对于你的特定问题(而不是一般问题)，一个潜在的解决方案是，如果用户想要看到“垃圾”，就要求他们登录。只向恰好登录的用户显示垃圾奖品。所有其他项目都可以对非登录用户保持可见，就像他们一直以来所做的那样。然后你的忠实用户就会优先考虑这些垃圾。

很明显，你必须通知你的用户这一点，也许会通知他们这是为了增加真正的用户发现垃圾的机会。

如果你的具体问题是机器人收集某种特定类型的物品，那么就采取限制性最小的替代方案，只防御这种特定的攻击。这个选项可以防止验证码和您所关心的可使用性问题。

如果机器人登录并开始发送垃圾邮件，您可以强制他们注销并锁定帐户。

如果他们只是为了得到一袋垃圾，他们会很快离开，你的页面不会受到大量的点击。忘掉那些高度技术性的解决方案吧。

You should have some record of the users who have purchased BOC most often, why not just ban those accounts or something. Sure legit users will be banned in this process but you are a business providing a product and if your are being abused by a group of users and such you have the right to refuse service to them. You have a lot of info on your users including paypal and bank accounts, you could ban those accounts forcing the bot users to get new accounts. Certainly I could come up with a script to buy BOC all the time or just download one from the net, but I have better morals than that. Never actually having successfully purchased BOC, I know the frustration of legit users who would like to receive a BOC in the hopes of getting a great deal. Perhaps instead of offering a BOC as an individual item every once and awhile, you could just give it to random users every day. When they receive an item they get a little note and and an additional item saying they also received a BOC. Then the only way someone could get a BOC is if they legitimately purchased something that only an actual human would have wanted. There would be nothing better than purchasing a coffee maker or something and also receiving a 42" tv or something in addition to your legitimate purchase. I think the majority of script kiddies would no longer be interested in your site if in order to get a BOC they would also have to commit to a purchase of more than 10 dollars.

开发一个首页组件和购物车，它们不能在浏览器中本机运行。如果你使用Flex/Flash或Silverlight之类的东西，就很难抓取，而且你可以完全控制服务器通信，因此可以完全屏蔽脚本编写者的内容。

我有一个解决方案(可能)没有列出(因为我还没有读完这里所有的……)

您可以通过浏览器的User Agent字符串跟踪唯一用户。从本质上讲，通过检查哪些信息是可用的“唯一”，你将能够获得足够的信息来区分不同的人(即使是在相同的IP地址上)。

看看EFF写的这篇文章 以及这个网站(也由EFF)，将“测试”你的独特只是基于你的用户代理从浏览器。

为了获得更好的唯一性，你可以在唯一性和ip地址的信息位之间进行比较，从而真正得到罪犯/机器人的可能性。

也从EFF签出这个pdf

两种解决方案，一种高科技，一种低科技。

First the high-tech: The BOC offerings sell out in a seconds because bots get many of them in the first few milliseconds. So instead of trying to defeat the bots, sell them what they are scanning for: a bag of crap. Worthless crap, of course: bent paper clips and defiled photos of Rosie O'Donnell. Then have built-in random delays on the server for a few seconds at a time. As the sale continues, the actual value of the product sold will increase while the sell price does not. That way the first buyers (bots in the first few milliseconds) will get something worth much less than what they paid (brown onion cakes?), the next buyers (slower bots or faster humans) will get something unspectacular but worth the purchase price (bought on consignment?), and the last buyers (almost all humans) will get something worth more than the purchase price (break out champagne?). That flat-screen TV might be in the very last BOC purchased.

任何等待太久的人都会错过机会，但与此同时，任何购买太快的人也会吃亏。诀窍在于等待一段时间……但不要太多。这里面有一些运气，这是应该的。

低技术含量的解决方案是将中国银行的名称改为人类可以理解但机器人不能理解的名称。酒皮屎?装着臭味的麻袋?与各种商品相邻的拓扑平面?不要重复使用相同的名称，使用稍微不同的图片，并在产品描述中解释实际销售的产品。

Restrict the times at which you release offers: For example: only from 7 minutes to 8 minutes past the start of an hour. Do not deviate from this, and give penalties on the order of a couple seconds to IPs which check a lot in the half hour before the release time. It then becomes advantageous for bot owners to only screen scrape for a couple minutes every hour instead of all. the. time. Also, because a normal person can check a site once every hour but not every second, you put normal people on a much more even footing with the bots.

饼干: 使用仅由唯一ID(数据库表的键)组成的跟踪cookie。对没有cookie的客户端、无效cookie、使用新IP的相同cookie的客户端或频繁使用cookie的客户端给予“发布延迟”。

识别可能的机器人: cookie将导致机器人为它们控制的每个IP请求多个cookie，这是可以跟踪的行为。只有一个发出的cookie的ip很可能是普通的客户端。有许多发出cookie的ip要么是大型NAT-ed网络，要么是一个机器人。我不知道你会如何区分这些，但公司可能更有可能拥有DNS服务器、网页之类的东西。