假定原则:

第一个屏幕必须是非常简单的低开销HTML，带有一个易于识别的按钮(游戏邦注:无论是机器人还是玩家)，以明确表示“我想要我的垃圾”。因为我们假设了最坏的情况-你有来自机器人和非机器人组合的DOS攻击，所有人都首先点击网站(就可识别性而言)。所以让我们尽快把这些从缓存，良性回声机器人等中分发出去。

(注:就追求者而言，这就是发生的事情;这对用户和Woot来说都是痛苦的，所以任何有助于吸收或缓解首次屏幕获取的内容都符合三方的利益。)

然后，对于非机器人来说，这个过程不需要比现在更糟糕，对于正版机器人来说，不需要额外的步骤(或痛苦)。(关于当前设计的背景说明:当前的wooters通常已经签约，或者可以在购买过程中签约。新买家需要在购买时进行注册。所以实际上已经注册和已经登录会更快。)

为了完成垃圾销售，需要导航一系列交易屏幕(比如5个正负，取决于具体情况)。获胜者是第一个完成全部导航的人。当前进程奖励那些最快完成整个5个屏幕序列的机器人(或其他人);但整个进程都偏向于快速响应(即机器人)。

毫无疑问，机器人将在第一个屏幕上占据优势;无论他们在这一点上取得了什么优势，他们都会在剩下的屏幕上保持下去，再加上身体在其他阶段提供的任何优势。

What if Woot were to intentionally decouple the queuing process after the first screen, and feed every session from that point into a sequence of fixed-minimum-time steps? The second screen wouldn't even be presented until 30 seconds had passed; after it was submitted, same for the following screens. I bet wooters would have no problem if they were told that, after the first screen, they would wait in a queue (which is already true) that would spread the load over time in a way that should take no longer than before, be more robust, and help weed out the bots. At this point you can throw in some of the bot speedbumps listed above (subtle variations in DOM objects, etc.) Just the benefit from the perception that Woot is a little more in control of things would help.

If a much higher proportion of the BOC initial hits could segue into a bot-unfriendlier non-time-critical process on their first hit (or close to it), rather than retrying, then real people who get past that point would have more confidence. For sure it would be less hostile than the current situation. It might cut down on the background-noise-ambient-bot-rate that's going on all the time even under normal Woot-Off circumstances. And the bots would lay off the main page and sit in the queue with each other (and everyone else) where they have no advantage.

Hmmm... The concept "apartment-threaded" comes to mind. I wonder if the pattern is approximately useful? A useful core concept here is being able, after the first screen, to track accumulated total time in queue and be able to adjust to standard. As a bot-mitigation strategy, you would have a little bit of flexibility to maybe fudge the very earliest sessions by maybe 5-10 seconds; doing so would probably be undetectable, but would result in a richer non-bot purchase mix. I'm sure you have statistics to help evaluate stuff like this after the fact. Just for fun, you could (at least for one wootoff) put together your own bot that combines the best features you've seen, and then hand it out to everyone the day before. Then at least everyone would be equally armed. (Then duck ... incoming ...)

没有完全修复，但我在这里还没看到。

跟踪“砰”的地址，并张贴免责声明，说BOC/物品将不会被运送到任何不遵守你的TOS的地址。

这将对一些人产生心理影响，而其他想要利用您的站点的人将不得不切换方法，但您将否定他们的一个途径。

你们为什么不封杀那些被你们认定为机器人的用户的信用卡呢?

在你的网站上发布使用机器人是非法的 找到识别机器人的某些启发式方法(例如，可以通过短期IP跟踪或通过它们检查表单所需的时间来完成) 如果你标记为机器人的人购买了该商品，冻结他的信用卡以备将来使用 下次他想买东西的时候，不让他买，把商品退回库存

我想即使是专业人士最终也会用完信用卡的。

一旦装瓶者放弃你，你的服务器负载就会随着时间而减少。另一个想法是在不同的服务器之间分离页面——例如，RSS提要在一个服务器上，主页在另一个服务器上，结帐在另一个服务器上。

祝你好运。

Go after the money stream. It is much easier than tracking the IP side. Make bots pay too much a few times (announcement with white text on white background and all variants of it) kills their business case quickly. You should prepare this carefully, and make good use of the strong points of bots: their speed. Did you try a few thousand fake announcements a few seconds apart? If they are hitting ten times/second you can go even faster. You want to keep this up as long as they keep buying, so think carefully about the moment of the day/week you want to start this. Ideally, they will stop paying, so you can hand over your case to a bank. Make sure your site is fully generated, and each page access returns different page content (html, javascript and css). Parsing is more difficult than generating, and it is easy to build-in more variation than bot developers can handle. Keep on changing the content and how you generate it. You need to know how fast bots can adapt to changes you make, and preferably the timezone they are in. Is it one botnet or more, are they in the same timezone, a different one, or is it a worldwide developer network? You want your counterattack to be timed right. Current state of the art bots have humans enter captcha's (offered against porn/games). Make it unattractive to react very fast. Use hashes and honeypots, as Ned Batchelder explains.

(编辑) 你不能防御僵尸网络的说法是不对的。特别是我的第二个建议提供了充分的防御自动买家。不过，这需要你彻底重新思考你所使用的技术。您可能希望使用Seaside或直接在c中进行一些实验。

将道具卖给非脚本人。 保持网站运行的速度不被机器人减慢。 不要让“正常”用户完成任何任务来证明他们是人类。

你可能不想听这个，但是第一条和第三条是相互排斥的。

Well, nobody knows you're a bot either. There's no programatic way to tell the whether or not there's a human on the other end of the connection without requiring the person to do something. Preventing scripts/bots from doing stuff on the web is the whole reason CAPTCHAs were invented. It's not like this is some new problem that hasn't seen a lot of effort expended on it. If there were a better way to do it, one that didn't involve the hassle to real users that a CAPTCHA does, everyone would be using it already.

我认为你需要面对这样一个事实，如果你想让机器人远离你的订购页面，一个好的验证码是唯一的方法。如果对你的随机垃圾的需求足够高，人们愿意付出这些代价来获得它，合法用户就不会被验证码吓跑。

为什么不将内容设置为CAPTCHA?

On the page where you display the prize, always have an image file in the same location with the same name, when a bag o crap sale is on, dynamically generate and load an image with the text etc advertising the prize, when no sale is on just have some default image that integrates well with the site. Seems like its the same concept as CAPTCHA... if the bot cannot figure out the meaning of the image they will not be able to "win" it, if they can they would have been able to figure out your CAPTCHA images anyways.