Everything in Moderation {click to return to homepage}

"Out of moderation a pure happiness springs." Johann Wolfgang Von Goethe

The importance of IP addresses...

October 13, 2003

When you've run an online community for any period of time, then you'll come up against trouble-makers - people whose sole purpose appears to be to try and interfere with the community you've created by any means possible. Mostly these people are short-term annoyances and are easily weathered, but occasionally they'll continue to be a problem in perpetuity unless you do something about it. They may post using multiple user-names (if that functionality is available to them) and they may become quite abusive.

The first tool at your disposal in identifying and dealing with this kind of troll should be their IP (Internet Protocol) address. Every computer that accesses the internet has an IP address - which (in the case of people who connect from home) is normally allocated by the user's ISP when they attempt to connect to the net. When a web browser goes and gets information off the internet, it tells that server the IP address of the computer it's using to access the internet. The address is then duly recorded (normally) in the logs of the server that is hosting the content. Bear in mind that the specific IP address will most likely change each time a person connects to the internet through their ISP, but all ISPs only have certain number of IP addresses available to them, and you can check any one of them fairly easily.

IP addresses can be profoundly valuable pieces of information to have. For a start they can tell you whether your troublemaker is using an ISP to connect to the internet and if they are they can also tell you which ISP they are using - which will tell you loads of information about roughly where in the world your troll is based as well as helping you get in contact with their abuse department. The ISPs, of course, know precisely which of their customers have which IP address allocated to them at any given moment in time and are more than capable of rescinding access to the internet if they're convinced their user has been abusive. That is - of course - if you're prepared to push the issue (and they agree that the person concerned is breaking their Terms and Conditions). Bear in mind, though, that these abuse departments will often ask for the server logs that recorded the specific abusive behaviour. This can be fiddly information to find - particularly if you are not particularly technically able. It's also worth bearing in mind that getting someone banned from a specific ISP might not be enough to stop your problems, since there are many other ISPs in the world. You may end up just enflaming the problem user.

On occasion you might find a troll accessing your site via an IP address that comes from an employer or an academic establishment. It's worth considering the implications of contacting these institutions directly. It should be a particularly effective mechanism for putting pressure on a user to leave your site alone if they're a particularly hardcore problem (causing legal difficulties or engaging in harrassment and the like) - but the ethics of this kind of thing are a bit problematic unless you've spelled them out to all new users. And of course if a user is really alarming, then it can be best to find a way of alerting the authorities.

Even if you don't intend to go to the extreme of contacting the ISP, employer, school or University - the IP address is still a profoundly significant and useful tool. First things first, it can help you group together various user names that you believe might simply be the same person. If different users have the same IP address within a short period of time then it's an indication that those users share a least a computer, if not a real-world person behind the scenes. Even different IP addresses from the same ISP can help you narrow your focus if there's suspicion that an abusive user has returned to the site. Secondly, they can help tell you who isn't your troll - or indeed (in extreme cases) how many trolls you actually have to contend with. This whole element is based around trying to tie user names more effectively to real-world users in some effective way.

And of course, knowing the IP address opens up a number of technical solutions. Firstly - with a bit of technical nous - it's possible to tell your board software not to let users with certain IP ranges login, post or even see your online community. This isn't always a brilliant solution because in order to block an AOL user via their IP address alone, you'd most likely have to block a great many other AOL users as well since their IP addresses are dynamic and will move around to other users. But if your troll accesses mostly through a small ISP, company or academic institution then it can be much easier just to block the whole establishment than deal with the complexities of any individual user.

Because of how useful IP addresses are, it's well-worth trying to use community software that records them every time every one of your users connects or posts. And if you're building the software yourself, it should be one of the first objectives to build this kind of tracking in. You will have a systematic troll at some point and it's well worth being ready for it. And if you're a commercial operation it's pretty much the baseline for being able to run an online community without being irresponsible - and that level of responsibility may become particularly important on those rare occasions where you might find yourself threatened with court because of the behaviour of one of the people who use your service.


Oscar Merida said:

One complication in collecting IP addresses is the possibility that a user is using a proxy server to request content from your site. In that case, you'll want to get the HTTP_X_FORWARDED_FOR header. Here's how you'd do it in php: http://www.phpbuilder.com/mail/php3-list/199912/3757.php

Ben Edwards said:

I've got a situation at the moment where a particular piece of abuse on our message board links directly to a single IP, used by one user, but I'm almost certain that user is not responsible for the attacks. However, I know that another much more likely culprit has been 'attacking' this user with IM trojans, but I really can't prove they have done anything and the user I'm dealing with is not nearly techie enough to come up with evidence herself.

Without hard evidence it's really difficult to deal with the serious troublemakers. Often they are tech-savvy and when confronted just deny everything. I hate losing to the bastards, and wonder if anyone has other strategies for dealing with them?

Christian said:

With respect to HTTP_X_FORWARDED_FOR it should be noted, that this value cannot necessarily be trusted. If the user is not using a proxy server, he can supply whatever value he wants in this field.

Thus HTTP_X_FORWARDED_FOR should not be logged instead of REMOTE_ADDR, but in addition to it.

Carol said:

How do I report an abusive and demeaning person to their ISP. This guy stalks our message board community and calls people morons and other demeaning comments. Prime example of narcissistic personality disorder. He thinks he's so clever as he has software which prevents the message board administrator from banning his posts. His ISP is

Sam Rowlands said:

Carol, use nslookup and find the person ISP. Then contact the ISP and if they are a responsible ISP they will want to some evidence. Show it to them and they should then warn him or disconnect his internet access. I friend of mine had a similar problem, he went to the ISP and told the ISP this guy was issuing child pron, he threatend the ISP with negligence and they buckled cutting the guys internet access.

Post a comment

Remember personal info?