与其阻止可疑的ip，不如随着点击率/分钟的上升而减少你提供给一个地址的数据量。因此，如果机器人击中你超过一个秘密随机变化的阈值，它将不会看到数据。登录的用户总是能看到这些数据。经常访问服务器的登录用户将被迫重新验证身份，或者被给予验证码。

为什么你们不每次提供中行的时候都改一下名字和图片呢?看最新版本的BOC将成为追求乐趣的一部分。

Go after the money stream. It is much easier than tracking the IP side. Make bots pay too much a few times (announcement with white text on white background and all variants of it) kills their business case quickly. You should prepare this carefully, and make good use of the strong points of bots: their speed. Did you try a few thousand fake announcements a few seconds apart? If they are hitting ten times/second you can go even faster. You want to keep this up as long as they keep buying, so think carefully about the moment of the day/week you want to start this. Ideally, they will stop paying, so you can hand over your case to a bank. Make sure your site is fully generated, and each page access returns different page content (html, javascript and css). Parsing is more difficult than generating, and it is easy to build-in more variation than bot developers can handle. Keep on changing the content and how you generate it. You need to know how fast bots can adapt to changes you make, and preferably the timezone they are in. Is it one botnet or more, are they in the same timezone, a different one, or is it a worldwide developer network? You want your counterattack to be timed right. Current state of the art bots have humans enter captcha's (offered against porn/games). Make it unattractive to react very fast. Use hashes and honeypots, as Ned Batchelder explains.

(编辑) 你不能防御僵尸网络的说法是不对的。特别是我的第二个建议提供了充分的防御自动买家。不过，这需要你彻底重新思考你所使用的技术。您可能希望使用Seaside或直接在c中进行一些实验。

我同意OP在这里-请不要验证码-这不是一个非常woot的做事方式。

首先设置一些机器人陷阱。我会在主页上更经常地提到BOC，让机器人看起来不智能，所以每次措辞都不同。“中行投诉上升!”所以扫描关键词的机器人会被困住。

然而，我认为真正的问题是双重的，首先是你需要解决的性能问题，今天是机器人造成了一个问题，但它向我表明，有一个性能问题需要解决。

其次，这是一个商业机会，可以把一些真正的垃圾转化为利润。所以我将保持整体woot风格并声明“我们检查机器人”。如果我们认为你是机器人，你就会得到一盒垃圾。”

机器人检查将在销售完成后的某个时间离线完成，使用机器人陷阱，IP号码，cookie，会话，浏览器字符串等。对你获得的购买者数据做一些认真的分析，以决定谁得到了废话。如果你决定发布垃圾，那么你就可以把一些正常的垃圾卖给别人。

可能没有一个神奇的银弹来照顾机器人，但这些建议的组合可能有助于阻止他们，并将他们减少到一个更易于管理的数量。 如果您需要对这些建议进行任何澄清，请告诉我:

Any images that depict the item should be either always the same image name (such as "current_item.jpg") or should be a random name that changes for each request. The server should know what the current item is and will deliver the appropriate image. This image should also have a random amount of padding to reduce bots comparing image sizes. (Possibly changing a watermark of some sort to deter more sophisticated bots). Remove the ALT text from these images. This text is usually redundant information that can be found elsewhere on the pages, or make them generic alt text (such as "Current item image would be here"). The description could change each time a Bag of Crap comes up. It could rotate (randomly) between a number of different names: "Random Crap", "BoC", "Crappy Crap", etc... Woot could also offer more items at the "Random Crap" price, or have the price be a random amount between $0.95 and $1.05 (only change price once for each time the Crap comes up, not for each user, for fairness) The Price, Description, and other areas that differentiate a BoC from other Woots could be images instead of text. These fields could also be Java (not javaScript) or Flash. While dependent on a third-party plug-in, it would make it more difficult for the bots to scrape your site in a useful manner. Using a combination of Images, Java, Flash, and maybe other technologies would be another way to make it more difficult for the bots. This would be a little more difficult to manage, as administrators would have to know many different platforms. There are other ways to obfuscate this information. Using a combination of client-side scripting (javascript, etc) and server-side obfuscation (random image names) would be the most likely way to do it without affecting the user experience. Adding some obfuscating Java and/or Flash, or similar would make it more difficult, while possibly minimally impacting some users. Combine some of these tactics with some that were mentioned above: if a page is reloaded more than x times per minute, then change the image name (if you had a static image name suggested above), or give them a two minute old cached page. There are some very sophisticated things you could do on the back end with user behavior tracking that might not take too much processing. You could off-load that work to a dedicated server to minimize the performance impact. Take some data from the request and send it to a dedicated server that can process that data. If it finds a suspected bot, based on its behavior, it can send a hook to another server (front end routing firewall, server, router, etc OR back-end web or content server) to add some additional security to these users. maybe add Java applets for these users, or require additional information from the user (do not pre-fill all fields in the order page, making a different field empty each time randomly, etc).

看看ned Batchelder的这篇文章。他的文章是关于阻止垃圾邮件机器人的，但是同样的技术可以很容易地应用到您的站点。

而不是阻止机器人 人们可以识别自己，我们可以 通过增加难度来阻止机器人 为了让他们的帖子成功，或者 通过让他们无意中识别 他们自己就是机器人。这将删除 负担从人而来，而离去 评论形式免费可见的反垃圾邮件 措施。 这个技巧就是我预防的方法 这个网站上的垃圾邮件。它的工作原理。的 这里描述的方法不查看 根本就是内容。

其他一些想法:

创建一个官方的自动通知机制(RSS feed?Twitter?)当你的产品上市时，人们可以订阅它。这减少了人们编写脚本的需求。 在新商品上市前改变你的迷惑技巧。因此，即使编剧可以升级军备竞赛，他们也总是落后一天。

编辑:为了完全清楚，Ned在上面的文章中描述了通过防止BOT通过表单提交订单来防止自动购买物品的方法。他的技术并不能阻止机器人通过抓取主页来判断什么时候有Bandoleer of carrot出售。我不确定防止这种情况是否真的可能。

关于你对内德策略有效性的评论:是的，他讨论了蜜罐，但我不认为那是他最强的策略。他对SPINNER的讨论是我提到他的文章的最初原因。对不起，我在最初的帖子中没有说清楚:

转轮是一个隐藏字段，用于 一些东西:它将A哈希在一起 防止的值的数目 篡改和重播，并已习惯 模糊的字段名。旋转器是 MD5哈希值: 时间戳, 客户端的IP地址， 被评论的博客条目的条目id，以及 一个秘密。

以下是你如何在WOOT.com上实现它:

每次有新商品出售时，更改作为散列一部分的“secret”值。这意味着，如果有人打算设计一个BOT来自动购买物品，它只会在下一个物品开始销售之前起作用!!

即使有人能够快速重建他们的机器人，所有其他实际用户都已经购买了BOC，你的问题就解决了!

他讨论的另一个策略是不时地改变蜜罐技巧(同样，当新产品上市时改变它):

Use CSS classes (randomized of course) to set the fields or a containing element to display:none. Color the fields the same (or very similar to) the background of the page. Use positioning to move a field off of the visible area of the page. Make an element too small to show the contained honeypot field. Leave the fields visible, but use positioning to cover them with an obscuring element. Use Javascript to effect any of these changes, requiring a bot to have a full Javascript engine. Leave the honeypots displayed like the other fields, but tell people not to enter anything into them.

我想我的总体想法是在每个新产品上市时改变形式设计。或者至少，当一款新的中行上市时，它会有所改变。

一个月几次吗?