
I'm the founder of a major, so-called 'toplist'. Users can submit their website to the toplist and gain a higher position by obtaining votes for their toplist entry.

The average visitor is young, mainly between 13 and 20 years old. They bring benefits, but also disadvantages. Over the past 5 years I've been actively fighting 'cheaters' who're using robots to obtain votes. These robots used proxies, different user-agents and even managed to solve multiple kinds of CAPTCHA questions (reCAPTCHA, SolveMedia and custom CAPTCHAs). The use of these robots has dramatically decreased since I introduced a new system that generates a random layout and loads 1 out of 15 different CAPTCHA systems on each page load. It doesn't seem to be an issue any longer.

People have now moved on to manual cheating. They're using browser plugins that change their IP address on pretty much every page load (e.g.: https://addons.mozilla.org/en-us/firefox/addon/ipflood/). I really can't seem to find a way to fight this, but it's a very big issue. It's hard to believe, but these kids are even manually solving 5000 CAPTCHA questions, which takes ages.

My question is: can anybody help me think of a way to solve this issue? I've been using cookie and session settings, but they've started to notice and remove them. I'm going to introduce user accounts and make it more attractive to vote through an account, but I don't want to require accounts. I doubt there is, but is there any other way left to fight the cheating (maybe something like a Java web app that evades browser-set proxies and passes the real IP to the page, if that's possible)? Or should I just give up and hire people to do daily checks to see whether it's plausible for a site to gain so many votes?

Jason
  • Where there's a will, there's a way. Make your voters log in and also store the IP they log in with; if it changes 5k times per day you know. Also set CSRF tokens for every vote, in the session and in a cookie, and detect bots by checking whether they also download assets like images and CSS. – Lawrence Cherone Nov 24 '12 at 14:28
  • I just realized I forgot to mention voting is only possible once every 24 hours. I don't want to require user login; I doubt there's a million people willing to make an account, the majority would stop using my website for sure. I'm making it more interesting to use an account though, like removing waiting times and the CAPTCHA. They seem to like it. Limiting to 1 vote per 24 hours is easy because I can check on usernames instead of IPs. – Jason Nov 24 '12 at 14:36

1 Answer

I would recommend you implement some kind of IP trustworthiness mechanism, because IP addresses used by open proxies are often used for illegal things.
Many of these addresses get caught by honeypots and are blacklisted by several organisations. Have a look at Project Honeypot for example:
https://www.projecthoneypot.org/
It's a huge database and can be easily implemented in PHP using DNS lookup functions. Also
http://www.stopforumspam.com/
is pretty good and provides a REST interface if I remember correctly.
In addition to that there are hundreds of DNSBLs that blacklist various kinds of activities; have a look at some proxy DNSBLs:
http://spamlinks.net/filter-dnsbl-lists.htm or http://dnsbl.tornevall.org/ or http://www.sorbs.net/

Last but not least you can use common PHP methods for proxy blocking (the simplest one would be checking for the HTTP X-Forwarded header, though not all proxies provide it).
Continue reading here: https://meta.wikimedia.org/wiki/Proxy_blocking or here: Detect clients with Proxy Servers via PHP

Stefan
  • Those links are really useful, thank you! I've just looked up some IP addresses that voted for suspicious entries, and I've discovered quite a few are known as proxies in Project Honeypot. I'm going to look into those databases; it seems like a great method to me. – Jason Nov 24 '12 at 14:50
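The answer above describes two checks without showing them: a Project Honeypot http:BL lookup done with PHP's DNS functions, and a look at proxy headers such as X-Forwarded-For. The following is an added example (not code from the question, the answer, or Project Honeypot) putting both together. It assumes the documented http:BL query format (`<access-key>.<IPv4 octets reversed>.dnsbl.httpbl.org`, answered with `127.<days>.<threat score>.<type bitmask>`); the access key `abcdefghijkl`, the 203.0.113.7 address, the threat threshold and the `$fakeDns` resolver are constructed placeholders so the script runs offline.

```php
<?php
// Added example: http:BL lookup plus a proxy-header signal for a vote endpoint.
// The access key below is a placeholder; a real key comes from projecthoneypot.org.
declare(strict_types=1);

const HTTPBL_ZONE = 'dnsbl.httpbl.org';
const HTTPBL_TYPE_SUSPICIOUS = 1;   // type bitmask values documented by http:BL
const HTTPBL_TYPE_HARVESTER  = 2;
const HTTPBL_TYPE_SPAMMER    = 4;

// Build the query name: <key>.<octets reversed>.dnsbl.httpbl.org (IPv4 only).
function httpblQueryName(string $accessKey, string $ip): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;
    }
    $reversed = implode('.', array_reverse(explode('.', $ip)));
    return "{$accessKey}.{$reversed}." . HTTPBL_ZONE;
}

// Parse a 127.d.t.y answer into named fields; null means "not listed".
function parseHttpblAnswer(?string $answer): ?array
{
    if ($answer === null) {
        return null;
    }
    $parts = explode('.', $answer);
    if (count($parts) !== 4 || $parts[0] !== '127') {
        return null;
    }
    [, $days, $threat, $type] = array_map('intval', $parts);
    return [
        'days_since_last_activity' => $days,
        'threat_score'     => $threat,            // 0-255, higher is worse
        'is_search_engine' => $type === 0,        // type 0 = known search engine
        'is_suspicious'    => (bool) ($type & HTTPBL_TYPE_SUSPICIOUS),
        'is_harvester'     => (bool) ($type & HTTPBL_TYPE_HARVESTER),
        'is_spammer'       => (bool) ($type & HTTPBL_TYPE_SPAMMER),
    ];
}

// Look up one address. $resolve may be injected for tests; the default does a
// real A lookup. gethostbyname() returns its argument unchanged on NXDOMAIN,
// which is mapped to "not listed".
function httpblLookup(string $accessKey, string $ip, ?callable $resolve = null): ?array
{
    $name = httpblQueryName($accessKey, $ip);
    if ($name === null) {
        return null;
    }
    $resolve ??= static function (string $n): ?string {
        $a = gethostbyname($n);
        return $a === $n ? null : $a;
    };
    return parseHttpblAnswer($resolve($name));
}

// Decide whether a vote should be held for review. Proxy headers are supplied
// by the client and trivially forged, so they only raise a flag; they are never
// used as the "real" IP. Search-engine crawlers are excluded from the score rule.
function voteLooksProxied(array $server, ?array $httpbl, int $threatThreshold = 25): bool
{
    foreach (['HTTP_X_FORWARDED_FOR', 'HTTP_VIA', 'HTTP_FORWARDED'] as $header) {
        if (!empty($server[$header])) {
            return true;
        }
    }
    return $httpbl !== null
        && !$httpbl['is_search_engine']
        && $httpbl['threat_score'] >= $threatThreshold;
}

// Offline demonstration with a constructed resolver (no network access).
$key = 'abcdefghijkl';                       // placeholder access key
$fakeDns = static fn (string $n): ?string =>
    $n === "{$key}.7.113.0.203." . HTTPBL_ZONE ? '127.3.60.5' : null;

$listed   = httpblLookup($key, '203.0.113.7', $fakeDns);   // constructed: listed, type 5
$unlisted = httpblLookup($key, '203.0.113.8', $fakeDns);   // constructed: not listed

printf("203.0.113.7: threat=%d suspicious=%s spammer=%s -> hold=%s\n",
    $listed['threat_score'],
    $listed['is_suspicious'] ? 'yes' : 'no',
    $listed['is_spammer'] ? 'yes' : 'no',
    voteLooksProxied([], $listed) ? 'yes' : 'no');
printf("203.0.113.8 via header: hold=%s\n",
    voteLooksProxied(['HTTP_X_FORWARDED_FOR' => '10.0.0.1'], $unlisted) ? 'yes' : 'no');
printf("203.0.113.8 clean: hold=%s\n",
    voteLooksProxied([], $unlisted) ? 'yes' : 'no');
```

In production you would call `httpblLookup($key, $_SERVER['REMOTE_ADDR'])` on the vote request and cache the result per address for a while, since every vote otherwise costs a DNS round trip; a "hold for review" outcome is better than an outright reject, because DNSBL data lags and shared addresses (schools, mobile carriers) will produce false positives for exactly the young audience described in the question.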