Is this the same person? - A question for forums administration

britechguy

I really don't know exactly where this question fits in the technibble forums, but I have to believe that there are a number of folks here who may be in a position to answer it.

I moderate on a couple of different sites, and most of my duties don't involve trying to ferret out if impersonation is going on, particularly in the case of a previously banned user, but I now have one instance where I very strongly suspect that I've got just that going on.

If anyone here routinely has to perform the detective duty to determine whether someone is who they say they are, and knows of tools that can be used as part of that process, would you mind sharing?

If this topic should be elsewhere, then please move it, and if it's entirely inappropriate, please lock or delete it.
 
Have you taken any steps so far? How about IP tracing/Same IP? I believe your course of action will depend on what type of "data" you have about the user currently, now and past, and what "tracking" your software/network/site has the ability to obtain.
 
Well, I'm at square one right now, hence the reason I'm looking for a broad range of suggestions.

It may be nothing, and I actually hope it's nothing, and at the moment I have no idea what historical data we may, or may not, have with regard to the e-mail addresses/IP addresses that were previously banned.

I also presume that there are likely websites that are purpose dedicated tools for this sort of research, but I'll be darned if I would even know how to craft the correct search terms to find them.
 
Logging is variable. Personally I don't have any experience with forum software, but I do know that logging is usually set to something that's informative, not overly detailed. So you should at least have the IP address of when a set of credentials is used to log in/attempt to log in. That would include account creation. I'd expect you to need administrator-level privileges.

I'm guessing most sites run on top of a *nix so all the logging should be in /var/log. Most *nix apps also put their logging there as well.

1. Make a list of reasons that are causing you to doubt their identity.
2. Whois the IPs to find who owns them.
3. Try to engage the user in an email exchange. Then use mxtoolbox on all of them to parse the headers to see if there are any clues.
4. These two websites will help identify if IPs are tied to Tor or not. Many sites outright block Tor exit nodes for obvious reasons. https://ipduh.com/ip/tor-exit/, https://metrics.torproject.org/exonerator.html
 
Brian, I'm out right now, but when I'm back in the workshop later I'll give you a shout. Maybe I can help you with the problems you're going through.
 
I'm a mod over at www.speedguide.net, most forum engines have admin tools where you can see IP addresses of the users. Usually a button labeled "IP" you can hover over right on the posts. And you can go to the admin portion of the users list and bring up a user and see a list of prior IP addresses. Yes some users may use a VPN/anonymizer...but that may be against forum rules in the first place so there's a reason for you to swing the ban hammer.

Also have a registration email address....while yeah I'm sure they don't use the same one, it may be from the same mail host, and/or show a username pattern.

Combine those along with "personality" shown in that user's posts...and you can come up with a pretty reasonable conclusion.
 
Yes some users may use a VPN/anonymizer...but that may be against forum rules in the first place so there's a reason for you to swing the ban hammer.

First and foremost, a big thanks to all who've posted replies. They are very much appreciated.

As to the above, good luck enforcing that, if such a rule exists. Given that VPNs are now the "hot, hot, hot thing" that so many are using whether they really need to or not, such a rule becomes entirely unenforceable. This was not always the case, but it certainly is now.
 
As to the above, good luck enforcing that, if such a rule exists. Given that VPNs are now the "hot, hot, hot thing" that so many are using whether they really need to or not, such a rule becomes entirely unenforceable. This was not always the case, but it certainly is now.
This. I'm usually behind a VPN and I've never gotten banned for it. I have both a dedicated VPN (for websites like 4chan that ban VPNs) and I also use NordVPN for sites that don't care. It's pretty rare that I access websites unprotected.
 
IP-based access controls have been all but useless on forums for quite some time now. Ban based on disruptive behavior, and assume that your bans will be bypassed.

Most people have dynamic IPs from their ISPs anyway. Those addresses change, sometimes rapidly, sometimes not... but always when forced by the user. This was true well before 3rd party VPN services came along. The popularity of which confuses me, since they don't do what people think they do.
 
Well, attempts to get around bans are as old as forums themselves.

It's also not unusual for VPNs not to be involved, either.

One site I now know of from other sources is StopForumSpam, https://www.stopforumspam.com/search, which is still IP based and widely used.

While VPNs are "hot, hot, hot" not everyone uses 'em nor do many know how. Amateur spammers or cranks aren't the sharpest tools in the shed in many cases.
 
Yeah, so you wind up checking IP addresses to see what VPN service or ISP they belong to, and if they stay the same in that arena, along with a similar registration email address / NIC, along with posting language styles...

Well it's not hard for the human to connect the likely dots, but how you handle that depends on the forum. I'm not involved in moderating anything anymore, but I have been there and done that as it were.

I assume you've checked with the forum's ownership? They should have some sort of a policy for this sort of thing, it is as you say... not new.
 
It is not new, but it's also on a blind-technology-related group, and the depth of experience with this sort of thing is generally more shallow. It's a relatively rare occurrence to get spammers and trolls in that particular community.

As it stands now, I believe my own concerns may have been unwarranted, but better to be prepared in the event they might not be in the future.
 
Yeah, sounds like a great time to get the staff to have a conversation on the topic, and define the policy going forward.
 
they don't do what people think they do.
They do mask where my traffic is going from my ISP. I don't want any company knowing everywhere I visit online. It's a matter of privacy. I buy my VPN service anonymously with crypto and I don't visit any websites with legitimate/identifying information. I like to keep everything as separate as possible online. Every website I'm registered with has a unique username/email address and I never use my real information when registering. Call me paranoid all you want, but if you ever get attacked online and they track you down IRL, you'll be paranoid too.
 
Yup attempts to get around bans are constant. It can be a tiring cat 'n mouse game.
Over at Speedguide we have an add-on for vBulletin, called Spam-O-Matic. Makes our lives easier.

Regarding the IPs...and dynamic IPs...and anonymizers....I'm not saying to spend all your time coming up with blocks of those IPs ...but to use the information you should gather from the IPs. You can narrow down subnets to get a particular area....the leg of an ISP's network in a certain area of the state. Subnets are just smaller local legs of an ISP's network, for the majority of 'em.

The information you gather..combined with viewing the posts of the "suspect person"...gives you more ammo, or less ammo, to make your move with the ban hammer. Or decide not to.
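
An added example, not part of any poster's reply: the subnet and mail-host comparison discussed in the thread, run over a forum's login history. The account names, e-mail addresses and documentation-range IPs are constructed, and the /24 prefix is an assumption; real ISP allocations vary, so a match is a hint to weigh alongside posting style, not proof.

```python
import ipaddress

# Constructed sample data: (account, login IP) pairs as exported from
# a forum's admin panel, plus registration e-mail addresses.
LOGINS = [
    ("banned_bob", "203.0.113.17"),
    ("banned_bob", "203.0.113.88"),
    ("banned_bob", "198.51.100.5"),
    ("new_user42", "203.0.113.140"),
    ("new_user42", "192.0.2.9"),
    ("regular_amy", "192.0.2.77"),
]
EMAILS = {
    "banned_bob": "bob.smith77@mail.example",
    "new_user42": "b.smith78@mail.example",
    "regular_amy": "amy@other.example",
}


def subnets(user, prefix=24):
    """Return the set of /prefix networks a user has logged in from."""
    return {ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            for u, ip in LOGINS if u == user}


def overlap_report(banned, prefix=24):
    """For every other account, list the signals it shares with `banned`."""
    banned_nets = subnets(banned, prefix)
    banned_host = EMAILS[banned].rsplit("@", 1)[1].lower()
    report = {}
    for user in sorted({u for u, _ in LOGINS} - {banned}):
        signals = []
        shared = banned_nets & subnets(user, prefix)
        if shared:
            signals.append("subnet:" + ",".join(sorted(map(str, shared))))
        # Same mail host as the banned account's registration address.
        if EMAILS.get(user, "@").rsplit("@", 1)[1].lower() == banned_host:
            signals.append("mailhost:" + banned_host)
        if signals:
            report[user] = signals
    return report


if __name__ == "__main__":
    for user, signals in overlap_report("banned_bob").items():
        print(user, signals)
```

Accounts that share no signal with the banned account are left out of the report; widening or narrowing `prefix` changes how coarse the "same leg of the ISP's network" comparison is.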
 