Hunting scammers in the vote

We are currently holding a contest that is going very well. Unfortunately, we have all those scammers in the business who run scripts that automatically vote for their posts. We have already seen some scammers looking at the database records manually - 5 star ratings with the same browser for exactly all 70 minutes, for example. Now that the user base is growing, it is becoming harder and harder to identify them.

What are we doing so far:

  • We store the IP address and browser and block this combination for one hour. Cookies files will not help these guys.
  • We also use Captcha, which was damaged.

Does anyone know how we could find patterns in our database using a PHP script, or how could we block them more efficiently?

Any help would be greatly appreciated ...

+62
php spam-prevention voting
Feb 25 '10
19 answers

Feedback correction

It is rather a general strategy that can be combined with many other methods. Do not let the spammer know if he succeeds.

You can either completely hide current results, only show percentages without an absolute number of votes or delay the display of votes.

  • Pro: good against all methods
  • Con: if the fraud is massive, percentage display and delay will not be effective.

Voting Mark

Also a general strategy. If you have reason to believe that the vote is being taken by a spammer, count their vote and mark it invalid and delete the invalid votes at the end.

  • Pro: good against all detected spam attacks
  • Con: echoes the vote, harder to set up, false positives

security code

Use CAPTCHA. If your Captcha is broken, use the best one.

  • Pro: good for all automated scripts.
  • Con: useless against pharyngulation

IP check

Limit the number of votes that an IP address can use for a period of time.

  • Pro: Good against random guys who constantly get into F5 in their browser.
  • Pro: easy to implement
  • Con: it's useless against pharyngulation and developing scripts that use proxies.
  • Con: The IP address is sometimes displayed to different users.

Referrer Check

If you assume that one user maps one IP address, you can limit the number of votes for that IP address. However, this assumption is usually true only for private households.

  • Pro: easy to implement
  • Pro: Good versus simple pharyngulation to some degree
  • Con: very easy to get around automated scripts

Email Verification

Use email confirmation and allow only one vote per email. Check your database manually to see if they use emails.

Please note that you can add +foo to your username at the email address. username@example.com and username+foo@example.com will send mail to the same account, so remember that when checking who has already voted.

  • Pro: good against simple spam scripts
  • Con: harder to implement
  • Con: Some users will not like this.

HTML form randomization

Randomize the selection order. It may take some time to get to know them.

  • Pro: nice to have anyways
  • Con: Once discovered, very easy to get around.

Https

One way to fake a vote is to capture an HTTP request from a live browser such as Firefox, and simulate it using a script, it is not so easy when you use encryption.

  • Pro: nice to have anyway
  • Pro: good versus very simple scripts
  • Con: harder to configure

Proxy Check

If the spammer voted through a proxy, you can check the X-Forwarded-For header.

  • Pro: well suited to more advanced proxy scripts
  • Con: some legitimate users may be affected

Cache check

Try to check if the client is loading all unused resources. Many spam bots do not. I have never tried this, I just know that this is usually not checked by voting sites.

An example would be embedding <img src="a.gif" /> in your HTML, with a.gif being a 1x1 pixel image. Then you must set the HTTP headers for the GET /a.gif request using Cache-Control "no-cache, must-revalidate". You can set the HTTP headers in Apache with your .htaccess file like this. (thanks Jaco)

  • Pro: an unusual method, as far as I know.
  • Con: a little harder to set up

[Edit 2010-09-22]

Evercookie

  • The so-called evercookie can be useful for tracking spammers in a browser.
+78
Feb 25 '10 at 9:56
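The "cache check" from the answer above, as an added example in PHP (it is not code from the answer or from any project). It assumes PHP sessions are in use, that a rewrite rule routes GET /a.gif to serveBeacon(), and that the vote handler calls voteAllowed() before counting a vote; the 600-second window is an assumed value.

```php
<?php
// Added example, not code from the answer above. Implements the "cache check":
// the vote page embeds <img src="a.gif">, this script answers that request,
// and the vote handler refuses clients that never fetched it. Assumes PHP
// sessions are in use and that a rewrite rule routes GET /a.gif here.

const BEACON_MAX_AGE = 600; // seconds allowed between page load and vote (assumed)

function ensureSession(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Handler for GET /a.gif: mark the session and send a 1x1 transparent GIF.
function serveBeacon(): void
{
    ensureSession();
    // The headers from the answer: forbid caching so every page load really
    // hits the server; otherwise a returning browser would reuse its copy.
    header('Cache-Control: no-cache, must-revalidate');
    header('Expires: 0');
    header('Content-Type: image/gif');
    $_SESSION['beacon_seen_at'] = time();
    echo base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
}

// Pure check, kept separate so it can be unit-tested without a session.
function beaconFresh(?int $seenAt, int $now, int $maxAge = BEACON_MAX_AGE): bool
{
    return $seenAt !== null && $now >= $seenAt && $now - $seenAt <= $maxAge;
}

// Called by the vote handler before the vote is counted. A client that POSTs
// the form without ever loading a.gif is most likely a script replaying a
// captured request rather than a browser rendering the page.
function voteAllowed(): bool
{
    ensureSession();
    $seenAt = $_SESSION['beacon_seen_at'] ?? null;
    unset($_SESSION['beacon_seen_at']); // one vote per page load
    return beaconFresh($seenAt, time());
}

// Typical use in vote.php:
// if (!voteAllowed()) { http_response_code(403); exit('Vote not accepted'); }
```

A browser with images disabled, or a proxy that strips the image request, fails this check as well, so a failure is better used as a signal for the "Voting Mark" strategy above (count, mark, review) than as a hard block.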

Have you tried to make a fingerprint of the browser? Check out this open source with EFF: https://panopticlick.eff.org/ Can be used to identify one person, like 500-1500 in the world (!).

+6
Feb 25 '10 at 11:02

You can add captcha to the voting form. Email confirmation is also required.

+4
Feb 25 '10 at 9:56

If you're really worried about this, you need to do something like checking your email, which might be enough to block most cheaters.

It also depends on whether several people behind NAT can vote for the same option (for example, at your favorite school).

Any scheme you created may be skipped.

EDIT: like everyone else, you can use a CAPTCHA , such as reCAPTCHA , to block automatic bots and make people less likely to vote again. Due to the fact that people are less likely to vote at all.

+2
Feb 25 '10 at 9:57

Vote for promotion (you can know about it) has a section on how to soften the game - but it's complicated to avoid at all. Considering your actions today, I would think about using weighting, for example, to consider a reasonable level of voting for a certain period of time, for example, 10 votes per hour (just an example not a guide), and for additional votes the weight is the following 10 to 90 % (i.e. only score 9), the next 10 to 80%, etc. These are Yahoo tips for playing this template:

Public voting systems report a number of problems. In particular, the possibility that community members may try to play the system out of any number of motives:

  • anger - perhaps against another member of the community, and that membership dues.

  • profit - to realize some reward, monetary or otherwise, from those affecting the placement of certain elements in the pool)

  • or a comprehensive agenda - always encouraging certain points of view or political statements, with little regard to actual quality for voting for content.

There are several ways to protect against this type of abuse. Although nothing can stop the game as a whole. Here are a few ways to minimize or thwart violators in their efforts:

  • Vote for things, not for people. In accordance with the general strategy of Yahoo, they do not provide users with the opportunity to directly vote for another user: their looks, their attractiveness, intelligence or something else. It is good for the community to vote on contributions from individuals, but not on the quality of their character.

  • Consider limiting the rate of votes.
    • Allow the user a certain number of votes within a given time period.
    • Limit the number of times (or the speed at which) the user votes down on specific user content. (To prevent ad-hominem attacks.)

  • Weigh factors other than the number of votes. Digg, for example, does not calculate them. Digg-score depends only on the number of votes cast. Their algorithm also takes into account: "the source story (this is a blog report, or the original story), user history, traffic Category levels, story falls under and user reports." They update this algorithm frequently. Consider keeping the exact algorithm secret from the community, or just discuss factorized inputs in general terms.

  • If relationship information is available, consider weighting the user's votes accordingly. It is possible to prohibit users with formal relationships from voting for each other.

While this is a popular template on the Internet, it is important to consider the contexts in which we use it. Very active and popular communities (Digg is an excellent example) that allow voting for communities can also give rise to a certain negative spirit (average comments, stubborn clicks, group attacks on the "outlier" point of view).

+2
Feb 25 '10

Check out Asirra: http://research.microsoft.com/en-us/um/redmond/projects/asirra/ It's still in beta, but it's pretty cool.

+2
Feb 25 '10 at 17:29

To prevent bots from voting, you can use CAPTCHA .

+1
Feb 25 '10 at 9:57

The only thing that comes to mind is Captcha. Either complicated with photos and noise, like ReCaptcha, or very simple and unobtrusive, like "What is seven plus three?" or (if you are in the USA) "What is the name of our president?", simple common sense questions that everyone can answer. If you change them often enough, it can be even more efficient than the classic image-based CAPTCHA.

+1
Feb 25 '10

CAPTCHAs are not a silver bullet, a user can have their own script display CAPTCHAs for them and solve them manually at least a few votes per minute.

You need to use them in combination with the other methods described here.

+1
Feb 25 '10

You can add a honeypot field, as in Django. Most likely, this will not protect you from scammers who intentionally want to change their competition, but at least you will have fewer "wire" spammers to take extra care of.

+1
Feb 25 '10 at 13:17

Sorry for the double post, but I was not allowed to send two URLs in the same message ...

If you are looking for your own tracking, this link may give some inspiration: https://panopticlick.eff.org/ It turns out that many browsers can be uniquely identified even without any form of tracking files. I assume that the boss vote can give a very specific imprint?

+1
Feb 25 '10 at 17:41

So, if everyone ever wants to compete when people can win something and want to use a community-based rating system ... here I share some impressions:

Poorly:
1) At first it cannot be protected 100%
2) To cover the mass of users who filter out all meaningless ratings, it is very difficult
3) Forget about star ratings in this case ... they are always either 5 stars or 1 star

Good
1) Do not give them orientation about where they stand ... We replaced the "Order by place" view with the random TOP-100 view (only the top 30 will win the prize) ... It really helped because a lot of users lost interest as soon as they did not see where they stood.

2) Do not allow voting like: 1x5_Stars 40x1_Star ... Just allow users who vote honestly ...

3) Most of them act a little stupid ... You will see them in your magazines and you can trace who votes honestly and who is unfair ... Look for templates ...

**LUCK ;-)**

+1
Mar 18 '10 at 22:10

CAPTCHA is always good, but it can be a "bother" for some users.

reCAPTCHA is a pretty well-used service.

0
Feb 25 '10 at 9:57

As soon as allowing users who are logged in with openid and reCaptcha , before posting a vote, and report the list of participants with the same ip address.

0
Feb 25 '10 at 10:10

We use a combination of CAPTCHA and email. The user receives a link with a GUID in the mail. This should be unique to every user trying to vote: www.votesite.com/vote.aspx?guid=..... Using this link, voting is confirmed or not. In the database, we check the combination of email address and GUID to be unique.

0
Feb 25 '10 at 12:54

I use a combination of CAPTCHA, IP validation and LSO (Flash Local Shared Objects, hard to find and delete for ordinary people).

0
Feb 25 '10

1. Use recaptcha
2. Give random voting options, but not like this:
   → from vote_id_1 - asdsasd_1, grdsgsdg_2,
   Instead, use session variables to set the mask from vote_id_1 to asgjdas87th2ad in the voting form.

0
Feb 25 '10

What about some post-run stochastic analysis, for example time-series analysis, searching for periodicity in specific events (ip, browser, vote)? Then you can assign the probability to each such group of events that it belongs to 1 person, and either discard all such groups of events outside a certain level of probability, or use some kind of weighting coefficient to reduce weight depending on the probability.

Look at R, it contains many useful analysis packages.

0
Jul 23
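An added PHP example (not code from any answer here) that applies two ideas from this thread to exported vote records: the +foo email-alias warning from the first answer, and the periodicity search suggested in the answer above. It assumes the votes have already been read from the database into arrays of the constructed shape shown; the thresholds (10 votes per hour, CV below 0.15) are assumed starting points, not tuned values.

```php
<?php
// Added example, not code from the original posts. Groups exported votes by
// (ip, browser) and by normalized email, then flags groups that look like
// one actor. Input shape is assumed: ['ts' => unix time, 'ip', 'ua', 'email'].

// Fold +tag aliases and case: User+foo@Example.com -> user@example.com.
// Assumes the mail provider delivers +tags to the same mailbox.
function normalizeEmail(string $email): string
{
    [$local, $domain] = explode('@', strtolower(trim($email)), 2) + [1 => ''];
    return explode('+', $local, 2)[0] . '@' . $domain;
}

// Coefficient of variation of the gaps between sorted timestamps. A script on
// a timer produces near-equal gaps (CV close to 0); people are irregular.
function gapRegularity(array $ts): ?float
{
    sort($ts);
    $gaps = [];
    for ($i = 1; $i < count($ts); $i++) $gaps[] = $ts[$i] - $ts[$i - 1];
    if (count($gaps) < 4) return null;                     // too few gaps to judge
    $mean = array_sum($gaps) / count($gaps);
    if ($mean == 0) return 0.0;
    $var = array_sum(array_map(fn($g) => ($g - $mean) ** 2, $gaps)) / count($gaps);
    return sqrt($var) / $mean;
}

// Returns [group key => reason] for groups worth a manual look in the logs.
function findSuspiciousGroups(array $votes, int $maxPerHour = 10, float $maxCv = 0.15): array
{
    $byClient = []; $byEmail = [];
    foreach ($votes as $v) {
        $byClient[$v['ip'] . '|' . $v['ua']][] = $v['ts'];
        $byEmail[normalizeEmail($v['email'])][] = $v['ts'];
    }
    $flags = [];
    foreach ($byClient as $key => $ts) {
        if (count($ts) < 3) continue;                      // not enough to judge
        $hours = max(1, max($ts) - min($ts)) / 3600;
        $cv = gapRegularity($ts);
        if (count($ts) / $hours > $maxPerHour) $flags[$key] = 'too many votes per hour';
        elseif ($cv !== null && $cv < $maxCv) $flags[$key] = 'suspiciously regular timing';
    }
    foreach ($byEmail as $email => $ts) {
        if (count($ts) > 1) $flags[$email] = 'same mailbox voted ' . count($ts) . ' times';
    }
    return $flags;
}

// Constructed sample: a timer script, a burst using +tag aliases, and three
// people behind one NAT address (which must not be flagged).
$votes = [];
foreach ([0, 600, 1200, 1800, 2400] as $i => $t) $votes[] = ['ts' => $t, 'ip' => '10.0.0.5', 'ua' => 'python-requests', 'email' => "t$i@example.org"];
foreach ([0, 5, 7, 30] as $i => $t)              $votes[] = ['ts' => $t, 'ip' => '10.0.0.9', 'ua' => 'curl', 'email' => "Bob+$i@Example.com"];
foreach ([0, 700, 5000] as $i => $t)             $votes[] = ['ts' => $t, 'ip' => '192.0.2.1', 'ua' => 'Firefox', 'email' => "user$i@example.net"];
print_r(findSuspiciousGroups($votes));
```

On the sample this reports the python-requests client as "suspiciously regular timing", the curl client as "too many votes per hour", and bob@example.com as having voted 4 times, while the NAT group is left alone; treat the output as a review queue for the "Voting Mark" approach rather than as an automatic ban list.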

Check the email domain information they use. I had the same problem, and I found that they are all registered with the same registrant. I wrote it here: http://tincan.co.uk/659/news/competition-spammers.html

Now I filter the DNS information for the email used during registration.

0
Oct 11
