IP transfers

[SirChick]

Is it wise to block same IP transfers on a site...?

 

I keep a list of all the ip's a user has logged in on and was thinking if one of the ip matches any other other person's IP then it will block the transfer... but if this a wise idea cos i know alot of people have dynamic IP and so alot of people will be based on the same ip..

 

Do you think its a good or bad idea?

[revraz]

What do you think the threat is if they are from the same IP?

[SirChick]

If one person has like 10 accounts they all earning money and he then sends all that money to just one account he is technically earning 50x more than any other user which is cheating..

[BenInBlack]

This doesnt work because you can have a lot of computers under a router that make them look like 1 external IP, so you can have many legitimate users, but to you they would look like they need to be blocked.

[SirChick]

Damn.. what other way can I prevent this?

[revraz]

Impossible to prevent.  The best thing you can do is try not let them register more than once.  Set it for they can't use a free email account will help curve this.

 

And I would say for your purpose, even if they were behind the same router, that probably means they are cheating to if they only transfer with members of the same IP.

[PHP_PhREEEk]

Actually, tracking IP's is fairly accurate. I'd say at least in the area of 95% or greater. You have to open yourself up to communicating with those who end up banned, and figure out if they have a legitimate reason for sharing an IP. This takes a substantial amount of overhead programming, but is entirely possible.

 

One very big problem I ran into with this, is the fact that AOL users often are assigned an entire range of IP's, or what can be referred to as a 'pool'. This is the only ISP that I had this problem with. Normally, with users who have dynamic IP's, they will at least use one IP address for an entire session, and many times use the same IP over a period of days, weeks, even months before getting a different IP. This AOL problem arises because the AOL router assigns an IP out of their pool for each and every page request. So if a AOL user visits your site and accesses 10 pages, they might use 10 different IP's for that session. If you have 5 users that have Road Runner as their ISP, it would be extremely rare for their IP's used to collide with each other. However, the same 5 users using AOL would probably ALL collide immediately.

 

I solved it this way, hence the overhead: I setup a bool field in the MySQL users table called aol_exempt. If a AOL user signed up on my site and was banned for IP collision, I contacted them immediately (I had a log system that would email me bans immediately). I required them to email me a snail mail address, and I then sent them a snail mail with an auth number in it. Once they responded to the snail mail challenge, I updated aol_exempt = 1, which then bypassed the IP check routine for just them. I never had any complaints about this system, because legitimate users of my site appreciated the level of authorization implemented, therefore keeping it 'fair' for everybody.

 

It took a TON of programming to do all of the security checks. I spent nearly a month programming it all and tweaking it just right, but in the end, I was very satisfied that if any multiple accounts existed, they were only an extremely small handful. I kept meticulous logs, and the logs always suggested that the legitimate users were getting what they wanted.

 

PhREEEk