从没想过我会推荐闪光灯，但是闪光灯呢?不管是不是交易时间，让服务器发送异步加密内容到flash文件信号。只要响应是相同大小的交易或没有交易，机器人就不能分辨它是哪一个。

在更一般的层面上，您需要关注人类和浏览器拥有的资源，而脚本机器人没有，并利用对人类/浏览器来说容易而对机器人来说很难的东西。验证码显然是一个简单的尝试，但不适合你的网站，因为你说。Flash将淘汰大量的机器人，只留下驱动真正浏览器的(较慢的)机器人。解决方案可能比验证码简单得多，如果它只需要用户点击正确的位置。

利用人类的大规模并行图像处理能力!

Provide an RSS feed so they don't eat up your bandwidth. When buying, make everyone wait a random amount of time of up to 45 seconds or something, depending on what you're looking for exactly. Exactly what are your timing constraints? Give everyone 1 minute to put their name in for the drawing and then randomly select people. I think this is the fairest way. Monitor the accounts (include some times in the session and store it?) and add delays to accounts that seem like they're below the human speed threshold. That will at least make the bots be programmed to slow down and compete with humans.

所以问题似乎是:机器人想要他们的“一袋垃圾”，因为它有很高的感知价值，以较低的感知价格。有时候你提供这个道具，机器人就会潜伏，等着看它是否可用，然后它们就会购买这个道具。

既然机器人所有者似乎正在盈利(或潜在盈利)，诀窍就是通过鼓励他们购买垃圾来让他们无利可图。

首先，总是提供“一袋垃圾”。

其次，确保那些废话通常都是废话。

第三，频繁地轮换垃圾。

简单的,不是吗?

你需要一个永久的“为什么我们的垃圾有时是垃圾?”链接，以向人类解释发生了什么。

当机器人看到有垃圾并且自动购买垃圾时，接收者会因为他们花了10美元买了一根坏牙签而非常沮丧。然后是一个空垃圾袋。然后是你鞋底的泥土。

If they buy enough of this crap in a relatively short period of time (and you have large disclaimers all over the place explaining why you're doing this), they're going to lose a fair "bag 'o cash" on your "bag 'o crap". Even human intervention on their part (checking to ensure that the crap isn't crap) can fail if you rotate the crap often enough. Heck, maybe the bots will notice and not buy anything that's been in the rotation for too short a time, but that means the humans will buy the non-crap.

见鬼，你的老客户可能会很开心，因为你可以把这变成一个巨大的营销胜利。开始发布“垃圾”鲤鱼卖了多少。人们会回来看看机器人被咬得有多厉害。

更新:我预计你可能会接到一些投诉电话。我不认为你能完全停止。然而，如果这杀死了机器人，你总是可以停止它，并在以后重新启动它。

You should have some record of the users who have purchased BOC most often, why not just ban those accounts or something. Sure legit users will be banned in this process but you are a business providing a product and if your are being abused by a group of users and such you have the right to refuse service to them. You have a lot of info on your users including paypal and bank accounts, you could ban those accounts forcing the bot users to get new accounts. Certainly I could come up with a script to buy BOC all the time or just download one from the net, but I have better morals than that. Never actually having successfully purchased BOC, I know the frustration of legit users who would like to receive a BOC in the hopes of getting a great deal. Perhaps instead of offering a BOC as an individual item every once and awhile, you could just give it to random users every day. When they receive an item they get a little note and and an additional item saying they also received a BOC. Then the only way someone could get a BOC is if they legitimately purchased something that only an actual human would have wanted. There would be nothing better than purchasing a coffee maker or something and also receiving a 42" tv or something in addition to your legitimate purchase. I think the majority of script kiddies would no longer be interested in your site if in order to get a BOC they would also have to commit to a purchase of more than 10 dollars.

2件事:

服务器层解决方案:mod_eveful(如果你使用apache)

http://www.zdziarski.com/projects/mod_evasive/

前端解决方案:反向验证码，或其他非侵入式验证码

http://www.ccs.uottawa.ca/webmaster/reverse-captcha.html

为此目的，我使用Cloudflare，因为它不会影响我的网站，但会自动阻止任何恶意用户的验证码，并为您提供更多的功能。