> If I have a site where people will log in and make posts, what's
> to stop someone logging in manually, ie. with the password they've
> signed up to the site with, and THEN running the bombing script to
> fill up the database with junk?
> I suppose Apache can be configged to prevent too many posts from
> 1 IP in too little time (is this done by default?), but this is not
> really a solution.
Such a feature could be very annoying to a user trying to *READ* a
hundred messages a minute looking for something specific. It isn't
so easy for Apache to *automatically* tell the difference between
"Post a message" and "Display next page of this message", especially
if the messages are kept in a database, not as static links. Your
custom code can do this easily.
And you really need to enforce at least some of the limits on a
per-user, not per-IP, basis. It should be pretty easy for you to
use a database query to count previous messages from user X within
time period Y. You probably want to hold in reserve the ability
to ban particular IPs from accessing your site *AT ALL* - there are
some bad guys who bring a site to its knees just repeatedly requesting
pages at a thousand times a second from many hosts (and they don't
necessarily even try to log in or post).
> I would really hate to put CAPTCHAs in my site for *each time
> people wanna post something* - this is really a horrible thing to
> do to my users. Is there a solution?
CAPTCHAs are a good idea to create new accounts. Each user has to
do it only once (and you can "grandfather" existing users with
accounts so they don't have to do it at all) unless they are
constantly creating throwaway accounts.
If someone misbehaves, manually ban the account. You have to resort
to this as not everyone uses bombing scripts - sometimes they just
use bad words, insult other users, and post a small amount of
advertising, solicit sexual favors, or insist on campaigning for
Hillary Clinton in a group dedicated to Major League Baseball games.
Have handy a "delete all posts from this user" function an administrator
can use to clean up the mess.
If people log in on accounts they have created, you can limit the
number of posts made in a certain time *by user name*, and turn off
the account if it's excessive. I think 20 posts in 20 minutes is
approaching excessive. Also, repeatedly posting messages with
nearly-identical content is at least suspicious.
CAPTCHAs are also something you can activate in the case where a
user is doing something suspicious but you can't say it's abusive
yet. For example, if they post more than 20 posts in 20 minutes,
require CAPTCHAs for the next hour.
Require some personal information to create an account (such as an
email address or a phone number). Verify these, say by sending a
link to the email address and requiring the user to click on it to
activate the account to allow posting, or texting a security code
to the phone number, which they need to enter to activate the
account. Do not permit more than one account (banned or not) on
the same email address or on the same phone number. That means
they keep having to come up with more throwaway email addresses or
phone numbers, and will at least slow them down a little.
(Warning: this approach may create some problems if there are any
husband/wife or parent/child pairs still left who share the same
phone number and/or email address. You may have to tell them that
if they share the phone, they have to share the account also.)
*NEW* users can have stricter posting limits than more established
ones. You might require manual approval (by you) of each post for
users whose accounts are less than 48 hours old, or manual approval
of the first 3 posts regardless of account age. You might also
only turn on automatic approval after they have posted a few times
with *information useful to the other users*, such as answering
other users' questions or contributing news on a topic, not just
asking questions. (This is a much stricter rule than "non-offensive").
Some sites have "reputation points" or "karma" which get users
additional privileges as they do more positive things on the site.
Let your users help you. Allow them to flag posts as offensive or
pointless. You probably have to review these manually, and some
of them will flag any post critical of them, but if users abuse the
"flag post" button, you can turn it off for that user or ban the
user.
Yes, a lot of this requires actual work from an administrator,
and not just in writing code.
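The per-user limits described in the reply above, put into working code as an added example (this is not the poster's code): a sliding 20-minute window per user name, a CAPTCHA requirement for the next hour once 20 posts in the window are hit, and manual approval for accounts under 48 hours old or for a user's first 3 posts. The class name, method names and the replayed timeline are my own constructions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

POST_LIMIT = 20                        # posts allowed inside one window
WINDOW = timedelta(minutes=20)         # sliding window length
CAPTCHA_PENALTY = timedelta(hours=1)   # how long CAPTCHAs stay required
NEW_ACCOUNT_AGE = timedelta(hours=48)  # younger accounts are moderated
FIRST_POSTS_MODERATED = 3              # first N posts of any account are moderated


class PostPolicy:
    """Decides, per user name (not per IP), what to do with an attempted post."""

    def __init__(self):
        self.recent = defaultdict(deque)   # user -> timestamps of posts in window
        self.captcha_until = {}            # user -> time until which a CAPTCHA is required
        self.total_posts = defaultdict(int)

    def decide(self, user, account_created, now, captcha_ok=False):
        window = self.recent[user]
        while window and now - window[0] > WINDOW:   # drop posts older than the window
            window.popleft()
        needs_captcha = now < self.captcha_until.get(user, now)
        if len(window) >= POST_LIMIT:
            # limit hit: require CAPTCHAs for the next hour (extends any running penalty)
            until = max(self.captcha_until.get(user, now), now + CAPTCHA_PENALTY)
            self.captcha_until[user] = until
            needs_captcha = True
        if needs_captcha and not captcha_ok:
            return "captcha_required"   # post is not recorded until the CAPTCHA is solved
        window.append(now)
        self.total_posts[user] += 1
        if (now - account_created < NEW_ACCOUNT_AGE
                or self.total_posts[user] <= FIRST_POSTS_MODERATED):
            return "hold_for_moderation"
        return "accept"


def run_demo():
    """Replays a constructed timeline: an old account posting once a minute, then a new one."""
    policy = PostPolicy()
    t0 = datetime(2024, 1, 1, 12, 0)
    old = t0 - timedelta(days=30)
    d = [policy.decide("alice", old, t0 + timedelta(minutes=i)) for i in range(20)]
    d.append(policy.decide("alice", old, t0 + timedelta(minutes=20)))                  # 21st post
    d.append(policy.decide("alice", old, t0 + timedelta(minutes=20), captcha_ok=True))  # solved it
    d.append(policy.decide("alice", old, t0 + timedelta(minutes=25)))                  # still penalised
    d.append(policy.decide("alice", old, t0 + timedelta(minutes=90)))                  # penalty expired
    d.append(policy.decide("bob", t0 - timedelta(hours=1), t0))                        # 1-hour-old account
    return d
```

A real site would persist `recent` and `captcha_until` in the database (the reply's "count previous messages from user X within time period Y") rather than in process memory, and would add the manual ban the reply recommends on top of this.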