Make it useless to even try. Don’t make it easy to detect when someone has burned through an IP - they’ll just pick the next up in the proxy list they bought. Make it so after 100 unsuccessful attempts, flag the IP and only allow it to log into accounts they’ve already logged into before (to stop them from using a real account to detect if they’ve been banned). Don’t say “you’ve been banned” - just shadowban the IP and always fail the auth. After a while they will notice, but not after a ton of attempts.
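The scheme described in the comment above, as an added example that is not part of the original thread. The class name `ShadowbanGate`, the `verify` callback, the sample users and the addresses are assumptions made for illustration; only the threshold of 100 comes from the comment.

```python
import hmac
from collections import defaultdict

FAILURE_THRESHOLD = 100                      # figure taken from the comment above
GENERIC_FAILURE = "Invalid username or password."  # identical text for every failure

class ShadowbanGate:
    """Hypothetical login gate; `verify` stands in for the site's real password check."""

    def __init__(self, verify):
        self._verify = verify
        self._failures = defaultdict(int)    # ip -> failed attempts (no decay window here)
        self._known = defaultdict(set)       # ip -> accounts it logged into before the flag
        self._flagged = set()

    def is_flagged(self, ip):
        return ip in self._flagged

    def login(self, ip, username, password):
        # Always run the credential check so a shadowbanned request costs the same work.
        ok = self._verify(username, password)
        if ip in self._flagged and username not in self._known[ip]:
            ok = False                       # correct password still fails, silently
        if ok:
            self._known[ip].add(username)
            return True, "OK"
        self._failures[ip] += 1
        if self._failures[ip] >= FAILURE_THRESHOLD:
            self._flagged.add(ip)
        return False, GENERIC_FAILURE

# Constructed sample data: plaintext only to keep the demo short.
_DEMO_USERS = {"alice": "alice-pw", "bob": "bob-pw"}

def demo_verify(username, password):
    stored = _DEMO_USERS.get(username, "")
    return username in _DEMO_USERS and hmac.compare_digest(stored, password)

def demo():
    gate, ip = ShadowbanGate(demo_verify), "203.0.113.7"   # documentation-range address
    first = gate.login(ip, "alice", "alice-pw")            # succeeds, alice becomes known
    for _ in range(FAILURE_THRESHOLD):
        gate.login(ip, "bob", "wrong-guess")
    return {
        "first": first,
        "flagged": gate.is_flagged(ip),
        "bob_correct_from_flagged_ip": gate.login(ip, "bob", "bob-pw"),
        "alice_from_flagged_ip": gate.login(ip, "alice", "alice-pw"),
        "bob_from_other_ip": gate.login("198.51.100.9", "bob", "bob-pw"),
    }
```

The failure counter here never decays; a deployment would normally count within a time window so that ordinary typos on a shared address do not accumulate into a flag.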
Very true, for example in the case of Reddit shadowbans it is trivial to check if an account is banned, while a legitimate user can go on for a very long time assuming that simply no one is replying, unaware that something like a shadowban exists.
They might reach the point where one starts to feel litigious, if one pays for the service and there is anything remotely approaching an SLA.
Be careful if you are a paid service and use shadowbans.