[Wikipedia-l] Vandals,proxies, and so on:a proposal

[Neil Harris]

Many vandals hide behind shared HTTP proxies, which makes them difficult 
to ban.

Here's an idea:

Add a new attribute to user accounts:
* "authenticated" users are users **who have supplied a non-throwaway 
E-mail address**: authentication to be done by sending them an E-mail 
which they have to reply to, in the same way as mailing list authentication.

We can then "greylist" IP addresses or ranges, so that only 
''authenticated'' logged-in users  can post from behind these addresses. 
 We can point out to new users from these ISPs that the reason why they 
are being asked to authenticate is that other users from the same ISP 
have acted as vandals.

The good bit:
* At the same time, non-greylisted IP addresses can still allow 
anonymous or non-authenticated user account edits, so we stay "open" to 
 >99.99% of all users.

We should greylist just the IP address for a proxy, or the whole /19 
range for a user IP address: this is the minimum routable block on the 
Internet, and will generally catch all users from a particular region.

This significantly increases the costs to vandals, and provides 
traceability back to providers, or even real identities if necessary. 
Vandals can go on making new accounts as many times as they like, but 
they have to incur the costs of setting up new provider accounts every 
time we ban their user account.  (I believe that ISPs share phone 
numbers and credit card numbers of persistent abusers, so these people 
will either end up without access, or using rogue providers, who we can 
then blacklist. )

Then, we can reserve "blacklisting" only for IP addresses that are 
beyond hope, such as individual users who are non-cooperative, or 
providers without a workable anti-abuse policy. "Blacklisting" should 
then ban all editing.
We can also refuse to accept authentication E-mails from E-mail 
providers who do not have a good abuse policy.

Neil