Review our idea: ip-address tracker for web-developers

5 points by somebody32 ↗ HN
While working on some of our projects we've been struggling the problem of preventing spammers or trolls from posting. Unfortunately, captcha is not always a solution (like for example when you have a vote widget, you wouldn't want your users to enter captcha). Browser cookies are not effective, of course. So, you have to track ip-addresses and make sure one ip does not send, say, more than 10 requests to a particular action during 15 minutes. Of course the primitive implementation is a 10-minute session of unintellegent coding. But over time things get more sophisticated, especially when you need to add new rules, track browser user-agents and assign each ip a trustworthy level. So out of 10-minute boredom code it grew into something slightly bigger.

Now we've been thinking. Would anyone be interested, if we make a webservice out of it, a lot like ReCaptcha: with an API and, say, libs for some popular languages, so that anyone could collect, manipulate and validate ip-addresses in their web-project. It would work like this (the simplest case):

1. You send a check request with an ip_address of your user to our service using our API. 2. We check if this ip exists in our db, if no - we add it. 3. Check when was the last activity from it, then check the rules that you set up in our web-interface when you signed up. 4. Then send you back true/false answer based on the rules and on this ip's previously stored data. 5. Based on this simple answer your application decides what to do with the user (so, it would take a 1 line of code to set this thing up in your app).

The service would also provide warnings (email, probably sms) about blacklisted IPs and a web-interface to manage IPs.

What features would you pay for? Or would you at least use it for free?

3 comments

[ 3.4 ms ] story [ 19.1 ms ] thread
Honestly speaking, I think you might have a bit of a chicken and egg problem with getting started.

I like the idea of your app and it's something I could use, but since you're asking your customers to hard code stuff into their application at potentially experience-critical moments, any kind of failure on your part would be pretty disastrous.

This service is something I would use when it matures a little, it's not something I would hook my app into whilst you're just starting out. Venture backing or an established partner might help me convert sooner.

My 2c.

Wouldn't it be trivial to poison your DB with false reports?

And it would be pretty much impossible for you to distinguish this from the reporter getting hammered for real.

This sort of attack wouldn't be likely ... unless and until your service became popular, at which point the payoff might be worth the trouble.

It is a good idea but not new. Zed Shaw's Utu took a similar approach: http://www.zedshaw.com/essays/ragel_state_charts.html Yes, it is an article about Ragel but it details Utu. There is no trace around Internet about it.

About integrating it in my app, I would use it. Maybe it can be built in different way: publishing a feed with the "offending" IPs (PubSubHubbub?) and leaving the API for only reporting them.