> What's your recommendation for a low-cost, low-effort method that solves the Tor and every other I.P. user problem?

The first step is realizing that you have a behavior problem, not an IP address problem. There is no silver bullet against an adaptive adversary, but this is the sort of thing that proof of stake or proof of work is well suited for. If the user wants to do more than read your website then they need to post some collateral.

In the small time case this is just putting a CAPTCHA on account creation. If you're a bank or something then nobody gets in the door unless they have an account with you which has been verified against their government ID etc. Then anybody who misbehaves forfeits their collateral, i.e. you close their account. Which for normal people never happens, but for malicious parties is designed to happen before the profit from their malice exceeds the value of the collateral.

Spammers aren't going to be willing to solve CAPTCHAs all day just to post one message at a time which will be deleted in twenty minutes. And then the administrative cost disappears because the spammers realize it isn't worth doing and you don't have to spend time deleting spam once they stop posting it.

> It has to provide a reduction just as good as blocking Tor with similar effort by admin.

To which a large point is that blocking Tor isn't particularly effective. People make a lot of noise about the fact that a Tor IP address is some large factor more likely than average to have malicious traffic, but it also represents a larger number of people than most IP addresses. If you look instead at the percentage of all malicious traffic that comes from Tor, it's a minority. And even allowing Tor traffic and then trying to measure what percentage of all malicious traffic is from Tor is over-representing the effectiveness of blocking Tor by counting malicious traffic that comes from Tor if you allow it but would still come from somewhere else if you didn't.

Net result being that blocking Tor might get you something like a single digit reduction in malicious traffic. Now you need to do something about the other 90%. CAPTCHAs and pseudonym reputation systems and so on. But those things work about as well against traffic from Tor as traffic from anywhere else, which cuts a nice chunk out of the remaining single digit percentage improvement you had been getting by blocking Tor. Net result is you end up blocking a lot of innocent people to get something like a 2% overall reduction in malicious traffic. And the better you get at solving the problem in other ways, the smaller the benefit of blacklisting IP addresses becomes.