[nycphp-talk] strategy question: point accrual system and bots

Billy Reisinger mail at billyreisinger.com
Fri Sep 30 18:03:01 EDT 2005


Hey Marc -
I think that the simplicity of the solution is directly proportional to
the importance of preventing people from "submit fraud." If it is really
important (i.e. there is money involved), the complexity of your solution
will necessarily have to be greater; however, if you are not going to
lose money or a limb if someone "illegally" accrues points, then perhaps
a simple combination of tracking session IDs and IP addresses would
work. I wouldn't rely on any one method alone, though. It seems that
tracking user or bot activity on the web is best accomplished through a
combination of strategies. For example, you definitely can't rely on the
accuracy of IP addresses, or that one user == one IP address. On the
other hand, using an IP address in combination with, say, the user's
session ID, some cookie data, or some information in the HTTP header
(like browser or operating system) might be an effective way of tracking
a single user.

If you are dealing with a system where people have to provide a
username/password to submit anything, your chances of identifying your
users just got a ton better!

Also, you can be sure something funky is going on if someone continually
submits a form many times in a small amount of time. It might be good to
put a threshold there, preventing people from re-submitting for, say, 60
seconds or something.

Cheers,
Billy

On Sep 30, 2005, at 5:23 PM, Marc Antony Vose wrote:

> Hi there.
>
> I'm asking a sort of general question here about how to design an
> application I'm making.  Basically, actions on a Web site will result
> in members accruing points (the actions vary, but almost always cause
> a form to be submitted, some action to be performed on the back end,
> and then points to be allocated to the user).
>
> I'm interested in people's strategies for preventing scripts or bots
> from continually submitting actions and accruing points for someone.
> In some cases, there are special things I can look for that will be
> the components of these actions, but I'm looking also for some kind
> of general strategy (special hash keys based on some random factor,
> etc. and so on).
>
> I have a few ideas, but other people probably have better ones...the
> simpler and more straightforward the better.
>
> Cheers,
>
> -- 
> Marc Antony Vose
> http://www.suzerain.com/
>
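
The following PHP 8 sketch is an added example, not code from either poster. It combines the ideas raised in this thread: a one-time hashed form token with a random component, a 60-second resubmission threshold, and throttling on both the logged-in user and a session + IP + User-Agent combination rather than on any single signal. The class name, method names, request array layout and in-memory storage are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example; SubmitGuard and its method names are hypothetical, not from the thread.
final class SubmitGuard
{
    private const COOLDOWN = 60;     // seconds between point-earning submits
    private array $lastSeen = [];    // key => time of last accepted submit (a DB or cache in a real app)
    private array $usedTokens = [];  // tokens already redeemed

    public function __construct(private string $secret) {}

    // One-time token tied to session and action, sent as a hidden form field.
    public function issueToken(string $session, string $action): string
    {
        $nonce = bin2hex(random_bytes(16));
        return $nonce . '.' . hash_hmac('sha256', "$session|$action|$nonce", $this->secret);
    }

    // Returns 'award' or a rejection reason for one form submission.
    public function check(array $req, int $now): string
    {
        [$nonce, $mac] = array_pad(explode('.', $req['token'], 2), 2, '');
        $expected = hash_hmac('sha256', "{$req['session']}|{$req['action']}|$nonce", $this->secret);
        if (!hash_equals($expected, $mac)) return 'reject: bad token';
        if (isset($this->usedTokens[$req['token']])) return 'reject: token replayed';

        // Combine signals: the login is the strongest key; session + IP + User-Agent is a weaker second key.
        $keys = ['user:' . $req['user'],
                 'client:' . hash('sha256', "{$req['session']}|{$req['ip']}|{$req['ua']}")];
        foreach ($keys as $k) {
            if (isset($this->lastSeen[$k]) && $now - $this->lastSeen[$k] < self::COOLDOWN) {
                return 'reject: cooldown';
            }
        }
        foreach ($keys as $k) $this->lastSeen[$k] = $now;
        $this->usedTokens[$req['token']] = true;
        return 'award';
    }
}

// Constructed sample submissions (documentation IP ranges, made-up user and sessions).
$g = new SubmitGuard('constructed-secret');
$a = ['user' => 'marc', 'session' => 's1', 'ip' => '192.0.2.10', 'ua' => 'Mozilla/5.0', 'action' => 'vote'];
$a['token'] = $g->issueToken('s1', 'vote');
$b = ['session' => 's2', 'ip' => '198.51.100.7', 'token' => $g->issueToken('s2', 'vote')] + $a;
foreach ([[$a, 1000], [$a, 1001], [$b, 1030], [$b, 1061]] as [$req, $t]) {
    echo $t, ' ', $g->check($req, $t), "\n";
}
```

The third sample request arrives with a fresh session, a different IP and a valid token, yet is still held back by the per-user cooldown, which is where requiring a login helps most.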



