Hunting cheaters in a voting competition

Currently we are running a competition which proceeds very well. Unfortunately we have all those cheaters back in business who are running scripts which automatically vote for their entries. We already saw some cheaters by looking at the database entries by hand - 5-star ratings with the same browser exactly every 70 minutes, for example. Now as the userbase grows, it gets harder and harder to identify them.

What we do until now:

  1. We store the IP and the browser and block that combination to a one hour timeframe. Cookies won't help against these guys.
  2. We are also using a Captcha, which has been broken.

Does anyone know how we could find patterns in our database with a PHP script or how we could block them more efficiently?

Any help would be very appreciated...

Bosh asked Feb 25 '10 09:02



2 Answers

Direct feedback elimination

This is more of a general strategy that can be combined with many of the other methods. Don't let the spammer know if he succeeds.

You can either hide the current results altogether, only show percentages without absolute number of votes or delay the display of the votes.

  • Pro: good against all methods
  • Con: if the fraud is massive, percentage display and delay won't be effective

Vote flagging

Also a general strategy. If you have some reason to assume that the vote is by a spammer, count their vote and mark it as invalid and delete the invalid votes at the end.

  • Pro: good against all detectable spam attacks
  • Con: skews the vote, harder to set up, false positives

Captcha

Use a CAPTCHA. If your Captcha is broken, use a better one.

  • Pro: good against all automated scripts.
  • Con: useless against pharyngulation

IP checking

Limit the number of votes an IP address can cast in a timespan.

  • Pro: Good against random dudes who constantly hit F5 in their browser
  • Pro: Easy to implement
  • Con: Useless against Pharyngulation and elaborate scripts which use proxy servers.
  • Con: An IP address sometimes maps to many different users

Referrer checking

If you assume that one user maps to one IP address, you can limit the number of votes by that IP address. However, this assumption usually only holds true for private households.

  • Pro: Easy to implement
  • Pro: Good against simple pharyngulation to some extent
  • Con: Very easy to circumvent by automated scripts

Email Confirmation

Use Email confirmation and only allow one vote per Email. Check your database manually to see if they are using throwaway-emails.

Note that you can add +foo to your username in an email address. [email protected] and [email protected] will both deliver the mail to the same account, so remember that when checking if somebody has already voted.

  • Pro: good against simple spam scripts
  • Con: harder to implement
  • Con: Some users won't like it

HTML Form Randomization

Randomize the order of choices. This might take a while for them to find out.

  • Pro: nice to have anyways
  • Con: once detected, very easy to circumvent

HTTPS

One method of vote faking is to capture the HTTP request from a valid browser like Firefox and mimic it with a script; this doesn't work as easily when you use encryption.

  • Pro: nice to have anyway
  • Pro: good against very simple scripts
  • Con: more difficult to set up

Proxy checking

If the spammer votes via proxy, you can check for the X-Forwarded-For header.

  • Pro: good against more advanced scripts that use proxies
  • Con: some legitimate users can be affected

Cache checking

Try to see if the client loads all the uncached resources. Many spambots don't do this. I never tried this, I just know that this isn't checked usually by voting sites.

An example would be embedding <img src="a.gif" /> in your html, with a.gif being some 1x1 pixel image. Then you have to set the http header for the request GET /a.gif with Cache-Control "no-cache, must-revalidate". You can set the http headers in Apache with your .htaccess file like this. (thanks Jacco)

  • Pro: uncommon method as far as I know
  • Con: slightly harder to set up

[Edit 2010-09-22]

Evercookie

  • A so-called evercookie can be useful to track browser-based spammers
8 revs answered Sep 20 '22 08:09

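An added example (in Python rather than PHP; not code from the question or from either answer) of the pattern hunt the asker wants, which also covers the "vote flagging" step of the answer above: it groups votes by IP, browser and entry and flags groups whose inter-vote gaps are too regular, like the 5-star votes every 70 minutes the asker found by hand. The sample rows, thresholds, IPs and user-agent strings are constructed assumptions, not data from the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample rows (timestamp, ip, user_agent, entry_id, stars);
# IPs, user agents and entry ids are made up for this example.
BOT_UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.5"
HUMAN_UA = "Mozilla/5.0 (Macintosh) Safari/531"
T0 = datetime(2010, 2, 25)  # arbitrary start of the constructed day

SAMPLE_VOTES = (
    # machine-like: 5 stars on entry 42 from one IP/browser, exactly every 70 min
    [(T0 + timedelta(minutes=70 * i), "203.0.113.7", BOT_UA, 42, 5) for i in range(5)]
    # human-like: same entry, irregular gaps
    + [(T0 + timedelta(minutes=72), "198.51.100.4", HUMAN_UA, 42, 4),
       (T0 + timedelta(minutes=221), "198.51.100.4", HUMAN_UA, 42, 5),
       (T0 + timedelta(minutes=545), "198.51.100.4", HUMAN_UA, 42, 5),
       # too few votes to judge
       (T0 + timedelta(minutes=120), "198.51.100.9", HUMAN_UA, 17, 3),
       (T0 + timedelta(minutes=150), "198.51.100.9", HUMAN_UA, 17, 3)]
)

def group_votes(votes):
    """Bucket vote timestamps by (ip, user_agent, entry_id)."""
    groups = defaultdict(list)
    for ts, ip, ua, entry, _stars in votes:
        groups[(ip, ua, entry)].append(ts)
    return groups

def regularity(timestamps):
    """Mean gap in seconds and coefficient of variation of the gaps,
    or None when there are fewer than three votes to compare."""
    ts = sorted(timestamps)
    if len(ts) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else 0.0)

def find_suspicious(votes, min_votes=3, max_cv=0.05):
    """Return (ip, ua, entry, vote_count, mean_gap_minutes) for groups whose
    vote spacing is too regular for a human; thresholds are assumptions."""
    flagged = []
    for key, stamps in group_votes(votes).items():
        if len(stamps) < min_votes:
            continue
        m, cv = regularity(stamps)
        if cv <= max_cv:
            flagged.append((*key, len(stamps), round(m / 60, 1)))
    return sorted(flagged)
```

Flagged groups are candidates for the "count it, mark it invalid, delete at the end" handling rather than outright blocks, since a shared office IP with a regular voter would trip the same check.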


Have you tried to do browser fingerprinting? Check this open-source tool from EFF: https://panopticlick.eff.org/ Could be used to identify one person similar to 500-1500 in the world (!).

dusoft answered Sep 22 '22 08:09
