Name: Anonymous 2013-10-12 11:36
I'm building a website that lets people post whatever text they want completely anonymously. The heart of the project is inspired by moot's concept of 'prismatic identity' - people need the ability to wear masks, and I want to give them that in a Twitter-esque fashion.
So as you'd expect, no login is required to post, but I am issuing a cookie to the browser (that expires @ 6 hours), and also storing a "user" key server-side that's built using IP address, user-agent, and screensize - totally separate from the cookie itself.
All that said, I do need/want to weed out spambotting and shitposting, so I need to implement rate limiting and possibly temp bans - oh and I HATE captcha, so I don't want any of that shit requiring a post. Now I did think about a much more watered down version of captcha, whereby it asks you to do VERY simple math problems (2+2=?) and I'm sure we've all seen those, and I quite like them actually, but still hate the overall concept.
I don't want to ban/rate limit people based on IP because that's just dumb and not effective, but is the user key I'm using really the best method for this? It basically takes lessons from panopticlick regarding browser-fingerprinting, but I'm curious to know if anyone has 1) had this problem and 2) solved this problem.
tl;dr What are the best alternatives to rate limiting / temp banning apart from IP based methods?
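An added example, not part of the original post: a sliding-window rate limiter with temp bans, keyed on a server-side HMAC of the three signals the post names (IP address, user-agent, screen size). The secret, the thresholds and all function and class names are assumptions chosen for illustration.

```python
import hashlib
import hmac
from collections import defaultdict, deque

SECRET = b"constructed-demo-secret"  # assumption: server-side secret, never sent to clients
WINDOW = 60          # assumed window length in seconds
MAX_POSTS = 5        # assumed posts allowed per window
STRIKES_TO_BAN = 3   # assumed rejected attempts before a temp ban
BAN_SECONDS = 600    # assumed temp-ban length in seconds


def user_key(ip, user_agent, screen):
    """Keyed hash of the signals from the post; raw values are not stored."""
    msg = "\x1f".join((ip, user_agent, screen)).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


class PostLimiter:
    def __init__(self):
        self.posts = defaultdict(deque)  # key -> timestamps of accepted posts
        self.strikes = defaultdict(int)  # key -> rejected attempts since last ban
        self.banned_until = {}           # key -> time at which the temp ban ends

    def check(self, key, now):
        """Return 'ok', 'limited' or 'banned' for a post attempt at time `now`."""
        if self.banned_until.get(key, 0) > now:
            return "banned"
        q = self.posts[key]
        while q and q[0] <= now - WINDOW:  # drop posts outside the sliding window
            q.popleft()
        if len(q) < MAX_POSTS:
            q.append(now)
            return "ok"
        self.strikes[key] += 1
        if self.strikes[key] >= STRIKES_TO_BAN:  # repeated hammering -> temp ban
            self.strikes[key] = 0
            self.banned_until[key] = now + BAN_SECONDS
            return "banned"
        return "limited"
```

User-agent and screen size are reported by the client, so a change in either yields a different key and a fresh counter.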