Hunting cheaters in a voting competition

Question

Currently we are running a competition which proceeds very well. Unfortunately we have all those cheaters back in business who are running scripts which automatically vote f

Answer 1

Direct feedback elimination

This is more of a general strategy that can be combined with many of the other methods. Don't let the spammer know if he succeeds.

You can either hide the current results altogether, only show percentages without absolute number of votes or delay the display of the votes.

• Pro: good against all methods
• Con: if the fraud is massive, percentage display and delay won't be effective

Vote flagging

Also a general strategy. If you have some reason to assume that the vote is by a spammer, count their vote and mark it as invalid and delete the invalid votes at the end.

• Pro: good against all detectable spam attacks
• Con: skews the vote, harder to set up, false positives

Captcha

Use a CAPTCHA. If your Captcha is broken, use a better one.

• Pro: good against all automated scripts.
• Con: useless against pharygulation

IP checking

Limit the number of votes an IP address can cast in a timespan.

• Pro: Good against random dudes who constantly hit F5 in their browser
• Pro: Easy to implement
• Con: Useless against Pharyngulation and elaborate scripts which use proxy servers.
• Con: An IP address sometimes maps to many different users

Referrer checking

If you assume that one user maps one IP address, you can limit the number if votes by that IP address. However this assumption usually only holds true for private households.

• Pro: Easy to implement
• Pro: Good against simple pharyngulation to some extent
• Con: Very easy to circumvent by automated scripts

Email Confirmation

Use Email confirmation and only allow one vote per Email. Check your database manually to see if they are using throwaway-emails.

Note that you can add +foo to your username in an email address. username@example.com and username+foo@example.com will both deliver the mail to the same account, so remember that when checking if somebody has already voted.

• Pro: good against simple spam scripts
• Con: harder to implement
• Con: Some users won't like it

HTML Form Randomization

Randomize the order of choices. This might take a while for them to find out.

• Pro: nice to have anyways
• Con: once detected, very easy to circumvent

HTTPS

One method of vote faking is to capture the http request from a valid browser like Firefox and mimic it with a script, this doesn't work as easy when you use encryption.

• Pro: nice to have anyway
• Pro: good against very simple scripts
• Con: more difficult to set up

Proxy checking

If the spammer votes via proxy, you can check for the X-Forwarded-For header.

• Pro: good against more advanced scripts that use proxies
• Con: some legitimate users can be affected

Cache checking

Try to see if the client loads all the uncached resources. Many spambots don't do this. I never tried this, I just know that this isn't checked usually by voting sites.

An example would be embedding <img src="a.gif" /> in your html, with a.gif being some 1x1 pixel image. Then you have to set the http header for the request GET /a.gif with Cache-Control "no-cache, must-revalidate". You can set the http headers in Apache with your .htaccess file like this. (thanks Jacco)

• Pro: uncommon method as far as I know
• Con: slightly harder to set up

[Edit 2010-09-22]

Evercookie

• A so-called evercookie can be useful to track browser-based spammers

Answer 2

Sorry for the double post, but I wasn't allowed to post two URLs in the same post...

If you're looking at building your own tracking, maybe this link might provide some inspiration: https://panopticlick.eff.org/ Turns out that a lot of browsers can be uniquely identified, even without any form of tracking cookies. I'm guessing a vote-bot might give a very specific fingerprint?

Answer 3

The Vote to Promote pattern (you may be aware of it) has a section on how to mitigate against gaming - but it is a tricky one to avoid altogether. Given your actions to date I would consider using weighting, for example consider a reasonable level of voting over a time period, say 10 votes per ting per hour (just an example not a guide) and for surplus votes weight the next 10 at 90% (ie only count 9), the next 10 at 80% and so on. This is Yahoo's advice on gaming within this pattern:

Community voting systems do present a number of challenges. Particularly the possibility that members of the community may try to game the system, out of any number of motivations:

• malice - perhaps against another member of the community and that member's contributions.

• gain - to realize some reward, monetary or otherwise, from influencing the placement of certain items in the pool)

• or an overarching agenda - always promoting certain viewpoints or political statements, with little regard for the actual quality of the content being voted for.

There are a number of ways to attempt to safeguard against this type of abuse. Though nothing can stop gaming altogether. Here are some ways to minimize or hinder abusers in their efforts:

• Vote for things, not people. In keeping with Yahoo's general strategy, don't offer users the ability to directly vote on another user: their looks, their likeability, intelligence, or anything else. It's OK for the community to vote on a person's contributions, but not on the quality of their character.

  • Consider rate-limiting of votes. o Only allow the user a certain number of votes within a given time-period. o Limit the number of times (or the rate at which) a user votes down a particular user's content. (To prevent ad-hominem attacks.)

  • Weigh other factors besides just the number of votes. Digg, for instance, does not calculate their Digg-score solely on the number of votes a submission receives. Their algorithm also considers: "story source (is it a blog repost, or the original story), user history, traffic levels of the category the story falls under, and user reports." They update this algorithm frequently. Consider keeping the exact algorithm a secret from the community, or only discuss the factored inputs in general terms.

• If relationship information is available consider weighting user votes accordingly. Perhaps prohibit users with formal relationships from voting for each other's submissions.

While this is currently a popular pattern on the Web, it is important to consider the contexts in which we use it. Very active and popular communities (Digg is an excellent example) that enable community-voting can also engender a certain negativity of spirit (mean comments, opinionated cliques, group attacks on 'outlier' viewpoints).

Answer 4

I use a combination of CAPTCHA, IP verification and LSO (Flash Local Shared Objects, hard to find and delete for common people).

Answer 5

So if everyone ever wants to make a competition where people can win something and wanna use a community driven rating system... here i share some experiences:

The bad:
1) First it cant be made secure for 100%
2) to reach a mass of users which filters out all the nonsense ratings is very hard 3) Forget about star ratings in that case... their is always either 5 Stars or 1 Star

The good
1) Dont give them orientation about where they stand... We replaced the "Order by place" view with a random presentation of the TOP 100 (only the top 30 wll win a price)... This really helped because a lot of users lost their interest as soon as they didnt see where they stood.

2) Don't allow votings like: 1x5_Stars 40x1_Star... Just allow users which vote in a fair way...

3) Most of them act a little bit stupid... You'll see them in your logs and can trace down who votes fair and who unfair... Search for patterns...

**GOOD LUCK ;-) **

Answer 6

To prevent the bots from voting you can use CAPTCHA.