View Full Version : May have banned user posting under diffrent account.
huskermax
08-04-2012, 03:51 PM
So I have two users that were banned. I have a pay site. both of these users know each other. First one was banned started another account using his son's credit card but we matched up the ip to his old account.
The 2nd guy get's banned a few weeks later.
Have a new account set up, very active poster that posts just like the 2nd guy that is banned. All of my mods feel like it is the same guy. Different credit card and location then the 2nd banned guy.
IP's used are all local to the LA, California area. (2nd banned guy lives in Texas)
163.150.11.151 - CA (San Bernardino County Superintendent of Schools)
163.150.13.112 - same
163.150.22.112 - same
163.150.28.188 - same
66.74.192.130 - Twentynine Palms, CA
66.74.196.111 - Twentynine Palms, CA
10.80.127.201 - Unknown
The bolded one is new from the last few weeks. On the .com site I have been told this is a private ip address and this is one way a banned poster can beat the system.
I have the:
Proxy to Real IP Conversion (https://vborg.vbsupport.ru/showthread.php?t=231873)
Multiple account login detector (https://vborg.vbsupport.ru/showthread.php?t=183268)
These two have not triggered anything. Is there anything else out there I can use to maybe catch this guy?
If it is the same guy and he was using a desktop connection how would the ip be reordered?
I think the answer is that you can't do anything about it. There are ways to get a different ip or to use a proxy (and not all of them can be detected by a "proxy detector" mod). And even if you're requiring credit cards, it's probably not too hard for most people to get someone else to pay or something. I suppose you could try verifying people by phone or snail mail or something, but that's a lot of work. If the users were banned just because of behavior, then my suggestion would be to not worry about it until/unless they start with the same behavior again (don't let yourself get caught up by the idea that it's a game you have to win, because you can't). If it's some other issue, then I don't think there's a lot you can do.
Edit: about the 10.... ip - I don't know how that happens. That's an ip address that can't be used on the internet (it's for use in a private network). In any case, it won't tell you anything about who used it.
Big Al
08-05-2012, 04:32 AM
@huskermax.
10.80.127.201 Shows as-
Blackhole Address
Internal to a network or a router.
You may find it hard to get any more info from it unless you have very advanced (expensive) programs.
RFC 1918 reserves several ranges of network addresses for use on private network in IPv4:
10.0.0.0 10.255.255.255 Is included.
You can Try a Google search on the email used to register.
Sarteck
08-06-2012, 09:59 AM
To use a 10.*.*.* address, wouldn't the user have to be accessing the site from the same internal network as the OP's host?
Disco_Stu
08-06-2012, 12:24 PM
To use a 10.*.*.* address, wouldn't the user have to be accessing the site from the same internal network as the OP's host?
"The Calls Are Coming From Inside The House" :D
huskermax
08-07-2012, 04:18 PM
"The Calls Are Coming From Inside The House" :D
Same host? That is not that unusual is it?
My mods are thinking this might be a group of posters we have had issues with. Two of them banned and the others did not renew after a suspension.
Each time this poster posts it is written like more then one poster is commenting. Like, we, we are, never posts in first person.
I have a dedicated server, can I do something on that to get any more info?
--------------- Added 1344361294 at 1344361294 ---------------
You can Try a Google search on the email used to register.
Nothing found.
I did exchange one email with this account (so it does work), even in the email it is written like two or more people.
Disco_Stu
08-07-2012, 05:06 PM
Give this mod a try.
https://vborg.vbsupport.ru/showthread.php?t=231106
or this:
https://vborg.vbsupport.ru/showthread.php?t=239033
and here's a really good one:
https://vborg.vbsupport.ru/showthread.php?t=264870
nhawk
08-07-2012, 05:40 PM
The 10.xxx.xxx.xxx are private addresses and should never be seen on the internet. Another word for private could be 'internal'. In other words, it is an address on an internal network not a public IP address which is used to access the internet.
If a 10.xxx.xxx.xxx IP address is showing in Who's Online, then the IP address is being spoofed.
Unless you are accessing your site on an internal network with an IP that starts with 10, you can safely add '10.' (10 dot - without the quotes) to the Banned IP Addresses in vBulletin's User Banning Options. That should prevent the user from seeing any part of your board.
The same holds true for 192.168. addresses.
Sarteck
08-08-2012, 04:05 AM
@nhawk, while proxying to get a different IP address is a walk in the park for anyone with some Net savvy, actual spoofing of IP addresses and still having communication is NOT so easy.
While it is possible to spoof the initial SYN packet, if the server sent back a SYN+ACK to the "spoofed" address, then the actual spoofed computer would not get it.
Unless by some chance the person has control of all routing tables between his computer and the server, his computer would NOT be able to communicate with a spoofed address.
Point here is that biodirectional spoofing on the Internet is more or less impossible unless a user has control over all the networks between himself and the target, and unidirectional spoofing will not generate the IP Address into the $_SERVER['REMOTE_ADDR'] due to the SYN+ACK packet not being answered.
On a LAN, there would obviously be more options. But only on the LAN. :P This address IS coming from the LAN if it's being generated in the logs. Maybe someone behind the host's network was vulnerable to being a proxy? Maybe the OP's host itself is a vulnerable proxy and maybe the IP Address he's seeing is actually his own server on the internal side? Maybe someone from within the host is trying to give him a hard time? X3 Who knows for sure?
My suggestion to the OP is to copy any/all logs with the internal network address(es) and contact his host, and explain the situation to them. They will be able to find out which machine on their internal network has those addresses.
vBulletin® v3.8.12 by vBS, Copyright ©2000-2025, vBulletin Solutions Inc.