NYCPHP Meetup

NYPHP.org

[nycphp-talk] strategy question: point accrual system and bots

csnyder chsnyder at gmail.com
Sat Oct 1 13:22:53 EDT 2005


On 9/30/05, Marc Antony Vose <suzerain at suzerain.com> wrote:

> I'm interested in people's strategies for preventing scripts or bots
> from continually submitting actions and accruing points for someone.
> In some cases, there are special things I can look for that will be
> the components of these actions, but I'm looking also for some kind
> of general strategy (special hash keys based on some random factor,
> etc. and so on).

From a purely technical point of view, this is a Really Hard Problem.
You mention hash keys and random factors, but remember that a bot will
necessarily have access to any secrets that you send to its human
owner. You can make scripting difficult, but you will never be able to
make it impossible. If the incentive to cheat is high enough, your
valued users will find ways around javascript voodoo, captchas,
rate-limiting, IP-address limitations and any other barriers you put
in their way.

As Billy Reisinger already pointed out, it is a much better idea to
concentrate on detecting and dealing with fraud rather than preventing
it outright. In other words, the solution to this problem is social
rather than technological.

First, define the acceptable-use envelope: how fast can a user
accumulate points? Are users allowed to team up? Are users allowed to
log in from multiple locations? Are users allowed to sell their points
on eBay? Write a plain-language Terms of Service that explains what
is acceptable, what is not, and how you intend to deal with attempts
at defrauding the system.

Then find or build tools to identify marathon sessions, speed-surfing,
repeated access patterns, and other obvious robot-like behavior or
cheating. Keep an eye on the top performers (total points) and the
fastest climbers (points earned in the last 24 hours).

Never underestimate the value of direct contact. If something looks
suspicious, contact the user -- in my experience, most cheaters will
cave in immediately when caught, and describe how they rigged your
system if you promise to fix it so that no one else can get away with
a similar hack.

It's not that rate-limiting and careful session handling are a waste
of time -- they aren't, and they are important for other reasons. They
just aren't particularly effective at preventing the kind of abuse you
are concerned about.

--
Chris Snyder
http://chxo.com/
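The detection side of the approach above, as an added Python example that is not from the post or the list: it computes, per user, total points, points in the last 24 hours, longest unbroken session, the tightest gap between actions and how regular those gaps are, then flags marathon sessions, speed-surfing, clockwork timing and anyone outside a daily envelope, and ranks the fastest climbers. The log format, the thresholds and the three sample users are assumptions constructed for the example.

```python
from collections import defaultdict
from itertools import accumulate
from statistics import mean, pstdev
# Thresholds below are assumptions for this example, not figures from the post.
DAY, SESSION_GAP, MARATHON_SECS = 86400, 1800, 6 * 3600   # seconds
MIN_GAP, REGULARITY_CV, MAX_POINTS_24H = 60, 0.05, 300
NOW = 1_000_000  # constructed sample log of (user, unix_ts, points) follows; not real data
LOG = [("alice", NOW - d, 10) for d in (2 * DAY, DAY + 1000, 40000, 7000, 3000, 100)]
LOG += [("bot1", t, 5) for t in accumulate([NOW - 20000] + [30] * 39)]  # hit every 30 s
LOG += [("grinder", t, 10) for t in                                      # ~10 h nonstop
        accumulate([NOW - 40000] + [300 * (1 + i % 3) for i in range(59)])]

def longest_session(times):
    """Longest run of sorted timestamps with no idle gap above SESSION_GAP (seconds)."""
    best, start = 0, times[0]
    for prev, t in zip(times, times[1:]):
        if t - prev > SESSION_GAP:
            best, start = max(best, prev - start), t
    return max(best, times[-1] - start)

def metrics(log, now):
    """Per-user stats; gap_cv is std/mean of inter-action gaps, ~0 means clockwork timing."""
    by_user = defaultdict(list)
    for user, ts, pts in log:
        by_user[user].append((ts, pts))
    out = {}
    for user, events in by_user.items():
        events.sort()
        times = [t for t, _ in events]
        gaps = [b - a for a, b in zip(times, times[1:])]
        out[user] = {"total": sum(p for _, p in events),
                     "last24h": sum(p for t, p in events if now - t <= DAY),
                     "longest_session": longest_session(times),
                     "min_gap": min(gaps, default=None),
                     "gap_cv": pstdev(gaps) / mean(gaps) if len(gaps) > 1 and mean(gaps) else None}
    return out

def flags(log, now):
    """Map each user to the heuristics tripped; an empty list means nothing to look at."""
    out = {}
    for user, m in metrics(log, now).items():
        cv, gap = m["gap_cv"], m["min_gap"]
        out[user] = [label for hit, label in (
            (m["longest_session"] > MARATHON_SECS, "marathon session"),
            (gap is not None and gap < MIN_GAP, "speed-surfing"),
            (cv is not None and cv < REGULARITY_CV, "clockwork timing"),
            (m["last24h"] > MAX_POINTS_24H, "over the 24h envelope")) if hit]
    return out
def fastest_climbers(log, now, n=3):  # most points in the last 24 h: worth a human look first
    m = metrics(log, now)
    return sorted(m, key=lambda u: m[u]["last24h"], reverse=True)[:n]
```

Each flag is only a reason to contact the user, as the post suggests, not a verdict; tune the thresholds to the envelope your Terms of Service actually defines.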
