Question

What is the best way to implement limits for users in applications like discussion boards, image hosting sites, etc.?

Let's say we want to set limits for StackOverflow. Anonymous users should be able to post 50 questions per 12h and registered users 100 per 12h.

I thought about creating a database and storing information about IPs/users and their posts. Data would be erased after 12h.

However, such a solution can be easily hacked. A single IP shouldn't generate more than 100 questions, but what if one user creates several accounts on the same IP? Every account has its own limit, so the user could generate an unlimited number of questions.

I would have to limit the number of accounts per IP (but what about schools/other places with many users and a single IP?).


Solution

I could write on this topic for months. This is a super hard problem that is not solved with a single silver bullet...if this is a real problem for you, you'll solve it over and over as you move forward.

If there is value in putting large amounts of content on your site, as you get to scale, bad guys will discover this and get around your defenses. You'll need to look at what they are doing, adapt and attack the problem differently. This is why the GMail spam team still exists. :) Deep pockets, smart gals/guys on that team. If it were "solvable" they would have solved it by now.

Doing something like what you describe above is a great start. I would also invest in instrumentation & push the data off to a platform where you can analyze it after the fact (ex: a Hadoop cluster). This way you can study the live-site traffic to see if you have a problem and, if so, learn about how they are doing it so you can adapt.

Welcome to the Hotel California...where you can check out anytime you like but you can never leave.

OTHER TIPS

Most systems use IP-based limits for non-authenticated users and per-account limits for authenticated users. If people are going to sign up for multiple accounts to circumvent your security, then you can either use a captcha to remove bots and/or a cooling-off period for new accounts before they are allowed to post, or even use IP-based limits until the account is at least 24 hours old.

You have already answered your question; if I were you, I would have done the following things:

1. Limit the number of accounts created per IP.
2. Set up a DB which maintains records or a counter for content created in the past 12 hours.
3. For guests, which could be tricky, you can use IP + cookies to track the user's activity; however, this could be a problem if there are many users behind a single proxy. For that, you either have to sacrifice your rules or be strict.

I have seen many websites, when I am behind a proxy, that say I have already visited the site, but I never had.

This will not fix 100% of your problems and might bring some others in.
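The scheme sketched in the two answers above (IP-based limits for anonymous users, per-account limits for registered users, new accounts held to their IP's budget until they are 24 hours old, and a cap on sign-ups per IP), as an added example that is not code from any of the answers; the window sizes, limits and sample addresses are assumptions for illustration:

```python
"""Added example: sliding-window post limiter keyed on account or client IP.
Constants below are assumed for illustration, not taken from the answers."""
from collections import defaultdict, deque

WINDOW = 12 * 3600                       # 12h window from the question
LIMITS = {"anonymous": 50, "registered": 100}
NEW_ACCOUNT_AGE = 24 * 3600              # cooling-off period from the answer


class PostLimiter:
    def __init__(self):
        # key -> deque of event timestamps still inside the window
        self.events = defaultdict(deque)

    def _prune(self, key, now):
        """Drop timestamps older than the window and return the deque."""
        q = self.events[key]
        while q and q[0] <= now - WINDOW:
            q.popleft()
        return q

    def key_and_limit(self, ip, account, now):
        """account is None (anonymous) or a tuple (account_id, created_at)."""
        if account is None:
            return f"ip:{ip}", LIMITS["anonymous"]
        account_id, created_at = account
        if now - created_at < NEW_ACCOUNT_AGE:
            # Young accounts share their IP's budget, so registering many
            # accounts from one address buys no extra posts.
            return f"ip:{ip}", LIMITS["anonymous"]
        return f"acct:{account_id}", LIMITS["registered"]

    def try_post(self, ip, now, account=None):
        """Return True and record the post if the caller is under its limit."""
        key, limit = self.key_and_limit(ip, account, now)
        q = self._prune(key, now)
        if len(q) >= limit:
            return False
        q.append(now)
        return True

    def signup(self, ip, now, max_accounts=3):
        """Cap accounts created per IP per window (item 1 of the list above).
        Shared addresses (schools, proxies) hit this legitimately, so keep
        the cap generous and log denials rather than silently dropping them."""
        q = self._prune(f"signup:{ip}", now)
        if len(q) >= max_accounts:
            return False
        q.append(now)
        return True
```

Timestamps are plain seconds so the logic is testable without a clock; in production the deques would live in a shared store such as Redis and `now` would come from the server, never from the client.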

Instead of using completely anonymous users and registered users and checking IPs, anonymous users should present a working email as verification and a temporary identifier (which will not be publicly shown, of course) each time they post a question.

As they post a question, it will be saved along with the email, and they should receive a question activation link in their mailbox.

If they click the link in the email, the question gets activated and published, so the email serves as a temp identifier instead of the client IP.

OK, it is still possible that some people might use, like, 10 different email accounts and spam you with questions, and it may even scare some people off.

Licensed under: CC-BY-SA with attribution