HACKER Q&A
📣 desaiguddu

How to nab and block a creepy user?


We have recently created a marketplace app, which allows users to message other users. We have found one user making lewd comments to other users. After the first report we blocked that user. That user created another account & started doing the same thing. How do we block such users? This is a mobile app built with Flutter. We have our own DB + Firebase for messaging.


  👤 avolcano Accepted Answer ✓
Many apps nowadays use phone numbers for verifying new accounts. Obviously, it is far from impossible for a malicious user to get a new phone number if they care enough, but it does usually have a monetary cost, which will keep a significant portion of malicious users out. This also can help prevent some forms of fraud.

This is somewhat obvious, but take care in designing social interactions on your app, and introduce easy reporting systems and user-controlled blocking systems (e.g., even if you don't respond to a user's report in a timely manner, a user should still be able to block communications from another user using a button in the app). You may want to allow users to choose to only allow messages from users who have been on the site for a certain amount of time, or have some kind of additional level of verification. Also consider introducing active, paid moderators who actively respond to reports as they come in, if your budget allows.

Allowing users access to open text fields on the internet is inherently dangerous. I have tried to avoid it in all of my apps (for example, I've made games that use randomly-generated user names rather than allow users to input their own, and I only added user comments to an app I was building _after_ I'd built a user reporting system and ensured I got an immediate alert on my phone if a user sent a report). It is your responsibility to try to design your app, and moderate your community, to mitigate these risks.


👤 realusername
I'm not sure it's applicable for you since it's a mobile app but I encountered the same issue with a single specific user, which would cause chaos everywhere.

The right answer for us has been to make the website utterly annoying for him: slowing down pages, disconnecting him randomly, removing the styling randomly, throwing a 500 page randomly. His experience was truly miserable.


👤 benmmurphy
Here are some strategies for iOS:

1) Use the device identifier / advertising identifier to identify the user and block them. Problem: the user can reinstall the app and these identifiers are recreated.

2) Store a random identifier on the disk or in NSUserDefaults or some other app storage. Problem: the user can reinstall the app and these locations are wiped.

3) Store a random identifier in the iCloud Keychain. My understanding is this doesn't have the same problem as above, but it's possible for the user to wipe this.

4) Use the Apple DeviceCheck API: https://developer.apple.com/documentation/devicecheck. This allows you to associate 2 bits of information with a user's device. You can use 1 bit to control whether the device should be banned.

5) Use a third-party device fingerprinting solution or roll your own device fingerprinting. My understanding is there is enough entropy on the phone to uniquely identify it; for example, you can find out what time the original OS was installed in the Foxconn factory. I think Apple should ban all apps that do this, but a lot of apps do this. :(


👤 noodlesUK
So, a slightly sketch thing to do is to shadowban the user, so that they don’t know that nobody can see their posts. They might get bored. You might need to modify some of your application code though. You can do this by their IP if they haven’t caught on.

👤 theshrike79
Shadowbanning in its different forms would be the best option; don't let the user know they have been noticed.

Let them think they sent messages and comments to other users, but don't actually deliver them.


👤 zeepzeep
Captchas. Do not block him, but make him solve a captcha if you detect a bad word. He'll lose the fun.

Took the idea from this talk: https://www.youtube.com/watch?v=0kBhvM9OIaI


👤 badrabbit
Don't block them; degrade their performance to annoy them out of your platform. Or treat them the way you would any spambot: add registration difficulty, a cumulative but minimal interaction cost (performance, financial, points, etc...) and, as a last resort, ban or set restrictions on their connectivity network (subnet, ISP, email provider, VPN provider, ASN, country, etc...).

👤 stareatgoats
We need a thing whereby a person can only sign up to a service once - without disturbing the on-boarding process (too much). Maybe a contradiction in terms but I'm putting it out there since there are some mighty clever people in here, and someone may just have a solution.

👤 bebe3000
How about creating rules?

  A talks to B
  B blocks A
  A registers as C
  *not too much time passes*
  C talks to B
At this point C is considered to be a harasser and therefore it will be hidden for B. B can of course lift the ban if it's just a false positive. To further specify who's who in this graph, the logic can find the smallest time between ban and the creation of a new user with the same behavior (writes to B) as the reported one.

I think this is way easier than handling those who abuse the actual service you're selling.
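The rules above, implemented as an added example (not code from the thread or from any commenter): a small event-log scanner that flags an account as a suspected re-registration when it was created shortly after the recipient blocked someone and then messages that same recipient. The event kinds, the 24-hour "not too much time" window and the sample events are assumptions made for the example; the recipient can lift a false positive with a "lift" event, as the comment suggests.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Event kinds assumed for this example:
#   register: actor created an account
#   message:  actor sent a message to target
#   block:    actor blocked target
#   lift:     actor (the blocker) lifted the automatic hide on target
@dataclass(frozen=True)
class Event:
    ts: int            # seconds since epoch (constructed values below)
    kind: str
    actor: str
    target: Optional[str] = None

WINDOW_SECONDS = 24 * 3600  # assumed "not too much time" window

def find_suspected_evaders(events: Iterable[Event],
                           window: int = WINDOW_SECONDS) -> Dict[str, Tuple[str, str]]:
    """Return {new_account: (blocker, original_account)}.

    new_account is flagged when (1) it registered within `window` seconds
    after blocker blocked original_account, and (2) it then messaged blocker.
    When several blocks qualify, the one closest in time to the registration
    is chosen, as the comment describes.
    """
    ordered = sorted(events, key=lambda e: e.ts)
    registered_at: Dict[str, int] = {}
    blocks: List[Tuple[int, str, str]] = []       # (ts, blocker, blocked)
    lifted: Set[Tuple[str, str]] = set()          # (account, blocker) pairs
    suspects: Dict[str, Tuple[str, str]] = {}
    for e in ordered:
        if e.kind == "register":
            registered_at[e.actor] = e.ts
        elif e.kind == "block":
            blocks.append((e.ts, e.actor, e.target))
        elif e.kind == "lift":
            lifted.add((e.target, e.actor))
            suspects.pop(e.target, None)
        elif e.kind == "message":
            sender, recipient = e.actor, e.target
            if sender in suspects or (sender, recipient) in lifted:
                continue
            reg = registered_at.get(sender)
            if reg is None:
                continue
            best = None  # (gap, original_account)
            for bts, blocker, blocked in blocks:
                if blocker != recipient or blocked == sender:
                    continue
                gap = reg - bts
                if 0 <= gap <= window and (best is None or gap < best[0]):
                    best = (gap, blocked)
            if best is not None:
                suspects[sender] = (recipient, best[1])
    return suspects

def should_hide(sender: str, recipient: str,
                suspects: Dict[str, Tuple[str, str]]) -> bool:
    """Hide sender's messages only from the recipient who blocked the original."""
    flagged = suspects.get(sender)
    return flagged is not None and flagged[0] == recipient

# Constructed sample log: A harasses B, B blocks A, A comes back as C.
# E is an innocent newcomer that B lifts; D registers too late to qualify.
SAMPLE_EVENTS = [
    Event(0, "register", "A"),
    Event(0, "register", "B"),
    Event(100, "message", "A", "B"),
    Event(200, "block", "B", "A"),
    Event(500, "register", "C"),
    Event(600, "message", "C", "B"),
    Event(700, "register", "E"),
    Event(800, "message", "E", "B"),
    Event(900, "lift", "B", "E"),
    Event(200000, "register", "D"),
    Event(200100, "message", "D", "B"),
]

if __name__ == "__main__":
    found = find_suspected_evaders(SAMPLE_EVENTS)
    print(found)  # {'C': ('B', 'A')}
    print(should_hide("C", "B", found), should_hide("C", "D", found))
```

The hide is scoped to the single recipient who issued the block, so a false positive costs the newcomer one conversation rather than their account, and the recipient's "lift" both unhides and stops the pair from being re-flagged.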


👤 abdulhaq
Make it very easy for people to report these messages, then put in a temporary block on a user after the first report, until it can be checked by a human.

👤 proactivesvcs
Related question for folk in similar situations: What are your experiences bringing these sorts of abuse to the attention of the ISPs?

👤 httpsterio
On top of what many users have stated here, shadow blocking! If the malicious user doesn't know that they're blocked, they'll keep using their account. If you shadow ban them, you just don't show their comments and posts to anyone other than themselves, and they can't harm anyone.
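One server-side delivery policy that combines the suggestions in this thread, written as an added example rather than code from any commenter: the user-controlled block button and the "only accept messages from accounts older than N days" option from the accepted answer, plus the shadow ban described by theshrike79 and httpsterio, where the sender's own view always shows the message as sent. The data model, outcome names and sample users are assumptions for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set

DAY = 24 * 3600

class Outcome(Enum):
    DELIVER = "deliver"
    SHADOW = "shadow"      # sender is shadow-banned: visible only to themselves
    BLOCKED = "blocked"    # recipient blocked the sender
    TOO_NEW = "too_new"    # recipient accepts only established accounts

@dataclass
class User:
    id: str
    created_at: int                      # seconds since epoch (constructed)
    min_sender_age: int = 0              # recipient-controlled, in seconds
    blocked: Set[str] = field(default_factory=set)

@dataclass(frozen=True)
class Message:
    sender: str
    recipient: str
    text: str
    ts: int

class MessageService:
    def __init__(self, shadowbanned: Set[str]):
        self.shadowbanned = set(shadowbanned)
        self.inbox: Dict[str, List[Message]] = {}   # what recipients see
        self.sent: Dict[str, List[Message]] = {}    # what senders see

    def send(self, sender: User, recipient: User, text: str, now: int) -> Outcome:
        msg = Message(sender.id, recipient.id, text, now)
        # The sender's own view is identical in every case, so none of the
        # rejections below is observable from the sending account.
        self.sent.setdefault(sender.id, []).append(msg)
        if sender.id in self.shadowbanned:
            return Outcome.SHADOW
        if sender.id in recipient.blocked:
            return Outcome.BLOCKED
        if now - sender.created_at < recipient.min_sender_age:
            return Outcome.TOO_NEW
        self.inbox.setdefault(recipient.id, []).append(msg)
        return Outcome.DELIVER

    def inbox_for(self, user_id: str) -> List[Message]:
        return list(self.inbox.get(user_id, []))

    def sent_by(self, user_id: str) -> List[Message]:
        return list(self.sent.get(user_id, []))

def run_demo() -> Dict[str, Outcome]:
    """Constructed scenario; returns the outcome of each send for inspection."""
    now = 30 * DAY
    alice = User("alice", created_at=0)
    bob = User("bob", created_at=0, min_sender_age=7 * DAY)
    newbie = User("newbie", created_at=now - 3600)     # one hour old
    trent = User("trent", created_at=0)                 # shadow-banned
    svc = MessageService(shadowbanned={"trent"})
    results = {
        "alice->bob": svc.send(alice, bob, "hi", now),
        "newbie->bob": svc.send(newbie, bob, "hey", now),
        "trent->bob": svc.send(trent, bob, "lewd", now),
    }
    bob.blocked.add("alice")   # Bob presses the in-app block button
    results["alice->bob after block"] = svc.send(alice, bob, "again", now)
    results["bob_inbox_size"] = len(svc.inbox_for("bob"))
    results["trent_sent_size"] = len(svc.sent_by("trent"))
    return results

if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

Keeping the sender-side record unconditional is the whole point of the shadow ban: the banned account sees a normal thread, while the recipient's inbox only ever contains messages that passed every check. The `Outcome` value is for the server's own logs and moderation queue, not for the client.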

👤 jamil7
Slightly related, does anyone know any solutions to this for a public slack group? I'm a member of one that has a public invite link (temporarily disabled) and it's constantly plagued by one troll account that comes back whenever the invite link is enabled again.

👤 envolt
Additional to this, can someone help with this -

* Under GDPR, a user can request account deletion, where we have to delete all references to the user. If a user signs up again there would be no way to tell whether it is the same malicious user; how to overcome this?


👤 timwaagh
Perhaps have some AI that detects lewd comments and autobans those users. Oh, and the standard thing of checking both IP and MAC addresses whenever people log in or register against a blacklist of IPs/MACs used by banned users.

👤 styluss
Rate limiting by IP, forcing reCAPTCHA, shadow banning the user.