在投票比赛中寻找作弊者 [英] Hunting cheaters in a voting competition

问题描述

目前，我们正在进行一场比赛，比赛进行得非常顺利.不幸的是，我们所有的骗子都重新开始运作，他们运行的脚本会自动为自己的作品投票.通过手工查看数据库条目，我们已经看到了一些作弊手段-例如，使用同一浏览器的整整70分钟都是5星评级.现在，随着用户群的增长，识别它们的难度越来越大.

Currently we are running a competition which proceeds very well. Unfortunately we have all those cheaters back in business who are running scripts which automatically vote for their entries. We already saw some cheaters by looking at the database entries by hand - 5 Star ratings with same browser exactly all 70 minutes for example. Now as the userbase grows up it gets harder and harder to identify them.

到目前为止我们要做的事情:

What we do until now:

1. 我们存储IP和浏览器，并将此组合限制在一个小时的时间范围内. Cookies不会对付这些家伙.
2. 我们还使用了已被破坏的验证码

有人知道我们如何使用PHP脚本在数据库中找到模式，或者如何更有效地阻止它们吗?

Does anyone know how we could find patterns in our database with a PHP script or how we could block them more efficiently?

任何帮助将不胜感激...

Any help would be very appreciated...

推荐答案

直接反馈消除

这更多是一种常规策略，可以与许多其他方法结合使用.不要让垃圾邮件发送者知道他是否成功.

Direct feedback elimination

This is more of a general strategy that can be combined with many of the other methods. Don't let the spammer know if he succeeds.

您可以完全隐藏当前结果，仅显示没有绝对投票数的百分比，也可以延迟投票的显示.

You can either hide the current results altogether, only show percentages without absolute number of votes or delay the display of the votes.

• 专业版:适用于所有方法
• 缺点:如果欺诈行为很严重，百分比显示和延迟将不会有效

也是一般策略.如果您有某种理由认为该投票是垃圾邮件发送者，请计算他们的投票并将其标记为无效，最后删除无效的投票.

Also a general strategy. If you have some reason to assume that the vote is by a spammer, count their vote and mark it as invalid and delete the invalid votes at the end.

• Pro:对所有可检测到的垃圾邮件攻击都很好
• 骗局:歪曲了选票，难以设定，误报

使用 CAPTCHA .如果您的验证码坏了，请使用更好的验证码.

Use a CAPTCHA. If your Captcha is broken, use a better one.

• 专业版:适用于所有自动化脚本.
• 骗局:对咽法
没用

• Pro: good against all automated scripts.
• Con: useless against pharygulation

限制IP地址可以在一个时间范围内投票的数量.

Limit the number of votes an IP address can cast in a timespan.

• Pro:对那些在浏览器中不断命中F5的随机帅哥很有帮助
• Pro:易于实施
• 缺点:对于使用代理服务器的咽喉和精心制作的脚本毫无用处.
• 缺点:一个IP地址有时会映射到许多不同的用户

如果假定一个用户映射一个IP地址，则可以通过该IP地址投票来限制数目.但是，这种假设通常仅适用于私人家庭.

If you assume that one user maps one IP address, you can limit the number if votes by that IP address. However this assumption usually only holds true for private households.

• Pro:易于实施
• Pro:在某种程度上对简单的咽喉有好处
• 缺点:非常容易被自动脚本规避

使用电子邮件确认，每个电子邮件只允许投票一次.手动检查您的数据库，以查看它们是否正在使用一次性电子邮件.

Use Email confirmation and only allow one vote per Email. Check your database manually to see if they are using throwaway-emails.

请注意，您可以在电子邮件地址中的用户名中添加+foo. username@example.com和username+foo@example.com都将邮件传递到同一帐户，因此请记住在检查某人是否已投票时.

Note that you can add +foo to your username in an email address. username@example.com and username+foo@example.com will both deliver the mail to the same account, so remember that when checking if somebody has already voted.

• 专业版:适用于简单的垃圾邮件脚本
• 缺点:难以实施
• 缺点:有些用户不喜欢

随机选择选项的顺序.他们可能需要一段时间才能找出答案.

Randomize the order of choices. This might take a while for them to find out.

• 专业人士:仍然很高兴
• 骗局:一旦被发现，就很容易规避

伪造投票的一种方法是从有效的浏览器(如Firefox)捕获http请求并使用脚本模仿它，当您使用加密时，这并不容易.

One method of vote faking is to capture the http request from a valid browser like Firefox and mimic it with a script, this doesn't work as easy when you use encryption.

• 专业人士:仍然很高兴
• Pro:非常适合非常简单的脚本
• 缺点:设置起来比较困难

如果垃圾邮件发送者通过代理投票，则可以检查 X-Forwarded-For 标头.

If the spammer votes via proxy, you can check for the X-Forwarded-For header.

• Pro:对使用代理的更高级脚本很有帮助
• 缺点:某些合法用户可能会受到影响

尝试查看客户端是否加载了所有未缓存的资源. 许多水龙头不这样做.我从来没有尝试过，我只知道投票网站通常不会对此进行检查.

Try to see if the client loads all the uncached resources. Many spambots don't do this. I never tried this, I just know that this isn't checked usually by voting sites.

一个示例是将<img src="a.gif" />嵌入到您的html中，其中a.gif是一些1x1像素的图像.然后，您必须使用Cache-Control "no-cache, must-revalidate"为请求GET /a.gif设置http标头.您可以使用.htaccess文件在Apache中设置http标头，例如此. (感谢雅科)

An example would be embedding <img src="a.gif" /> in your html, with a.gif being some 1x1 pixel image. Then you have to set the http header for the request GET /a.gif with Cache-Control "no-cache, must-revalidate". You can set the http headers in Apache with your .htaccess file like this. (thanks Jacco)

• 专业人士:据我所知，这是不常见的方法
• 缺点:设置起来有点困难

• 所谓的 evercookie 可以用于跟踪基于浏览器的垃圾邮件发送者

• A so-called evercookie can be useful to track browser-based spammers

这篇关于在投票比赛中寻找作弊者的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！