I've found Evercookie to be really useful in eliminating spam.
Despite having captchas and per user send limits on my site, Nigerians were submitting tons of forms through my site a while back trying to trick users with the same scams that are popular on Craigslist. They know to clear their cookies, etc. Adding Evercookie cut down on the number of spam messages considerably just by keeping a count of the number of messages sent from a particular computer and blocking messages after more than a certain number per day.
Perhaps most satisfying, I implemented it so the message appeared to have been sent successfully even when it was blocked. So there are Nigerians happily working away all day "sending" messages on my site still thinking it is working. I sometimes get hundreds of blocked message notifications per day.
If you're already implementing messages like that, another fun thing to do when the person goes way past the threshold is start making the site slow/buggy. Add in random sleeps, redirect to a random valid or error page, etc. Basically make the site increasingly buggy. The added benefit is that it breaks any automated scripts people might be scamming with.
That's what I did when we marked an account as obvious spam. Usually that was when an account was created and the same or next day sent 1000+ messages to random other users. Basically the person using the account would think the messages got sent but really they usually hit either a keyword/bayes moderation or a similarity throttle and the messages were put into a moderation queue rather than delivered immediately. Once the moderator picks "obvious spam", for that account the site gets buggier and buggier for 30 days until the account gets completely shut down and the person can't log in with it anymore. I did that for 30 days because I didn't want to warn them their account had been flagged and just have them create a new one.
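The per-device daily count, silent blocking and escalating slowdown described in the comments above, as an added example that is not code from any poster's site. The limits, the delay schedule and the `DeviceThrottle` name are assumptions, and `device_id` stands for whatever persistent identifier (for example an Evercookie value) the client presents.

```python
from collections import defaultdict
from dataclasses import dataclass, field

DAILY_LIMIT = 5      # assumed per-device cap on delivered messages per day
TARPIT_AFTER = 10    # assumed count after which responses are slowed down
STEP_S = 0.5         # assumed extra delay per message past TARPIT_AFTER
MAX_DELAY_S = 8.0    # cap so a worker thread is never held for long


@dataclass
class Outcome:
    shown_to_sender: str  # what the UI reports back to the sender
    delivered: bool       # whether the message really went out
    delay_s: float        # latency the handler should add before replying


@dataclass
class DeviceThrottle:
    counts: dict = field(default_factory=lambda: defaultdict(int))
    blocked_log: list = field(default_factory=list)

    def submit(self, device_id, day, message):
        # Count per (device, day) so the cap resets daily and a cleared
        # session cookie alone does not reset it.
        key = (device_id, day)
        self.counts[key] += 1
        n = self.counts[key]
        if n <= DAILY_LIMIT:
            return Outcome("sent", True, 0.0)
        # Over the cap: record it for the operator, drop the message, and
        # still report success so the sender gets no signal to adapt to.
        self.blocked_log.append((device_id, day, n, message))
        over = max(0, n - TARPIT_AFTER)
        return Outcome("sent", False, min(MAX_DELAY_S, STEP_S * over))


if __name__ == "__main__":
    throttle = DeviceThrottle()
    # Constructed traffic: one device submitting 12 messages in one day.
    for i in range(12):
        o = throttle.submit("dev-A", "day-1", f"msg {i}")
        print(i + 1, o.shown_to_sender, o.delivered, o.delay_s)
    print("blocked notifications:", len(throttle.blocked_log))
```

The identifier is supplied by the client, so a request that arrives without one needs its own policy; this sketch does not cover that case.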
Evercookie is the herpes of user tracking. Wear protection (don't run JavaScript from untrusted websites).
Still, there are some interesting ideas for places to hide trackers. I wonder which parts actually survive (as wiki suggests that something does) after doing a full "clear browsing data" on something like Chrome (which comes with a super helpful link to clear Flash cookies).
Also, isn't the best way to defend against this once it's there not to try to clear it only to have it come back later, but to shuffle its content so much that their perpetrator can't make use of it? The core of it is its resiliency thanks to redundancy, so let's corrupt it so that the information becomes noise.
This, on Linux, is defeated by Chrome's Incognito mode. It's why I didn't use it to track spammers on ragechat.com.
Edit: that, and it tries to use Silverlight to store some Silverlight-based cookies, and people would just get big "Install Silverlight!" button/adverts coming up.
Careful though: older versions of Flash will still store cookies even if you're in incognito mode (http://www.google.com/support/forum/p/Chrome/thread?tid=072d...). This is especially true with many Linux installations, as oftentimes they have older versions of Flash for compatibility purposes (64 bit Flash... ugh...)
Evercookie isn't evil, it's just a tool; it's how you use it that matters. Using it to keep track of users for spam or troll purposes is perfectly fine to me.
Some communities seem to act like magnets for trolls and abusive behavior. I use evercookies on one of my websites to keep the trolls out. Works tremendously well. It has allowed the community there to really flourish, absent petty personal attacks and troublemakers.
I would be, at least for ad networks based in the United States or Europe. The rhetoric around online privacy has gotten rather heated lately, and they're trying to avoid government regulation by being on their best behavior and trying to self-regulate. Evercookies are the opposite of that - it'd be like holding up a sign saying 'make me a target'.
Back when things were a little less heated (aka a couple of years ago), some companies did use a combination of cookies and Local Shared Objects in order to provide redundancy - information deleted from one was later restored by the other. Those companies have almost certainly stopped.
Not that it indicates any wrongdoing, because there's a class-action lawsuit for everything remotely advertising-related, but there's been a ton of class-action lawsuits in the Flash cookie space. I believe the ones involving actively rewriting deleted information have largely been settled, and now it's mostly lawyers trolling companies for the use of Flash cookies to store any type of information more complicated than a volume setting.
For a recent example, search for Del Vecchio vs Amazon.
Ah very cool. Tangentially related: I've been helping a client get some affiliate marketing set up, and the email-based affiliates require CAN-SPAM compliance. Basically, this requires a generic unsubscribe link where people can put in their email address to be added to a "suppression file" blacklist, which the affiliates can then download. It's intended to act as a shared blacklist when you're working with multiple affiliates, but I'm wondering what's to stop someone from just harvesting suppression files?
I believe CAN-SPAM has provisions against that, but several vendors have standardized on storing the suppression files as a list of md5s. Of course that is not bulletproof (the source space is small, especially among the big mail providers) but at the moment it seems to have shifted the economics favorably.
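How an affiliate would scrub its own mailing list against a suppression file stored as MD5 hashes, as an added example that is not any vendor's code. The one-hash-per-line file layout and the trim-and-lowercase normalisation are assumptions, and all addresses are constructed.

```python
import hashlib

HEX = set("0123456789abcdef")


def normalize(email):
    # Assumed convention: both sides hash the trimmed, lowercased address.
    return email.strip().lower()


def md5_hex(email):
    return hashlib.md5(normalize(email).encode("utf-8")).hexdigest()


def load_suppression(lines):
    """Parse a suppression file: one 32-character hex MD5 per line.
    Blank and malformed lines are skipped rather than trusted."""
    out = set()
    for line in lines:
        h = line.strip().lower()
        if len(h) == 32 and set(h) <= HEX:
            out.add(h)
    return out


def scrub(mailing_list, suppressed):
    """Split a list into addresses that may be mailed and those that must not.
    Only addresses the caller already holds can be tested against the file."""
    keep, dropped = [], []
    for addr in mailing_list:
        (dropped if md5_hex(addr) in suppressed else keep).append(addr)
    return keep, dropped


# Constructed sample data: two unsubscribed addresses plus one junk line.
SAMPLE_FILE = [
    md5_hex("alice@example.com"),
    "not-a-hash",
    md5_hex("carol@example.net").upper() + "\n",
]
SAMPLE_LIST = ["Alice@Example.com ", "bob@example.org", "carol@example.net"]

if __name__ == "__main__":
    keep, dropped = scrub(SAMPLE_LIST, load_suppression(SAMPLE_FILE))
    print("mail:", keep)
    print("suppressed:", dropped)
```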