How to prevent unwanted users from accessing a public website? - security

Many unwanted users are creating fake accounts on our website to pester us.
What can we do?

Add a captcha to keep out robots, then monitor IP addresses for multiple create attempts and block the ones that make more than 1 or 2 (depending on the nature of the site).
If you give us your web service software name (IIS, GlassFish, Tomcat, etc.) there may be some more specific add-ons that could help you.

You can require all new accounts to be manually accepted by an admin before they're activated. Checking the IPs for multiples is okay, but ineffective if they're using proxies.
Generally, you just have to make it enough of a pain so that they get bored and move on.

Most websites do these things to prevent that:
Create an email verification while registering.
Add a captcha to the register form.
Do not accept emails from temporary/disposable email services.
Monitor IP addresses and block them from creating multiple accounts.
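Two of the controls listed in this thread (rejecting disposable mail domains and limiting sign-ups per source address) can be put in front of a registration handler with a few dozen lines. The following is an added example, not code from any answer above; the disposable-domain list is constructed (placeholder `.example` names), the limit of two sign-ups per network per hour is an assumed policy, and the per-/24 and per-/64 bucketing is a choice that makes trivial address rotation inside one network less effective while, as one answer notes, still doing nothing against real proxy networks.

```python
"""Registration abuse guard: rate-limits account creation per source network and
rejects disposable e-mail domains. Added illustration, not code from the thread."""
import ipaddress
import time
from collections import defaultdict, deque
from typing import Optional, Tuple

# Constructed sample blocklist of disposable/temporary mail domains (placeholder names).
DISPOSABLE_DOMAINS = {"mailinator.example", "tempmail.example", "10minute.example"}


def email_domain(email: str) -> Optional[str]:
    """Return the lower-cased domain part of an address, or None if malformed."""
    if email.count("@") != 1:
        return None
    local, domain = email.rsplit("@", 1)
    if not local or not domain or "." not in domain:
        return None
    return domain.lower().strip(".")


def is_disposable(email: str) -> bool:
    """True if the address is on a disposable domain or any subdomain of one."""
    domain = email_domain(email)
    if domain is None:
        return True  # malformed addresses are rejected as well
    parts = domain.split(".")
    # Check sub.example.com, example.com, ... so a subdomain does not bypass the list.
    for i in range(len(parts) - 1):
        if ".".join(parts[i:]) in DISPOSABLE_DOMAINS:
            return True
    return False


class SignupLimiter:
    """Sliding-window limit on sign-ups per source network.

    Assumed policy: `limit` sign-ups per `window_s` seconds per /24 (IPv4) or
    /64 (IPv6). This raises the cost of abuse; it does not stop proxy networks.
    """

    def __init__(self, limit: int = 2, window_s: int = 3600, clock=time.monotonic):
        self.limit = limit
        self.window_s = window_s
        self.clock = clock          # injectable so the behaviour can be tested offline
        self._events = defaultdict(deque)

    @staticmethod
    def bucket(ip: str) -> str:
        addr = ipaddress.ip_address(ip)
        prefix = 24 if addr.version == 4 else 64
        return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

    def allow(self, ip: str) -> bool:
        """Record one attempt and report whether it is within the limit."""
        now = self.clock()
        q = self._events[self.bucket(ip)]
        while q and now - q[0] > self.window_s:
            q.popleft()             # drop attempts that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def check_signup(email: str, ip: str, limiter: SignupLimiter) -> Tuple[bool, str]:
    """Return (accepted, reason). Cheap, local checks run before anything else."""
    if is_disposable(email):
        return False, "disposable or malformed e-mail address"
    if not limiter.allow(ip):
        return False, "too many sign-ups from this network; try later"
    return True, "ok: send the verification mail, then captcha/admin approval as configured"
```

`check_signup` is meant to run before the account row is written, so a rejected attempt costs nothing but the check itself; the captcha and manual admin approval from the other answers sit after it.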

Related

Migrate G Suite to two separate G Suites

I have one G Suite account with three domains (mainly many emails).
Now I would like to separate one domain into another, fresh G Suite account. Of course with historical emails.
Does anybody know how to do this? Is it possible without the G Suite support team?
There are different ways of doing this and yes, you can do it yourself. Please consider that it can be tricky depending on the amount of data you want to move.
The main steps are:
Create a new account with a temporary domain (the same domain cannot be in two consoles at the same time).
Migrate all the contents from your current account to the new one. You have different options to do this. The cheapest one is the Data Migration Service (DMS), which will only allow you to migrate email using the IMAP protocol (so you need to know the users' passwords). Google support for the DMS is best effort, so if you have time and budget I recommend using a commercial tool (my tool of choice here is Cloud Migrator) that is also able to migrate calendar items and Google Drive files using the Google APIs (so it is transparent for the users).
On a cut-off date that you agree with your users, you remove the domain from the original console, add it to the new one and perform a mass rename (my tool of choice here is GAM).
There are many variables that can make the process much more complex and that are difficult to describe in a single answer; this kind of activity usually requires a dedicated project and a (small) team. I really suggest you get some help.
A word of warning:
I did this on Bluehost (transferring G Suite ownership of a domain from one Bluehost account to another) through Bluehost customer support.
It took 3 separate calls to Bluehost to get everything fully moved over. Make sure that your hosting provider sends you an email confirmation that everything happened successfully, because as a reseller of a Google product, they may not have complete authority over transferring ownership of Google's product.
Best regards.
Also, in reference to the domain, go to Google Domains and you can see all the options you have in reference to your domain, website, etc. It is very self-explanatory.
wc.

Access Website With Reverse Proxy

I'm hoping to get some kind of idea if what I have in mind is even possible or if I'm looking in the wrong place.
Basically, my company provides a website which users are able to access online with credentials we sell and provide them. We have another potential customer who would like to access this website. Sadly this customer is very stuck in the past, and they don't allow their users any internet access at all.
For a number of reasons, I don't want them to host their own version of this website. However, I considered that we might configure a web proxy on their network (which is given internet access) which reverse forwards connections to our website. Is this even possible? And should it be attempted? Or are there better ways to achieve this?
Yes, it's possible. You can install a simple proxy script on their intranet, for example
https://github.com/Athlon1600/php-proxy-app
and modify the index.php to allow only a single host (your website) from there.
I don't know what technology you can use on their intranet network, but such software is available for virtually every web language.
Here is some discussion related to "Access the sites blocked over the network" that is just for Gmail, but it will definitely help you too:
https://superuser.com/questions/453825/how-to-bypass-web-url-filtering-service-to-access-blocked-websites-proxy
For bypassing the firewall and getting access to the blocked sites:
http://www.makeuseof.com/tag/how-to-get-into-blocked-websites-in-school-with-freeproxy/
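The security-relevant point in the question is that the box on the customer's network must forward to exactly one licensed site and nothing else; if it honours absolute-form request targets or follows redirects to other hosts, it becomes an open forward proxy and the customer's no-internet policy is silently broken. The following is an added example in Python's standard library (not the php-proxy-app project's code and not from the answer), assuming the licensed site lives at the placeholder `https://app.example`. It accepts only origin-form targets (`/path?query`), strips hop-by-hop headers, refuses `CONNECT`, and passes 3xx responses through rather than following them.

```python
"""Minimal single-upstream reverse proxy. Added example: forwards only to UPSTREAM
and refuses every request shape that would make it an open proxy."""
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from typing import Optional
from urllib.error import HTTPError
from urllib.parse import urlsplit, urlunsplit
from urllib.request import HTTPRedirectHandler, Request, build_opener

UPSTREAM = "https://app.example"   # assumption: the vendor site the customer is licensed for
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailers", "transfer-encoding", "upgrade", "host"}


def upstream_url(request_target: str) -> Optional[str]:
    """Map the client's request-target to an upstream URL, or None if it must be refused.

    Only origin-form targets ("/path?query") are accepted. Absolute-form targets
    ("http://other.example/...") and authority-form targets ("other.example:443")
    are what a browser sends to a forward proxy; honouring them would expose the
    whole internet through this box.
    """
    if not request_target.startswith("/") or request_target.startswith("//"):
        return None
    parts = urlsplit(request_target)
    if parts.scheme or parts.netloc:
        return None
    base = urlsplit(UPSTREAM)
    return urlunsplit((base.scheme, base.netloc, parts.path, parts.query, ""))


class _NoRedirect(HTTPRedirectHandler):
    # Return None so urllib raises HTTPError for 3xx; the proxy relays the status
    # and Location header to the client instead of fetching an arbitrary host itself.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


OPENER = build_opener(_NoRedirect)


class SingleUpstreamProxy(BaseHTTPRequestHandler):
    def _proxy(self):
        target = upstream_url(self.path)
        if target is None:
            self.send_error(403, "this proxy only serves the licensed site")
            return
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        headers = {k: v for k, v in self.headers.items() if k.lower() not in HOP_BY_HOP}
        headers["X-Forwarded-For"] = self.client_address[0]
        req = Request(target, data=body, headers=headers, method=self.command)
        try:
            with OPENER.open(req, timeout=30) as resp:
                self._relay(resp.status, resp.headers, resp.read())
        except HTTPError as e:                # 4xx/5xx and (with _NoRedirect) 3xx land here
            self._relay(e.code, e.headers, e.read())

    def _relay(self, status, headers, body):
        self.send_response(status)
        for k, v in headers.items():          # items() keeps duplicate Set-Cookie headers
            if k.lower() not in HOP_BY_HOP and k.lower() != "content-length":
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = do_POST = do_HEAD = do_PUT = do_DELETE = do_PATCH = _proxy

    def do_CONNECT(self):                     # tunnelling is never allowed
        self.send_error(405, "CONNECT not supported")


if __name__ == "__main__":
    ThreadingHTTPServer(("0.0.0.0", 8080), SingleUpstreamProxy).serve_forever()
```

Relaying a 3xx unchanged means a `Location` header will still name the upstream host, which the customer's clients cannot reach; a production deployment rewrites that header (and absolute links in HTML) to the proxy's own name, and should add TLS on the client-facing side and an allowlist of client networks.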

WebSense scanning my site

Good afternoon,
Recently a Websense bot (or employee) scanned my website.
Let's start with the fact that my website is dedicated to a really small group of people in a specific country, and so before that I had a regional filter which blocked them. I also heard that they don't really have a good opinion (in the past, these policies have been criticized because they can block innocent websites or content protected by free speech). But I'm not sure if that is enough...
I wanted to range-ban their IPs; the problem is I can't find any lists with them...
Am I safe with only a regional blockade?
You can try searching ARIN or RIPE, but neither that nor regional blocking can protect you totally. It can be bypassed by using proxy servers or a VPN in your specific country.
If the group is really small and your website is really confidential, try SSL client certificate authentication.
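If the range-ban route is taken anyway, the mechanics are small: a text list of IPs and CIDRs (whatever a registry lookup yields), merged into as few ranges as possible, checked against each client address, with IPv4-mapped IPv6 addresses normalised so `::ffff:a.b.c.d` cannot slip past the IPv4 rules. The following is an added example, not from the answer; the ranges in it are constructed from documentation prefixes and are not anyone's real address space. As the answer says, this only raises the bar: a proxy or VPN inside the allowed region defeats both this and a regional filter.

```python
"""Range-ban helper: load a text list of IPs/CIDRs and test client addresses against it.
Added example. The ranges below are constructed (RFC 5737/3849 documentation
prefixes), not real scanner ranges."""
import ipaddress
from typing import List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

SAMPLE_LIST = """
# constructed block list: one IP or CIDR per line, '#' comments allowed
203.0.113.0/25
203.0.113.128/25      # adjacent to the line above; collapsed into one /24
198.51.100.7
2001:db8:abcd::/48
"""


def parse_blocklist(text: str) -> List[Net]:
    """Parse the list, failing loudly on a malformed line rather than silently skipping it."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {line!r} is not an IP or CIDR") from exc
    # collapse_addresses needs a single address family, so merge v4 and v6 separately
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


class RangeBan:
    def __init__(self, nets: List[Net]):
        self.v4 = [n for n in nets if n.version == 4]
        self.v6 = [n for n in nets if n.version == 6]

    def is_blocked(self, ip: str) -> bool:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return True                     # unparsable remote address: fail closed
        if addr.version == 6 and addr.ipv4_mapped:
            addr = addr.ipv4_mapped         # ::ffff:a.b.c.d must hit the IPv4 rules
        for net in (self.v4 if addr.version == 4 else self.v6):
            if addr in net:
                return True
        return False


def blocked_count(nets: List[Net]) -> int:
    """Number of ranges after merging; useful to sanity-check a freshly loaded list."""
    return len(nets)
```

Wire `is_blocked` in at the edge (a WSGI middleware or the web server's own deny rules) using the real peer address, not a client-supplied `X-Forwarded-For` header, or the check can be bypassed by anyone who can set that header.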

How to identify visitors are unique?

I'm trying to make an internet voting service, but the problem is that the internet is just so easy to cheat on by creating multiple accounts and voting for the same thing. Captcha and email are not helping, as it takes a human just 3 seconds to pass them. IP can be changed by proxy. If we put some cookie on the voter's browser, he just cleans it next time.
I created this question to ask for help with methods we can use, with basic features that all browsers have (JavaScript etc.), to prevent our service from being cheated easily.
The first idea I have myself: is it possible for my website to access all the cookies the user has in his browser just by visiting my site? Because when they clean everything with CCleaner for new accounts, then I can understand the browser is empty, so the person is perhaps a cheater, as most real users, when they come to my site, always have at least several cookies from different sites.
There is no way to address the issue of uniquely identifying real-world assets (here: humans) without stepping out of your virtual system, by definition.
There are various ways to ensure a higher reliability of the mapping "one human to exactly one virtual identity", but none of them is fool-proof.
The most accessible way would be to do it via a smartphone app. A human usually only has one smartphone (and a phone number).
Another way is to send them snail mail to their real address, with a secret code, which you require them to enter in your virtual system.
Or the social insurance number.
Or their fingerprints as login credentials.
The list could go on, but the point is, these things are bound to the physical world. If you combine more such elements, you get a higher accuracy (but never 100% certainty).

Secure captive portal?

We would like to run a wireless access point for public use. However, in case of misbehavior, we would like some personal information to be able to pass on to law enforcement.
The proposed solution involves a captive portal where users enter their email addresses, and are then given ten minutes to check their email and verify, after which they are given unrestricted access.
The problem, as I see it, is that once a user is authenticated, anyone can come along, spoof the MAC or IP, and then have access. If they commit a crime or copyright infringement, the user who entered the email address is now blamed.
Now, we could solve that by using WPA and requiring users to preregister. But as I said, we would like to allow anyone to just drive up and use it, and we don't want to provide any technical support.
The other alternative is not collecting email addresses, but then in case of an investigation or lawsuit, we wouldn't have anything to hand over, and thus risk the possibility of being shut down.
Is there any way out of this dilemma?
Collecting email would also be futile since you have no good way of confirming it without also providing compromised access. You should simply log the traffic that the user generates.
The answer is to not care about unsatisfiable demands from law enforcement for the personal information of your users. If that's not an acceptable answer, then the answer is to stop trying to provide a public access point. If that's not an acceptable answer either, then the answer is the proposed solution you already have. How you go about living with yourself afterward, for collecting personal information from law abiding people that will only ever be used by criminals to cover their tracks, is a personal matter and out of scope for this site. Good luck.
Having the end-user accept a legal disclaimer that you (the provider) are not responsible and they (the end-user) are responsible, and that they should not do illegal things is usually good enough. Just log that they clicked "I agree" and their IP and MAC at the time. They should have to do this every time they connect.
Asking for an email is basically worthless; many will use a made-up email, or enter a typo, then complain they never got it - many will use a disposable email - many will use a junk account they create with one of the free webmail providers.
A system that sends their mobile phone a TXT message with a unique (random) code, and having that entered on the captive portal page to gain access is a better system IMHO. I've done this before and it works OK, except for kids who have mommy's iPad or another tablet but no phone. You save all this data for 90+ days, or however long your lawyers tell you.
Realize that implementing any of this significantly decreases the actual use of your hotspot, users don't have the patience and will be frustrated and abandon the process.
Most captive portal products can log the MAC and IP lease every client gets, and where they go on the Internet (at least that's how I do it), so if a legal request comes along, you can give law enforcement the data you have. It's up to law enforcement to then stake out or track down the device with that MAC, which depending on their competency level is possible or impossible for them; either way it's not your job to do their job for them.
I also advocate filtering the obvious porn and malware domains, not just to save on bandwidth, but to limit your liability. Any good captive portal product can do this.
Your public wireless network should at the least be NAT'd to a separate static IP, so you can differentiate legal requests that reference that IP, as opposed to say your private office network. You can do this with separate firewalls, or a firewall that supports multiple LAN interfaces.
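The "secret code sent to something physical" idea appears twice on this page: the voting-service answer suggests a code delivered to a mailbox or phone, and the captive-portal answer describes a random code texted to a phone, entered on the portal page, with the "I agree" click, MAC and IP logged and retained. The server-side part of that flow is the same in both cases, so one added example (mine, not from either answer) covers both. It assumes six-digit codes, the ten-minute window from the question, and a cap of five guesses per code, and treats delivery (SMS or e-mail gateway) as out of scope: the caller sends whatever `issue_code` returns. Only a hash of the code is stored, comparison is constant-time, and each code is single use.

```python
"""One-time verification code flow with the audit record the answers say to keep.
Added example. Delivery of the code is the caller's job."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List

CODE_TTL_S = 10 * 60      # the ten-minute window from the question
MAX_ATTEMPTS = 5          # a 6-digit code is guessable if attempts are unbounded


@dataclass
class Pending:
    code_hash: bytes
    contact: str          # phone number or e-mail the code was sent to
    ip: str
    expires_at: float
    attempts: int = 0


@dataclass
class Session:
    mac: str
    ip: str
    contact: str
    accepted_terms_at: float


class CaptivePortal:
    def __init__(self, clock=time.time):
        self.clock = clock                       # injectable for offline testing
        self.pending: Dict[str, Pending] = {}    # keyed by client MAC
        # Retention period is a legal question (the answer says 90+ days); this
        # in-memory list stands in for a durable, append-only store.
        self.audit_log: List[Session] = []

    @staticmethod
    def _hash(code: str) -> bytes:
        return hashlib.sha256(code.encode()).digest()

    def issue_code(self, mac: str, ip: str, contact: str) -> str:
        """Create a fresh code for this client; only its hash is kept server-side."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[mac] = Pending(self._hash(code), contact, ip, self.clock() + CODE_TTL_S)
        return code

    def redeem(self, mac: str, ip: str, code: str, accepted_terms: bool) -> bool:
        """Grant access if the code matches, is unexpired, and the terms were accepted."""
        p = self.pending.get(mac)
        if p is None or not accepted_terms:
            return False
        if self.clock() > p.expires_at or p.attempts >= MAX_ATTEMPTS:
            del self.pending[mac]                # expired or burned: a new code is needed
            return False
        p.attempts += 1
        if not hmac.compare_digest(self._hash(code), p.code_hash):
            return False
        del self.pending[mac]                    # single use
        # This records which MAC/IP was authorised, by whom, and when. It cannot prove
        # who used a MAC that was spoofed afterwards (the question's concern), only
        # which contact accepted the terms for it at that moment.
        self.audit_log.append(Session(mac, ip, p.contact, self.clock()))
        return True

    def sessions_for(self, ip: str, start: float, end: float) -> List[Session]:
        """What can be handed over for a request naming this IP and a time window."""
        return [s for s in self.audit_log if s.ip == ip and start <= s.accepted_terms_at <= end]
```

Keying pending codes by MAC means a client that re-requests a code replaces its earlier one, which also bounds the table's size; a deployment would add a per-contact limit on how many codes can be requested per hour so the SMS gateway is not used to flood someone's phone.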
