They usually use some calculation of the numer of different IP's (or subnet's) in a certain period of time. If that is higher then a set limit, it is asumed that it will be a share.

This work fine for pornsites for example where if an account is shared, immediae hundreds of people from all over the world try to use it.

That's what I always tried to point out: You cannot detect if an account is being shared, you can only assume it, and this assumption might be good or bad, depending on your algortihms.

@Kirby,

If you are so depressed all the time, what is that smile doing on your face.

Thank you both. If I can gather the money I'll probably put this in paid requests.

ok, me being an admin, (well, im guessing we all are, lol) i have so many accounts on my site, it woudl drive you insane!) i log on2 all kinds of accounts, i see no need for this /;

What I would do is something like this: (It would not be full proof, but it would be a good start)

1) Save all of the IP's that a user logs in from. (I believe the vB does this already now.) You could add a number of times each IP has logged into that account as well to see which ISP is the most used.
2) Check if there is multiple sessions with the same username. If there is more than 3, start the extra check in number 3.
3) Check if the IP's are close together, or far apart. (i.e. make sure the xxx.xxx.*.* parts match up or are very close. (Even resolve the hostname to see if its the same ISP but a different IP address because it was dialed in.)
4) Have a check in to set the account to banned if it detects x number of sessions logged in the time period of y. (Both x and y would be settings that the owner can set.)
5) If it detects say over 20 ISP's of the account and all are different ISP's, ban the account automatically.

I think with the above stipulations, you could catch a number of accounts on www.bugmenot.com for example. You might get some legitmate users here and there, but some of the Untachy hacks I have seen would hit some legitmate users sometimes too I think.

-CMX

That would be a very nice hack.

To make it simpler, just check the domain. If more than x domains are logged into the same account over a period of y, do z.

"z" doesn't have to be automatically banning the account, changing the pass, or anything drastic. It could simply make a note in a text file for an admin to read.

The guy was stating that if ppl log in at the same time... dial up, would mean disconecting.. there for loging back in. new ip etc.. only 1 user logged in..

Over a 10 minute period of time you get http requests from 3 or 4 different IP addresses, I think that most people would say that is worth looking in to, so then FLAG the account.

Let me be specific that the requests contiune over the time period,
not IP1 for 10 munites then IP2 then IP3 then IP4, but a mix of requests.

A simple whois to check if the IP block belongs to the same ISP and then you KNOW its being shared (especially if you are talking saw east coast and westcoast IPs). (This can be done with a nightly cron job, or even on the fly depending on severity thesholds)

Quite possible to detect, since you are using authenticated access.
Remember its not that an account "changes" IPs its simultaneous requests.
A user with 10 requests per minute over 2 IP addresses for 10 minutes sure the heck IS sharing accounts :) (unless the ISP has some real elaborate load sharing proxy, but in this case you can rely on whois lookups)

1. VBB detects more than X IP addresses per username in an X seconds, and flags the account.
2. Log parcer kicks in for flagged accounts and strips out username/IP data and does a whois and checks for IP ownership, and outputs an email address to the forums staff (keeps false positives down)
3. Automated step via theshold that says if X IPs in X hours (and whois data not matching) and starts actions placed in the plugin (admin can set anywhere from flag and email to shutdown the account (heck lauch a nuke if you have that kind of access :P)

-Zxin