On Wed, Nov 19, 2014 at 4:06 PM, Kyle Banerjee wrote:
> There are a number of technical approaches that could be used to identify
> which accounts have been compromised.
>
> But it's easier to just make the problem go away by setting usage limits so
> EZP locks the account out after it downloads too much.
>
But EZProxy still doesn't let you set limits based on the type of download.
You therefore have two very blunt sledgehammers with UsageLimit:

- # of downloads (-transfers)
- # of megabytes downloaded (-MB)

# of downloads is effectively useless because many of our electronic
resource platforms (hi Proquest and EBSCOHost) make between 50 and 150
requests for JavaScript, CSS, and images per page, so you have to set your
thresholds incredibly high to avoid locking out users who might be actively
paging through search results. Any savvy abuser will just script their
requests to avoid all of the JS/CSS/images to derive a list of PDFs, and
then download just the PDFs, thereby staying well under the usage limits
that legit users require... and I've seen exactly that happen through our
proxy.

# of megabytes downloaded is a pretty blunt tool as well, given that our
multimedia-enriched databases now often serve up video and audio as well as
HTML, images, and PDF files. For the pure audio and video streaming sites
such as Naxos or Curio, you can set higher limits; but as vendors
increasingly enrich their databases with audio and video, you're going to
have to increase your general limits as well... and you can pull down a ton
of PDFs under that cover.

So no, I don't think it's easy to make the problem go away through the
suggested approach, unless you're willing to err on the side of locking out
legitimate users.
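
The per-type counting that the message above says UsageLimit lacks can be done offline against the proxy's access log. This is an added example, not part of the original post or of EZProxy: it assumes log lines in NCSA common log format with the username in the third field, and the sample lines, account names, extension list and thresholds are all constructed or hypothetical.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Assumed layout: host ident user [time] "METHOD url PROTO" status bytes
LINE_RE = re.compile(r'^\S+ \S+ (\S+) \[[^\]]+\] "[A-Z]+ (\S+)[^"]*" (\d{3}) \S+$')
ASSET_EXT = (".js", ".css", ".png", ".gif", ".jpg", ".ico")

def classify(url):
    """Bucket a requested URL as 'pdf', 'asset' or 'page' by its path."""
    path = urlsplit(url).path.lower()
    if path.endswith(".pdf"):
        return "pdf"
    return "asset" if path.endswith(ASSET_EXT) else "page"

def summarize(lines):
    """Return {user: Counter(pdf=..., asset=..., page=...)} for 2xx responses."""
    stats = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not m.group(3).startswith("2"):
            continue  # skip malformed lines and non-successful responses
        user, url, _ = m.groups()
        stats[user][classify(url)] += 1
    return stats

def flag_pdf_harvesters(stats, max_pdfs=25, max_pdfs_per_page=3.0):
    """Flag users with many PDFs and few page views (hypothetical thresholds)."""
    flagged = []
    for user, c in stats.items():
        pages = max(c["page"], 1)  # avoid dividing by zero for PDF-only sessions
        if c["pdf"] > max_pdfs and c["pdf"] / pages > max_pdfs_per_page:
            flagged.append(user)
    return sorted(flagged)

def build_sample():
    """Constructed log: 'alice' browses normally, 'mallory' fetches only PDFs."""
    fmt = '10.0.0.{} - {} [19/Nov/2014:16:00:00 -0500] "GET {} HTTP/1.1" 200 1000'
    lines = []
    for page in range(3):
        lines.append(fmt.format(5, "alice", f"/results?page={page}"))
        lines += [fmt.format(5, "alice", f"/static/a{i}.js") for i in range(60)]
    lines.append(fmt.format(5, "alice", "/docview/1.pdf"))
    lines += [fmt.format(9, "mallory", f"/docview/{i}.pdf") for i in range(40)]
    return lines

if __name__ == "__main__":
    stats = summarize(build_sample())
    for user, c in sorted(stats.items()):
        print(user, "transfers:", sum(c.values()), dict(c))
    print("flagged:", flag_pdf_harvesters(stats))
```

In the constructed sample the normal reader generates far more transfers than the PDF-only account, so a transfer-count limit alone would trip on the wrong user, while the PDF-to-page ratio singles out the right one.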