Many vandals hide behind shared HTTP proxies, which makes them difficult to ban.
Here's an idea:
Add a new attribute to user accounts: * "authenticated" users are users **who have supplied a non-throwaway E-mail address**: authentication to be done by sending them an E-mail which they have to reply to, in the same way as mailing list authentication.
We can then "greylist" IP addresses or ranges, so that only ''authenticated'' logged-in users can post from behind these addresses. We can point out to new users from these ISPs that the reason why they are being asked to authenticate is that other users from the same ISP have acted as vandals.
The good bit: * At the same time, non-greylisted IP addresses can still allow anonymous or non-authenticated user account edits, so we stay "open" to
99.99% of all users.
We should greylist just the IP address for a proxy, or the whole /19 range for a user IP address: this is the minimum routable block on the Internet, and will generally catch all users from a particular region.
This significantly increases the costs to vandals, and provides traceability back to providers, or even real identities if necessary. Vandals can go on making new accounts as many times as they like, but they have to incur the costs of setting up new provider accounts every time we ban their user account. (I believe that ISPs share phone numbers and credit card numbers of persistent abusers, so these people will either end up without access, or using rogue providers, who we can then blacklist. )
Then, we can reserve "blacklisting" only for IP addresses that are beyond hope, such as individual users who are non-cooperative, or providers without a workable anti-abuse policy. "Blacklisting" should then ban all editing. We can also refuse to accept authentication E-mails from E-mail providers who do not have a good abuse policy.
Neil