How to protect against a determined harasser

Increasing the time it takes to begin any sort of harassment, and decreasing the time it takes to take any action on illicit content is going to be the best way to mitigate the problem.

In this case, contacting the police is your best option as far as taking any direct action against the attacker. In the meantime, your primary focus and concern is to mitigate the issue as much as possible. Remember that this is one person who has dedicated his time; he will eventually get bored and move on to something else.

Your primary goal here is to make it harder for him to make any illicit content in the first place, while still allowing your regular users in. Here are some of the steps I took when I had a similar issue on my popular vBulletin website:

  • Blacklisting potential domains or hosts of illicit material
  • Requiring a unique email address, with certain temporary email providers blacklisted
  • Limiting new accounts:
    • I required moderator approval for all posts made with an account under 15 (approved) posts for anything that embedded a link or image.
    • I required moderator approval for all PMs sent from any account less than 3 days old or with less than 15 (approved) posts.
  • Find an anti-spam plugin or addon that can match possible patterns.
  • Disabling email capability. In most cases, only admins really should have the power to email their users.

Another thing to try is to get a cheap SSL certificate and use HTTPS during registration, or even site-wide. Most standard proxies don't support HTTPS, and most that do are usually for a fee which he may be unwilling to pay after a while. Tor still may support HTTPS, so it's worth trying to block Tor entry points if possible (as you've indicated).

For example, gandi.net has a single-domain for $16/yr that would suffice just fine.


You have already done the correct thing by alerting the police.

Sadly though, if the person is being careful it will be next to impossible to locate or stop him. There really isn't much you can do besides increasing the effort required to start harassing your members and hope he gets bored and stops. It might be a good idea to implement a system like the one Stack Exchange uses where a certain amount of helpful contributions is needed to unlock certain privileges.


The nice thing about persistent attackers is that their behavior is consistent and repeated, through which you can establish a pattern which then leads to an identity.

It's possible to be completely anonymous on the Internet, but the only way to do so is to avoid establishing a pattern, and avoid behavior that can be correlated, analyzed, and eventually distilled to find its common feature: you. This is how and why hackers get caught; they don't go silent.

So, if the common target is your forum, then you use the forum to find the common factors in the attack. You already have criminal behavior (child porn and death threats) which is enough to get the police actively involved. That helps with gathering data that would otherwise be inaccessible.

The next step is to start blocking off access routes that can't be traced. Assuming this doesn't adversely affect your other users, you can block Tor exit nodes, known anonymizing proxies and so on, until the only routes to your server left are ones that can be traced by the police.

Obviously this can affect your legitimate users, so you may want to only apply these restrictions for posting messages or new user registrations.

Next you start following up on leads; when you get relevant traffic, you check up on its origin. Did it come from a hacked webserver? If so, get in contact with the site's admin to report the intrusion and find out if they are keeping logs. Many admins will be more than willing to turn over logs of malicious actors, as they'll be just as mad as you are.

Sites like domaintools.com are surprisingly useful in determining who is involved with a given IP, what sites are hosted there, who the owner is or was, etc. A GeoIP lookup will help determine with more precision if IP addresses are physically located near each other.

Eventually you start to see patterns develop. You figure out that he only posts during a given 5-hour window (which probably corresponds to evening where he is), and while he relays his connection through other servers, the originating IP is typically coffee shops in a single city. He uses Firefox on OS X. Little details which may come in handy.

The more information you have, the more information you can give to the police, the more likely they are to actually identify him.

Either that or he stops posting and the trail goes cold. Both ways, you win.
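The pattern-finding step described in the answer above, as an added example that is not part of the original answer: it takes log lines for posts that moderators flagged and reports the tightest clock-hour window they fall in (allowing for a wrap past midnight), the number of distinct source IPs, and the user agents seen. The log format, the sample lines and all function names are assumptions made for the illustration.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample data: access-log lines for requests that created posts
# later flagged by moderators. IPs are RFC 5737 documentation addresses and
# the log format is an assumption, not vBulletin's own.
UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:19.0) Gecko/20100101 Firefox/19.0"
FLAGGED_LOG = "\n".join(
    f'{ip} [{ts}] "POST {path}" "{UA}"' for ip, ts, path in [
        ("203.0.113.7", "2013-03-02T23:12:40+00:00", "/newreply.php"),
        ("198.51.100.23", "2013-03-04T01:47:05+00:00", "/newthread.php"),
        ("203.0.113.7", "2013-03-05T22:03:19+00:00", "/newreply.php"),
        ("192.0.2.88", "2013-03-07T00:30:51+00:00", "/private.php"),
        ("198.51.100.140", "2013-03-09T02:15:02+00:00", "/newreply.php"),
    ])
LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "([^"]*)" "([^"]*)"$')

def parse(log):
    """Return (ip, utc_datetime, request, user_agent) tuples.
    Lines that do not match the assumed format are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ip, ts, request, ua = m.groups()
            when = datetime.fromisoformat(ts).astimezone(timezone.utc)
            events.append((ip, when, request, ua))
    return events

def tightest_hour_window(events):
    """Smallest span of clock hours (UTC) containing every event, allowing the
    span to wrap past midnight. Returns (start_hour, length_in_hours) or None."""
    hours = sorted({when.hour for _, when, _, _ in events})
    if not hours:
        return None
    # The window is the complement of the largest empty gap on the 24-hour circle.
    best_gap, start = -1, hours[0]
    for i, h in enumerate(hours):
        nxt = hours[(i + 1) % len(hours)]
        gap = (nxt - h - 1) % 24
        if gap > best_gap:
            best_gap, start = gap, nxt
    return start, 24 - best_gap

def summarize(log):
    events = parse(log)
    return {"events": len(events),
            "distinct_ips": len({e[0] for e in events}),
            "window_utc": tightest_hour_window(events),
            "user_agents": Counter(e[3] for e in events).most_common()}
```

On the constructed sample the posts come from four different addresses but all fall between 22:00 and 03:00 UTC with a single user agent, which is the kind of summary worth handing to the police alongside the raw logs.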
