by HEHENE 2115 days ago
This may run afoul of your "no privacy invading methods", but are you able to implement email verification before new users can post? Then once they get bored of trying to attack the site you can go and purge all accounts created in the last n days that haven't been verified yet.

I run a gaming community with several thousand members and we regularly have to fend off attacks on both the community (spam bots in Discord) and the game servers themselves (targeted DDOS attacks usually in the 200-300Gbps range.)

From my experience, they tend to get bored and move on rather quickly, so oftentimes whatever we have to implement is more temporary in nature and doesn't really affect the existing community much, if at all.

Email verification is already required and always has been.

He's cycling through handfuls of oddball throwaway/disposable providers, some catchalls. We block all known temporary email providers, but there are a few that are obscure/blackhat/let you point an MX record from any free dynamic DNS provider to enable abuse.

Another interesting thing is that after we blocked all known VPN provider space, he switched to more "darknet" proxy providers that pretend to be legitimate by having random Eastern European dirty IP blocks announced on Comcast/Verizon AS.

A human eyeball can detect them, they're all pretty obviously following a pattern like NameNameName or random letters, but unsure how I'd want to write something to catch this in an automated fashion.

Oddly, this actually started over ~2 months ago, and it just started again this week after a few weeks of no activity or attempts at all. Our complete VPN block resulted in no successful activity for 9 days.

He also periodically tries to re-register from the same home IP once a month claiming to be a new account and why is he getting banned? and etc.

You could whitelist the email providers, and require "strange" email providers to be approved by mods. The workflow would look like this:

1. Sign up with Gmail
2. Verify email
3. Account is instantly approved

1. Sign up with sharklasers
2. Verify email
3. "You're using a weird email provider. Mods will look at your account and see if it looks OK. If so, we'll approve it"

Don’t telegraph that information, I think. Better perhaps for the automatic approval to look like a fast human and the manual approval to look like a slower one. A process doesn’t have to be manual to look manual. The goal here is to reduce the cost per request.

If you are sure that's their home IP (and that's the same person triggering the spam), and they are in your country, you should consider getting a lawyer involved.

We had a similar issue and got one involved to get the process started (I think he used CFAA abuse). The attacker stopped as soon as we mentioned lawyers (he happened to also be in the US). We would have pressed it further but the lawyer was racking up billable hours and we were not in a position to afford it.

If all you want is for the abuse to stop, you might reach out to the ISP's abuse contacts. All this abuse is certainly against their terms, although they may or may not consider it if it doesn't happen from their IPs.

Getting your internet cut off, even if it's only temporary, can lead to a large change in behavior.

> He also periodically tries to re-register from the same home IP once a month claiming to be a new account and why is he getting banned? and etc.

I'd be tempted to try to trick them into telling you their personal information if they're doing that. Create a page that pops up only for that IP that asks for name/address for a prize giveaway or something.

You could try checking the MX records on registration and build up a list of banned MX handlers instead of banned email domains.
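
An added example, not part of any comment in this thread: one way to combine the provider-allowlist workflow and the banned-MX-handler list suggested above into a single signup check. The domains, MX hosts, list contents and the `lookup_mx` stand-in for a real DNS query are all constructed placeholders.

```python
# Classify a signup by where its email domain's MX records point, so that a
# fresh throwaway domain is caught by the mail handler behind it.
# All domains, hosts and list entries here are constructed sample data.

ALLOWED_DOMAINS = {"gmail.com"}                 # providers approved instantly
BANNED_MX_SUFFIXES = {"mx.disposable.example"}  # handlers seen serving throwaway mail

# Constructed stand-in for a DNS MX lookup: domain -> [(preference, exchange)]
SAMPLE_MX = {
    "catchall1.dyndns.example": [(10, "in1.mx.disposable.example.")],
    "catchall2.dyndns.example": [(10, "IN2.MX.Disposable.Example")],
    "smallisp.example": [(10, "mail.smallisp.example.")],
    "nomail.example": [],
}

def lookup_mx(domain):
    """Offline placeholder; swap in a real resolver in production."""
    return SAMPLE_MX.get(domain, [])

def normalize(host):
    # DNS names are case-insensitive and may carry a trailing root dot.
    return host.strip().rstrip(".").lower()

def host_matches(host, suffix):
    # Match the handler itself or any host beneath it, not arbitrary substrings.
    return host == suffix or host.endswith("." + suffix)

def classify_signup(email, resolve_mx=lookup_mx):
    """Return 'approve', 'review' (mod queue) or 'reject'."""
    local, sep, domain = email.rpartition("@")
    domain = normalize(domain)
    if not sep or not local or not domain:
        return "reject"
    if domain in ALLOWED_DOMAINS:
        return "approve"
    mx_hosts = [normalize(host) for _, host in resolve_mx(domain)]
    if not mx_hosts:
        # Policy choice in this example: no MX means no deliverable
        # verification mail (the SMTP A-record fallback is ignored).
        return "reject"
    if any(host_matches(h, s) for h in mx_hosts for s in BANNED_MX_SUFFIXES):
        return "reject"
    return "review"  # unknown provider: hold for moderator approval
```

The returned labels are internal states; what the user is shown for each can stay identical, in line with the advice above not to telegraph which path an account took.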