如果你不能打败他们……改变规则!

为什么不提供一个比编剧为自己创造的更好的系统呢? 修改你的网站，让不使用机器人脚本的人更公平。人们注册(CAPTCHA或电子邮件验证)，并有效地进入彩票比赛中获胜!

“获胜”让游戏更有趣。每个人支付一小笔报名费，获胜者就能以更低的价格获得产品

Provide an RSS feed so they don't eat up your bandwidth. When buying, make everyone wait a random amount of time of up to 45 seconds or something, depending on what you're looking for exactly. Exactly what are your timing constraints? Give everyone 1 minute to put their name in for the drawing and then randomly select people. I think this is the fairest way. Monitor the accounts (include some times in the session and store it?) and add delays to accounts that seem like they're below the human speed threshold. That will at least make the bots be programmed to slow down and compete with humans.

这里最重要的事情是改变系统，从你的服务器上移除负载，防止机器人在不让奶瓶商知道你在和他们玩游戏的情况下赢得这袋垃圾，否则他们会修改他们的策略。我认为如果你们不进行一些处理，就没有办法做到这一点。

So you record hits on your home page. Whenever someone hits the page that connection is compared to its last hit, and if it was too quick then it is sent a version of the page without the offer. This can be done by some sort of load balancing mechanism that sends bots (the hits that are too fast) to a server that simply serves cached versions of your home page; real people get sent to the good server. This takes the load off the main server and makes the bots think that they are still being served the pages correctly.

如果这个提议能以某种方式被拒绝就更好了。然后你仍然可以在假服务器上提供报价，但当机器人填写表格时，说“对不起，你不够快”:)然后他们肯定会认为他们还在游戏中。

我将要描述的方法有两个要求。1) Javascript被强制执行2)一个具有有效http://msdn.microsoft.com/en-us/library/bb894287.aspx浏览器会话的web浏览器。

如果没有其中任何一个，你就是“故意”倒霉的。互联网被设计成允许匿名客户查看内容。简单的HTML没有办法解决这个问题。哦，我只是想说，简单的，基于图像的验证码很容易被击败，甚至作者也承认这一点。

Moving along to the problem and the solution. The problem is in two parts. The first is that you cannot block out an individual for "doing bad things". To fix this you setup a method that takes in the browsers valid session and generate a md5sum + salt + hash (of your own private device) and send it back to the browser. The browser then is REQUIRED to return that hashed key back during every post / get. If you do not ever get a valid browser session, then you reply back with "Please use a valid web browser blah blah blah". All popular browsers have valid browser session id's.

现在我们至少有了该浏览器会话的标识(我知道它不会永久锁定，但是通过简单的脚本很难“更新”一个浏览器会话)，我们可以有效地锁定一个会话(例如;让脚本编写人员很难访问你的网站，而不会对有效用户造成任何惩罚)。

Now this next part is why it requires javascript. On the client you build a simple hash for each character that comes from the keyboard versus the value of the text in the textarea. That valid key comes over to the server as a simple hash and has to be validated. While this method could easily be reverse engineered, it does make it one extra hoop that individuals have to go through before they can submit data. Mind you this only prevents auto posting of data, not DOS with constant visits to the web site. If you even have access to ajax there is a way to send a salt and hash key across the wire and use javascript with it to build the onkeypress characters "valid token" that gets sent across the wire. Yes like I said it could easily be reversed engineered, but you see where I am going with this hopefully.

现在为了防止不断的交通滥用。有几种方法可以在给定有效的会话id后建立模式。这些模式(即使使用Random来抵消请求时间)的epsilon比人类试图重现相同的误差范围时要低。由于您有一个会话ID，并且您有一个“看起来像一个bot”的模式，那么您可以用一个简单的轻量级响应屏蔽该会话，该响应是20字节而不是200000字节。

You see here, the goal is to 1) make the anonymous non-anonymous (even if it's only per session) and 2) develop a method to identify bots vs. normal people by establishing patterns in the way they use your system. You can't say that the latter is impossible, because I have done it before. While, my implementations were for tracking video game bots I would seem to think that those algorithms for identifying a bot vs. a user can be generalized to the form of web site visits. If you reduce the traffic that the bots consume you reduce the load on your system. Mind you this still does not prevent DOS attacks, but it does reduce the amount of strain a bot produces on the system.

所以问题似乎是:机器人想要他们的“一袋垃圾”，因为它有很高的感知价值，以较低的感知价格。有时候你提供这个道具，机器人就会潜伏，等着看它是否可用，然后它们就会购买这个道具。

既然机器人所有者似乎正在盈利(或潜在盈利)，诀窍就是通过鼓励他们购买垃圾来让他们无利可图。

首先，总是提供“一袋垃圾”。

其次，确保那些废话通常都是废话。

第三，频繁地轮换垃圾。

简单的,不是吗?

你需要一个永久的“为什么我们的垃圾有时是垃圾?”链接，以向人类解释发生了什么。

当机器人看到有垃圾并且自动购买垃圾时，接收者会因为他们花了10美元买了一根坏牙签而非常沮丧。然后是一个空垃圾袋。然后是你鞋底的泥土。

If they buy enough of this crap in a relatively short period of time (and you have large disclaimers all over the place explaining why you're doing this), they're going to lose a fair "bag 'o cash" on your "bag 'o crap". Even human intervention on their part (checking to ensure that the crap isn't crap) can fail if you rotate the crap often enough. Heck, maybe the bots will notice and not buy anything that's been in the rotation for too short a time, but that means the humans will buy the non-crap.

见鬼，你的老客户可能会很开心，因为你可以把这变成一个巨大的营销胜利。开始发布“垃圾”鲤鱼卖了多少。人们会回来看看机器人被咬得有多厉害。

更新:我预计你可能会接到一些投诉电话。我不认为你能完全停止。然而，如果这杀死了机器人，你总是可以停止它，并在以后重新启动它。

我的解决方案是，通过为“机器人和脚本”设置大约10分钟的延迟，让屏幕抓取变得毫无价值。

以下是我的做法:

记录并识别任何重复作案的人。

你不需要记录每次点击的每个IP地址。大概每20次点击只录一次。一个惯犯仍然会在随机的偶尔跟踪中出现。

保留大约10分钟前页面的缓存。 当重复攻击者/机器人攻击您的网站时，给他们10分钟前的缓存页面。

他们不会马上意识到他们得到的是一个旧网站。他们可以把它刮掉，但他们不会再赢得任何比赛了，因为“真人”会有10分钟的领先优势。

好处:

没有麻烦或问题的用户(如验证码)。 完全在服务器端实现。(不依赖Javascript/Flash) 提供一个较旧的缓存页面的性能强度应该小于活动页面。这样实际上可以减少服务器的负载!

缺点

需要跟踪一些IP地址 需要保持和维护旧页面的缓存。