MAC Address equivalent to identify ASP.NET website's visitors

Question

I have a registration page that sends a Welcome SMS for every registered user where the username is the user's mobile number.

In the welcome SMS there is an activation code to complete the registration process.

I also uses a Captcha control to prevent people from using bots.

The problem is, Some bad users are using the registration page to send SMS's to random mobile numbers which makes me loses the SMS credit.

Getting the MAC address of a website visitor is impossible, If it was possible, I will solve the problem by adding the anonymous bad visitors to a black list data table after say 3 different unverified mobile numbers.

My Question is: Is there any technique to identify a visitor in ASP.NET Or IIS.

Answer 1

Your question is answered in How can I Identify unique users on my website even IP is changed or browser data has been cleared? and How do I uniquely identify computers visiting my web site?. It can be done by combining the IP address and 'browser fingerprint'.

While this may be enough, I suspect that the malicious users will do anything possible to be not detected by these techniques. They can use a proxy server, a botnet, or other anonymizers like Tor to change IP address for every request, and they can craft their requests to fake random browsers.

To ultimately overcome this issue, you can for example make a Verified bit for each user, where you'll only send them an SMS after you have verified their account.