Full Version: Setting up an IP "Spoof-Proof" System
Lord_Gradient
I tried reading articles about setting up a good spoof-proof system for faking your IP at websites and forums, but I don't understand how to actually set such a system up on my webspace for my forums/website. Could someone explain, in simple words, how to set something like this up? With 4200+ members, it's time to set up more specific security features.
outlaw
QUOTE(Lord_Gradient @ Apr 11 2005, 09:35 PM)
I tried reading articles about setting up a good spoof-proof system for faking your IP at websites and forums, but I don't understand how to actually set such a system up on my webspace for my forums/website. Could someone explain, in simple words, how to set something like this up? With 4200+ members, it's time to set up more specific security features.
*


You'd either need to add it at the Apache level (like a module) or use something else besides PHP. In the end, it's not really going to be worth it.
Lord_Gradient
I have had a problem with someone spoofing their IP to keep on making new accounts, and I was hoping this would be a worthwhile solution to that problem.
Kevin.Beaumont
It's more host firewall level, really.

There's no foolproof method.
chickenbak
QUOTE(Lord_Gradient @ Apr 12 2005, 09:47 AM)
I have had a problem with someone spoofing their IP to keep on making new accounts, and I was hoping this would be a worthwhile solution to that problem.
*


Spoofing it how? If he was "spoofing" his IP, the packets would never get received again. If anything, he is using proxies, or some kind of BNC type mechanism. Or even easier...he may just be resetting the IP allotted to him by his ISP by reconnecting...that is nothing new.

There is no way to prevent this from happening...if there is some rhyme and reason to the emails that he is using to register with, make sure you ban all of those...and certainly ban any "free mail" domains as well, such as hotmail, yahoo, etc etc, and require verification of those emails. That is the easiest way to prevent a clown from getting onto your board. Eventually, having to reset his ip AND create an email on a valid server each and every time he wants to get on usually will thwart the individual after a few attempts. Morons are lazy.
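The registration checks suggested in the post above, sketched as an added example that is not part of the original post and is not Invision Power Board code. The domain list, the banned pattern, the function names and the 24-hour token lifetime are all assumptions made for illustration; it needs PHP 8.

```php
<?php
// Added example, not Invision Power Board code. Requires PHP 8.
// The domain list and pattern below are constructed sample values.
const FREE_MAIL_DOMAINS = ['hotmail.com', 'yahoo.com'];
const BANNED_PATTERNS   = ['/^sockpuppet\d*@/'];   // hypothetical pattern seen in abusive signups

// Returns null if the address may register, or the reason it is rejected.
function reject_reason(string $email): ?string
{
    $email = strtolower(trim($email));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'invalid address';
    }
    foreach (BANNED_PATTERNS as $re) {
        if (preg_match($re, $email) === 1) {
            return 'matches banned pattern';
        }
    }
    $domain = substr($email, strrpos($email, '@') + 1);
    foreach (FREE_MAIL_DOMAINS as $free) {
        // Also catch subdomains such as mail.yahoo.com.
        if ($domain === $free || str_ends_with($domain, '.' . $free)) {
            return 'free mail domain';
        }
    }
    return null;
}

// Create a one-time token: mail $token to the address, store only $record.
function issue_verification(string $email, int $now): array
{
    $token  = bin2hex(random_bytes(16));
    $record = ['email' => $email, 'hash' => hash('sha256', $token), 'expires' => $now + 86400];
    return [$token, $record];
}

// The account is activated only if the mailed token comes back in time.
function confirm_verification(array $record, string $token, int $now): bool
{
    return $now <= $record['expires']
        && hash_equals($record['hash'], hash('sha256', $token));
}

// Constructed sample signups.
foreach (['sockpuppet7@example.org', 'a@mail.yahoo.com', 'member@example.net'] as $addr) {
    echo $addr, ' => ', reject_reason($addr) ?? 'accepted, verification required', PHP_EOL;
}
[$token, $record] = issue_verification('member@example.net', time());
var_dump(confirm_verification($record, $token, time()));
var_dump(confirm_verification($record, 'wrong-token', time()));
```

Storing only the token hash means a leaked accounts table does not let anyone confirm pending registrations.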
Nexonen
If you're really concerned about people signing up multiple times, and you have the money, I guess you could implement an automated phone call verification system using an API to a system such as VariLogix FraudCall or similar systems.

If you disallowed the same phone number more than once, IMO at least, that would get rid of anyone who wants to sign up more than once, because they'd need some way of getting to another phone to be able to complete the verification code. Getting new phone numbers isn't as easy as getting new email addresses.

However, I'm sure the costs associated will put almost everyone off this. At about $1 per successful call (free for unsuccessful ones), who's going to pay for all that?

Far better I'd say to do something with the email addresses like chickenbak suggested. Or turn on admin verification.
Tomi.
QUOTE(Nexonen @ Apr 18 2005, 01:52 PM)
If you're really concerned about people signing up multiple times, and you have the money, I guess you could implement an automated phone call verification system using an API to a system such as VariLogix FraudCall or similar systems.

If you disallowed the same phone number more than once, IMO at least, that would get rid of anyone who wants to sign up more than once, because they'd need some way of getting to another phone to be able to complete the verification code. Getting new phone numbers isn't as easy as getting new email addresses.
*

I wouldn't want to sign up there...
Lord_Gradient
It has only been a problem once. Maybe I'm just paranoid -- who knows ...
Tim Dorr
Something like this can be applied: http://yro.slashdot.org/article.pl?sid=05/...&tid=95&tid=158 However, it is blockable.

Are XMLHTTPRequest objects filtered through the proxy? And, if they are, is there some way to circumvent this in JavaScript?