Often in totally different parts of the country, or even different parts of the world. Defies belief that there is coincidental overlap. The easiest explanation is that the person is using a proxy service that allows them to present residential IPs.

It’s something like this:

  • In the past, member behaved terribly, and was banned after multiple warnings and short Silencing/Suspension.
  • Then for some reason we check the Last IP of some account and it matches one of the IPs for the banned member.
  • This IP match may only exist for a fleeting period of time. We take screen caps to maintain a record.
  • Could be that the banned member registered his account in Florida and Last IP was Florida. And then the new account has same Florida IP as Last IP but Registration IP traces to, say, Germany. And then when checked X minutes later, Last IP is back to a German IP.

So I’m just wondering if there is ever “sporadic” misreporting/logging of Last IP by the system. How reliable is it as a basis for banning an account that we suspect to be a new account of a banned member?

Another curious thing: in our Recently Used Devices logs, this fleeting IP match is not reflected. I.e. the new account only shows Recently Used Devices (and IP locations) for Germany, Germany, Germany…no Florida.

But I have a screencap of that account having a Last IP tracing to Florida.

Note that the IP number is probably their real IP, but that your copy of the MaxMind database (that attempts to tell where the IP addresses are on the planet) might be totally wrong about where an IP number is.

And also, it could be the case that an address that was in Germany one day is in Florida the next. (This is beyond my area of expertise, but I don’t think such changes would happen very frequently.)

Ah, perhaps the geographic specification is wrong.

But in at least the most recent “situation” that I’ve been looking at, for my community, the IP address “locations” reported by MaxMind are the same as what’s reported on at least one other IP-tracing database/site.

And, ultimately, I’m talking about a handful of accounts that, at some point, for a short duration (i.e. minutes), have the same Last IP reported by Discourse. And let’s just say that these handful of accounts definitely should not have a common IP within the same ~60 minute span of time.

In the situation I’m experiencing/talking about, I can only see two feasible possibilities:

  1. Discourse is reporting/logging Last IP incorrectly. Randomly/sporadically/temporarily.
  2. Someone is using proxy/VPN to circumvent/evade a ban, but slipped up briefly (or had an IP leak or something technical I don’t really understand).

Here’s a spreadsheet representation of what I’m talking about:
image

And let’s just say that the geographic IP “location” is not only confirmed with MaxMind.

Sounds fishy. If they have misbehaved, then this is probably nefarious. You probably don’t owe them the time we’ve spent already. 🙂

1 Like

Probably the case. We try to be really thorough and only institute permanent bans when someone has been given multiple chances and, in the case of alternate accounts, if we feel like the evidence is irrefutable. I.e. the Registration IP is the same and there is no good explanation as to how that could have happened randomly.

And the behavior is borderline. Not necessarily problematic enough (or at all) to warrant mod action.

Maybe, if that’s the case, we should let it go.

But if Last IP is NEVER incorrect, so long as it’s generally functioning correctly, and I know that for sure, then we can take action just based on the occurrence of common IP.

1 Like

It’s hard to defend an absolute statement like “never”, since software has bugs. However, if the system is recording any IP incorrectly it is very probably recording every IP incorrectly. That is, the failure mode will be completely wrong and not just occasionally wrong.

The geographic location shown is just a best guess, so don’t rely on that. A match of the actual IP address recorded (XXX.XXX.XXX.XXX), though, is definitely suspicious. As @pfaffman mentions, there are plausible reasons for two accounts to match sometimes. Once you cross an ocean like Account 3 and 4 did, then it stretches a bit too far to be believed.

Given matching IP addresses, #2 is the WAY more likely of the two options.

3 Likes
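An added example, not part of any post in this thread and not Discourse code: it separates the two cases discussed above, IP capture that is wrong for everyone (most accounts on one address or on internal addresses) versus specific accounts seen on the same address within about 60 minutes. The record format, function names and sample data are assumptions; the records stand in for periodic snapshots of each account's Last IP.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from itertools import combinations

# Addresses a public forum should rarely log for members (RFC 1918 + loopback).
INTERNAL = [ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample snapshots: (account, ip, ISO timestamp). Documentation-range IPs.
SAMPLE = [
    ("account1", "203.0.113.10",  "2024-01-05T10:00:00"),
    ("account2", "198.51.100.7",  "2024-01-05T10:05:00"),
    ("account3", "192.0.2.44",    "2024-01-05T10:10:00"),
    ("account4", "192.0.2.44",    "2024-01-05T10:40:00"),
    ("account4", "198.51.100.99", "2024-01-05T10:55:00"),
    ("account5", "192.0.2.44",    "2024-01-07T09:00:00"),
]

def logging_looks_broken(records, max_share=0.8):
    """True when capture looks wrong for everyone: at least max_share of the
    accounts sit on a single IP, or on internal addresses (app sees its proxy)."""
    by_ip, internal = defaultdict(set), set()
    for account, ip, _ in records:
        by_ip[ip].add(account)
        if any(ip_address(ip) in net for net in INTERNAL):
            internal.add(account)
    total = len({account for account, _, _ in records})
    if total == 0:
        return False
    top = max(len(accounts) for accounts in by_ip.values())
    return max(top, len(internal)) / total >= max_share

def shared_ip_pairs(records, window=timedelta(minutes=60)):
    """Distinct account pairs seen on the same IP within `window` of each other."""
    seen = defaultdict(list)
    for account, ip, ts in records:
        seen[ip].append((datetime.fromisoformat(ts), account))
    hits = set()
    for ip, events in seen.items():
        for (t1, a1), (t2, a2) in combinations(events, 2):
            if a1 != a2 and abs(t1 - t2) <= window:
                hits.add((ip, *sorted((a1, a2))))
    return sorted(hits)

if __name__ == "__main__":
    print("capture looks broken:", logging_looks_broken(SAMPLE))
    print("shared within 60 min:", shared_ip_pairs(SAMPLE))
```

A pair returned here is still only a lead: shared NAT (a campus, office or household) produces the same result, so it is weighed together with registration IP and behaviour, as the posts above describe.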

Thanks so much for the response!

That seems to be a reasonable assumption. I’m not the actual admin for my site/community, so I’m not sure if there is something about the setup/configuration that might somehow create sporadic/random failure. But I have a hard time imagining something that would create sporadic failure, and not complete failure. Or, at least, routine and regular failure.

Thank you. This is reassuring to us in case we decide to take disciplinary mod action based upon observed IP “proof” that someone has duplicate accounts.

And I hope that I set up my example in a way that communicated how we already vetted the geographic reporting, and also heavily considered the “personalities” and posting history of the members to reach the conclusion that the matching IPs are all but certainly not benign coincidence.

The only reason why we struggle with that conclusion is that, in the most recent case, we have matching IPs that just cannot be benign coincidence, but involve two accounts/members that have radically different writing styles and even demeanors. Totally different levels of apparent/seeming literacy and style.

But given that I haven’t found any trace of any discussion for any other Discourse site mods seeing “phantom” IP matches, I guess the more logical conclusion is that we have someone using a residential IP proxy to run alternate accounts. And goes to a great deal of effort in being mindful of maintaining separate personalities.

This probably settles it, but I’m also going to try to dig through some of our mod discussion to review prior discussions of IP matches that we thought were potentially “phantom” ones. And see if there’s any meat to those bones that might be useful to put on the record in this forum.

Thanks again.

2 Likes