
accounts suspension


atesin


this is me...

Quote

Sorry about the rough start and welcome to HelioHost!

no problem, and thanks again

Quote

hosting identical content or parts of the same website

maybe analyzing access.log? .. finding cross sites between referers?... or big files served between different heliohost websites/accounts?, anyway sounds like a pretty heavy process, maybe write a wrapper that intercepts logs before being written to access.log? idk...  in this case you can suggest to host big files through dropbox public http folder (or other big files hosting that also offers http... i have a couple movies this way)

about finding same people logged at same time... sounds difficult to detect, and may be not necessarily illegal... some isp's (or colleges, or companies) uses nat, so different users may appear with same ip... additionally they could still open web config in different browsers (like me sometimes xD) ... i think maybe detecting cross site hosting could be more important though

i return to cracking my head on sites migration.. :)

Link to comment
Share on other sites

6 minutes ago, atesin said:

about finding same people logged at same time... sounds difficult to detect, and may be not necessarily illegal... some isp's (or colleges, or companies) uses nat, so different users may appear with same ip... additionally they could still open web config in different browsers (like me sometimes xD) ... i think maybe detecting cross site hosting could be more important though

Unfortunately, there are no correct answers considering the resources we have available. We could demand a government ID to allow signups (which would be an enormous resource-consuming solution, as those systems are pretty expensive), and even that would not be enough to guarantee people would not have multiple accounts. Thus, we use what is less resource-consuming: blocking/suspending multiple accounts with the same IP address.

It is one of HelioHost's Terms of Service and part of the Suspension Policy that a user can only host multiple sites on the same account. Users could abuse and host multiple sites on different accounts (avoiding the 1000 MB disk space limit).

Of course, there are cases, like yours, where there is no terms or policy violation, as only one account is yours, the other being from your organization, which is why we have that forum section for our root admins to analyze cases of suspended accounts.

Remember that HelioHost is a non-profit organization, which means it does not have a lot of resources (monetary or human), as it is kept only with users' donations and the signatures of VPS plans (whose payments give some extra funds to keep up the bills).

Link to comment
Share on other sites

....  what about registrar whois information ???  (for people owning a domain)

there are still exceptions ..  for example, you could find troubles in asking for gov id number because of different countries, me as example, i am chilean...

other options are asking for banking account info, and require a transfer lets say for $0.001, with an immediate refund compromise, just for verify identity...  i had seen this method in some other places but it is very very bureaucratic and annoying..  I HATE IT, i dont even have an international credit card! (and process may be very complicated and expensive)

another method i had seen is to ask for a phone number and send a code by sms/whatsapp (but i dont use whatsapp!!)...  sms's have a sending cost, somebody like me dont like the idea to give their phone number, somebody even dont have a phone!, somebody even can use his/her parents/spouse/sister/colleague phone, etc

there are some biometric systems, in which you are asked to put your face in front of the camera (cell phone or pc+webcam) doing circular movements to 3d scan your face... because i have a webcam, but my pc dont have fingerprint scanner.. anyway we have 20 fingers so a single person can make 20 accounts (21 the men xD )

anyway, back to whois method... you will find my both domains registered by me (andres salinas), we are managing to get a legal person for my organization.. when accepted then i must transfer the domain titularity (www.nic.cl -> consulta whois)

some exception could be, for example... somebody could explicitly ask for a second account creation by ticket (like me) and your staff analyze the situation..  then in case of being approved, remark the accounts were marked for close behavior observation... 

so... i think your best chance is to check referer headers for cross hosting activity

Link to comment
Share on other sites

Well, you kind of pointed out all the problems/downsides with all your suggestions.

About checking referrer headers for cross hosting, it would be useless against users that are only avoiding our 1000 MB disk space per account limit to host different websites (or just using for file hosting).

WHOIS lookup also is not doable because:

  1. The majority of HelioHost users use free services like Freenom, eu.org, or even HelioHost own subdomains (something.heliohost.us and something.helioho.st),
  2. People with their own domains may have, according to their registrar rules, WHOIS privacy protection, e.g., https://mxtoolbox.com/SuperTool.aspx?action=whois%3akairion.eu.org&run=toolpage. You cannot get a single detail about me by doing a WHOIS lookup to kairion.eu.org.
Link to comment
Share on other sites

i think these last 2 -3 comments should be moved to its own topic

back with the referer cross hosting thing.... you could create an indexed database table with just a single text column, and write a script that everytime a user modifies his/her primary domain(s) this table will be updated... then lock the "modify primary domain" option for while scan all domains in your system to populate the table... .. then use this fast table to lookup referer info to catch cross hosting requests...

warn the user first (depending on amount of requests/traffic) to correct the issue before blocking ..  because for example, imagine i am browsing the web and i found a very interesting info that i put on my website, without knowing that info is ALSO hosted in heliohost ...  additionally, if some user deploy a public modifiable content (say a forum or blog) ANYBODY could publish heliohost cross hosting links in his/her site, triggering the alarm

....  i have more thoughts about php mail() function that i will search info before open a new topic

 

Link to comment
Share on other sites

move this last comments to a new topic to keep focus of original post

one of my personal projects is to develop a cheap irrigation system for little farmers using arduinos... i imagine somebody could offer cheap (or free) webhosting + website design for little neighbor markets, so a single guy could effectively have many accou... not really, he can still have all these sites under his single heliohost user account, so this is still against the rules, especially if he is making money with you (at hh)

so i still think your best bet is to catch referer headers and compare against a database table with primary domains

Link to comment
Share on other sites

All the above posts are originally from the topic account suspended?... i just created the account a couple hours ago! and have been split into this new topic.

49 minutes ago, atesin said:

back with the referer cross hosting thing.... you could create an indexed database table with just a single text column, and write a script that everytime a user modifies his/her primary domain(s) this table will be updated... then lock the "modify primary domain" option for while scan all domains in your system to populate the table... .. then use this fast table to lookup referer info to catch cross hosting requests...

There are a few issues:

  • What if the user never changes the primary domain (as there is no reason to do that in first place)?
  • If you are talking about changing the domain's content (i.e., files and databases) that would not be doable, like the above option, for the same reason explained below.
  • HelioHost has four shared hosting servers now (Tommy, Johnny, Ricky, and Lilly) and there are plans for a new one (Morty). New ones can also be created in the future. Each one has a lot of (sub)domains, and resources that are now used to provide free services would have to be redirected to that check running. It also would not escalate well (as it would be necessary to run it for any changes).
  • It would have a lot more of false-positive matches than the current method (checking multiple accounts using the same IP address), because as you pointed out: "[...] for example, imagine i am browsing the web and i found a very interesting info that i put on my website, without knowing that info is ALSO hosted in heliohost ...  additionally, if some user deploy a public modifiable content (say a forum or blog) ANYBODY could publish heliohost cross hosting links in his/her site, triggering the alarm [...]",
  • It would still be useless against users hosting multiple sites (i.e., different sites / different contents, but the same owner) or using multiple accounts for file hosting.
49 minutes ago, atesin said:

he can still have all these sites under his single heliohost user account, so this is still against the rules, especially if he is making money with you (at hh)

There is no specific item in HelioHost Terms of Service (ToS) ruling about "reselling hosting", so technically someone could do that if. The same goes to profiting while doing that. However, it should be noted that, according to that same ToS:

Quote
  • We reserve the right to change the Terms of Service with or without prior notification.
  • We reserve the right to delete, change, or edit your account or your content with or without prior notification, including, but not limited to cases arising from abuse of these Terms.

Which means that, if our root admins consider it to be an abuse and unfair use of the free service provided, they could (1) act to stop that use by deleting, changing, or editing the account and (2) changing the ToS.

A possibility that would not be against the ToS: that "single guy" could sell the webdesign service (since this is that person's work, it is obviously not ruled by HelioHost at all) and help the clients to set up their own free HelioHost accounts for webhosting.

 

Link to comment
Share on other sites

hi...  i like this conversations, find them very interesting...  i am very passionate about technology, i imagine electrons inside computer buses/registers and system processes as little beings :)

1 hour ago, Kairion said:
  • What if the user never changes the primary domain (as there is no reason to do that in first place)?
  • If you are talking about changing the domain's content (i.e., files and databases) that would not be doable, like the above option, for the same reason explained below.
  • HelioHost has four shared hosting servers now (Tommy, Johnny, Ricky, and Lilly) and there are plans for a new one (Morty). New ones can also be created in the future. Each one has a lot of (sub)domains, and resources that are now used to provide free services would have to be redirected to that check running. It also would not escalate well (as it would be necessary to run it for any changes).
  • It would have a lot more of false-positive matches than the current method (checking multiple accounts using the same IP address), because as you pointed out: "[...] for example, imagine i am browsing the web and i found a very interesting info that i put on my website, without knowing that info is ALSO hosted in heliohost ...  additionally, if some user deploy a public modifiable content (say a forum or blog) ANYBODY could publish heliohost cross hosting links in his/her site, triggering the alarm [...]",
  • It would still be useless against users hosting multiple sites (i.e., different sites / different contents, but the same owner) or using multiple accounts for file hosting.
  • to avoid this issue the procedure should be: 1 you previously write the script that adds/modify the domains list table when a user modifies some his primary domains in admin panel - 2 once the auto-modify function is implemented you block the panel function temporarily to avoid race conditions and run a query to populate the table initially - 3 you unblock the panel and as you already wrote the auto-update script, the function should run ok from now .....  doesnt matter if some user never changes his primary domain because anyway it was already added in step 2
  • dont understand too much what you mean.. but just in case, i didnt mean to change domain content, but create another additional database+table with indexes, specific for this function... reading initial and later data from existing production plesk databases (as read only)
  • to build this database initially, reads on all servers must be made....  maybe putting a dedicated computer for this (and old recycled laptop with a new ssd drive would suffice?)
  • then this table need to have 2 columns, primary domain and owner... and lookups need to be aimed to catch different accounts instead of simply different domains... however i agree it could (unlikely) generate some false positives with publicly generated content like in forums or blogs
  • as you cleverly noted, a single account hosting multiple sites/domains is not against the ToS, so as i observed above, the key point is try to find different sites referring each other, owned by **different user accounts**, recurrently

about making money.. maybe making money using HH is not considered harmful, but i found turning millionaire at cost of your work questionable at least (if that thing is possible of course :D ...  or maybe i think too much sillinesses :) )

p.s.: i posted a topic analyzing php mail() as i said :

 

Link to comment
Share on other sites
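The referer lookup proposed in the post above, as an added example that is not part of the original thread or HelioHost's own tooling: it maps the serving site and the referring site to their owning accounts and counts only requests that cross between different accounts, with a recurrence threshold before anything is queued for a warning. The log layout (virtual host name followed by the combined log format), the domain and account names, and `min_hits` are assumptions made for the illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed lookup table: primary domain -> owning account (hypothetical names).
DOMAIN_OWNER = {
    "site-a.example": "alice",
    "img-a.example": "alice",      # second domain on the same account: allowed
    "files-b.example": "alice2",
    "forum-c.example": "bob",
}

# Assumed layout: "<vhost> <combined log format>"; group 1 = vhost, group 2 = referer.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$')

def _line(vhost, path, referer):
    """Build one constructed access-log line."""
    return (f'{vhost} 203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] '
            f'"GET {path} HTTP/1.1" 200 1024 "{referer}" "Mozilla/5.0"')

SAMPLE_LOG = (  # constructed sample input
    [_line("files-b.example", "/movie.mp4", "https://site-a.example/watch.html")] * 3
    + [_line("files-b.example", "/movie.mp4", "https://forum-c.example/thread/9"),
       _line("img-a.example", "/logo.png", "https://site-a.example/"),
       _line("site-a.example", "/", "https://search.example.org/?q=x"),
       _line("site-a.example", "/", "-")]
)

def cross_account_hits(lines, owners):
    """Count requests whose referring site and serving site belong to different accounts."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        try:
            ref_host = (urlsplit(m.group(2)).hostname or "").lower()
        except ValueError:
            continue  # malformed referer URL
        src, dst = owners.get(ref_host), owners.get(m.group(1).lower())
        if src and dst and src != dst:
            hits[(src, dst)] += 1
    return hits

def review_queue(hits, min_hits=3):
    """Account pairs seen recurrently; input for a warning or manual review, not a suspension."""
    return sorted(pair for pair, n in hits.items() if n >= min_hits)

if __name__ == "__main__":
    hits = cross_account_hits(SAMPLE_LOG, DOMAIN_OWNER)
    print(dict(hits), review_queue(hits))
```

The single link from the forum account stays below the threshold, which is the false-positive case raised in the thread. Two accounts that never link to each other produce no hits at all, so this check says nothing about them.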

Honestly, either I do not understand your concept, or you do not understand the points I am raising.

14 hours ago, atesin said:

to avoid this issue the procedure should be: 1 you previously write the script that adds/modify the domains list table when a user modifies some his primary domains in admin panel - 2 once the auto-modify function is implemented you block the panel function temporarily to avoid race conditions and run a query to populate the table initially - 3 you unblock the panel and as you already wrote the auto-update script, the function should run ok from now .....  doesnt matter if some user never changes his primary domain because anyway it was already added in step 2

The question stays the same: what if a user never changes the primary domain? E.g., I have the account kairion.helioho.st. I have no reason to change my main domain, even if I add new ones into my account. If I (against HelioHost ToS) decided to create a new account abc.helioho.st and start a new site with different, unrelated content to kairion.helioho.st, it would still be a ToS violation, as a user is allowed to have only one account with 1000 MB (unless that person does a donation of $5 or multiples of it, receiving +1000 MB for each, up to the maximum of 5000 MB).

14 hours ago, atesin said:

to build this database initially, reads on all servers must be made....  maybe putting a dedicated computer for this (and old recycled laptop with a new ssd drive would suffice?)

Where the script is running, while still an issue, does not exclude the impact on HelioHost servers, as that hypothetical computer would have to access data from all of them, thus consuming their resources. Using a laptop is also not workable, as it would be outside of our datacenter network creating a new security concern (and thus leading to human and computational resources necessary in securing that connection).

15 hours ago, atesin said:

as you cleverly noted, a single account hosting multiple sites/domains is not against the ToS, so as i observed above, the key point is try to find different sites referring each other, owned by **different user accounts**, recurrently

Though it is a concern to avoid users creating multiple accounts for cross-hosting, the greater concern (and what is more common to happen, at least in my experience), is having users creating multiple accounts for hosting different sites without being limited to our 1000 MB per user/account.

15 hours ago, atesin said:

about making money.. maybe making money using HH is not considered harmful, but i found turning millionaire at cost of your work questionable at least (if that thing is possible of course :D ...  or maybe i think too much sillinesses :) )

That would be a philosophy debate about morals and ethics. If we consider only the technical side, someone will need more resources than we can provide before having a website/app/service capable of earning enough to be a millionaire, thus they would have their accounts suspended long before that happens (and invited to either move to a VPS, which also has its physical limits, or would have to move to either an enterprise solution or create their own infrastructure).

Link to comment
Share on other sites

Correct, doing what's shown in that picture would get all 3 of those accounts suspended when we catch it. That's cross-hosting, and is a tell-tale sign of having more than one account.

Another since you showed it in the example: Temporary email addresses are also against the TOS, even if you only have one account. 

 

  • Thanks 1
Link to comment
Share on other sites
