Effective Banning Measures

Started by
11 comments, last by PaulCesar 18 years, 4 months ago
I'm currently revamping the banning system for a semi-text based MMORPG I'm developing. I'm trying to come up with the most fool-proof method of banning a user if they misbehave, and here is what I've come up with.
1. Account Ban - To register an account you have to have a valid e-mail address, so this is effectively an e-mail address ban. They could make a new account based on a different e-mail address.
2. IP Ban - Obviously IP addresses change (especially for the few dial-up users still out there ;) ) and you also run the risk of catching someone else in the ban if you ban by IP range.
3. MAC Address Ban - This seems to be the most effective measure, especially in conjunction with the other two, however it's still possible to mask it.
4. Embedded Registry / File - This seems like it would also help, in conjunction with the others, if every install had a personalized ID for it. However, this also would be something a user could find and edit if they knew to look for it.
So, my question is, has anyone found a more fool-proof method of banning? Any help or comments would be appreciated.
I don't have any real insightful information for you but just want to comment on the account banning. Since this is an RPG game, if a user has been playing for a little while and built up some stats / experience or whatever your promotion system is based on, then suspending their account would seem to be a good first step. Like you mentioned they could always create a new account, but they would be starting over again.

I can point you in the direction of a fella who has to deal with this all the time with his free MMORPG Forgotten World. You can probably just reach Rod by leaving a post in the FW forum
The problem is that certain dial-up accounts generate a "fake" MAC address, which is shared between different users of the same dial-up ISP. Also, some Ethernet cards allow you to change your MAC address (especially wireless).

The best way to ban is to charge something for your game. If it's $5 to start over, then there's enough of a limit that most griefers won't keep doing it daily.
enum Bool { True, False, FileNotFound };
Maybe you could require verification via telephone if you're really concerned about cheating / banning. To get an account, you have to provide your phone number, and later you can check and make sure they gave you a real phone number.

I suppose the 2 problems would include cheaters using friends' phone numbers and the privacy aspect. Or, maybe Little Bobby signs up and gives his phone #, but when you call to verify, Bobby's Mommy says, "I've never heard of that," so you delete his account when it was actually a valid number.

It's not the best idea I reckon, but maybe it could work.
--Mike
Mail them a registration number to their mailing address. Now that you have their address, you can go punch them in the face instead of having to ban them.
-Chris
Quote: Original post by giveblood
Mail them a registration number to their mailing address. Now that you have their address, you can go punch them in the face instead of having to ban them.

Unless they have a PO box?

Anyways Kraiger, there's no such thing as a fool-proof method, just look at all the copy protection that is put on games, yet people always find the time to get around it. The best used method is the system of CD keys: only allow one key logged on at a time, and once a key is banned, then it's done with. You would do all of this verification server side of course to make sure the clients couldn't fake it. As to comment on your ideas:
1. That's a must, disable/delete the account
2. Works for the most part if you do not do ranges, and there exist methods to get a real IP if they are behind a proxy trying to mask their IP or change it.
3. Not sure how it would be implemented, but collecting user hardware information might raise privacy concerns if you do not disclose what you will do if a user is caught cheating.
4. Not worth it, reinstalls, formats, even programs like spybot can detect reg changes and allow the user to deny that change.

Just my take on this, I really think the whole idea about having accounts based on a personal key, CD key more or less, is the best approach to prevent people from getting around the system. Better yet, what you could do is not even generate the key on the client side; you do it on one of your computers and send the key to the user, encrypted of course. Then that way, you do not have to worry about keygens popping up or anything like that.
1. Reverse DNS their IP address (or get your clients to do it, but you double check it).

2. When banning, ban on a per-DNS basis.

The reason for this is that most people's hosts are something like something.wa.bigpond.net or something.pa.comcase.net, so if they're really giving you some grief, you can ban their state. Now, unless they move interstate, they can't get in (or they find a proxy that allows them to connect using that port, unlikely).

Also, everything done client side is suspect. Never assume that it does what you programmed it to do. (especially with security).

From,
Nice coder
Click here to patch the mozilla IDN exploit, or click Here then type in Network.enableidn and set its value to false. Restart the browser for the patches to work.
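Putting together the server-side approach from the CD-key post above (verify everything on the server, one key logged on at a time, a banned key stays banned) and the reverse-DNS suffix ban from this post, here is an added Python example; it is not code from the thread or from any poster. It assumes a constructed PTR table in place of real socket.gethostbyaddr lookups so that it runs offline, and the addresses and hostnames in it are made up (TEST-NET ranges and .example names).

```python
import ipaddress
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

# Constructed reverse-DNS table standing in for socket.gethostbyaddr so the
# example runs offline. Addresses are from TEST-NET ranges; names are made up.
FAKE_PTR_RECORDS: Dict[str, str] = {
    "198.51.100.7": "cpe-198-51-100-7.wa.bigpond.example.",
    "198.51.100.8": "cpe-198-51-100-8.wa.bigpond.example.",
    "203.0.113.5": "dsl-203-0-113-5.pa.comcast.example.",
}


def fake_reverse_lookup(ip: str) -> str:
    """Mimics socket.gethostbyaddr(ip)[0]; raises OSError when no PTR exists."""
    try:
        return FAKE_PTR_RECORDS[ip]
    except KeyError:
        raise OSError(f"no PTR record for {ip}")


def normalize_host(hostname: str) -> str:
    """Lower-case and drop the trailing dot a PTR answer usually carries."""
    return hostname.strip().lower().rstrip(".")


def host_matches_suffix(hostname: str, suffix: str) -> bool:
    """True when hostname equals the suffix or ends in '.' + suffix.

    The leading dot matters: banning 'wa.bigpond.example' must not also catch
    an unrelated 'evilwa.bigpond.example'.
    """
    host = normalize_host(hostname)
    suf = normalize_host(suffix).lstrip(".")
    return host == suf or host.endswith("." + suf)


@dataclass
class BanList:
    """Three independent ban sets, all consulted on the server."""
    accounts: Set[str] = field(default_factory=set)       # e-mail addresses or CD keys
    ips: Set[str] = field(default_factory=set)            # exact addresses only, no ranges
    host_suffixes: Set[str] = field(default_factory=set)  # reverse-DNS suffixes

    def ban_account(self, account_id: str) -> None:
        self.accounts.add(account_id.strip().lower())

    def ban_ip(self, ip: str) -> None:
        # ipaddress.ip_address rejects garbage and canonicalises the address
        self.ips.add(str(ipaddress.ip_address(ip)))

    def ban_host_suffix(self, suffix: str) -> None:
        self.host_suffixes.add(normalize_host(suffix).lstrip("."))


class LoginGate:
    """Server-side login check: bans first, then 'one session per key'."""

    def __init__(self, bans: BanList,
                 reverse_lookup: Callable[[str], str] = lambda ip: socket.gethostbyaddr(ip)[0]):
        self.bans = bans
        self.reverse_lookup = reverse_lookup
        self.active: Dict[str, str] = {}  # account_id -> IP of the live session

    def reverse_dns(self, ip: str) -> Optional[str]:
        try:
            return normalize_host(self.reverse_lookup(ip))
        except OSError:
            return None  # no PTR record: only the exact checks can apply

    def check_login(self, account_id: str, ip: str) -> Tuple[bool, str]:
        account_id = account_id.strip().lower()
        ip = str(ipaddress.ip_address(ip))
        if account_id in self.bans.accounts:
            return False, "account banned"
        if ip in self.bans.ips:
            return False, "ip banned"
        host = self.reverse_dns(ip)
        if host is not None:
            for suffix in self.bans.host_suffixes:
                if host_matches_suffix(host, suffix):
                    return False, f"host banned ({suffix})"
        if account_id in self.active:
            return False, "already logged in"
        self.active[account_id] = ip
        return True, "ok"

    def logout(self, account_id: str) -> None:
        self.active.pop(account_id.strip().lower(), None)


def demo() -> Tuple[Tuple[bool, str], ...]:
    """Constructed walk-through; real deployments load the ban sets from storage."""
    bans = BanList()
    bans.ban_account("griefer@example.com")
    bans.ban_ip("203.0.113.5")
    bans.ban_host_suffix(".wa.bigpond.example")
    gate = LoginGate(bans, reverse_lookup=fake_reverse_lookup)
    return (
        gate.check_login("Griefer@example.com", "192.0.2.10"),   # account ban, case-insensitive
        gate.check_login("alice@example.com", "203.0.113.5"),    # exact IP ban
        gate.check_login("bob@example.com", "198.51.100.8"),     # reverse-DNS suffix ban
        gate.check_login("carol@example.com", "192.0.2.10"),     # no PTR record: allowed
        gate.check_login("carol@example.com", "192.0.2.11"),     # second session for same key
    )


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Two things a practitioner would add before relying on this: the reverse lookup is a blocking network call, so it belongs off the login path (cached, or resolved while the client is still in the handshake), and a PTR record is published by whoever holds the address block, so a name should be forward-confirmed (resolve it and check the connecting IP is among the answers) before it is allowed to trigger a suffix ban. The suffix ban also has the same collateral effect the thread already notes for IP ranges: it locks out everyone at that ISP region, not just the one griefer.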
Well, there might be a more reliable way to identify clients than relying on MAC and/or IP addresses: http://www.cse.ucsd.edu/users/tkohno/papers/PDF/

in the news:
http://it.slashdot.org/article.pl?sid=05/03/04/1355253
http://news.com.com/Tracking+PCs+anywhere+on+the+Net/2100-1029_3-5600055.html

Good luck!
I think banning the e-mail address and password pair is the best method. The only way they could get in after that is if they hacked someone else's account. If they can get into other players' accounts, then banning is the least of your worries.
Programming since 1995.
A combination of MAC and IP address ban should be sufficient.
