我将要描述的方法有两个要求。1) Javascript被强制执行2)一个具有有效http://msdn.microsoft.com/en-us/library/bb894287.aspx浏览器会话的web浏览器。

如果没有其中任何一个，你就是“故意”倒霉的。互联网被设计成允许匿名客户查看内容。简单的HTML没有办法解决这个问题。哦，我只是想说，简单的，基于图像的验证码很容易被击败，甚至作者也承认这一点。

Moving along to the problem and the solution. The problem is in two parts. The first is that you cannot block out an individual for "doing bad things". To fix this you setup a method that takes in the browsers valid session and generate a md5sum + salt + hash (of your own private device) and send it back to the browser. The browser then is REQUIRED to return that hashed key back during every post / get. If you do not ever get a valid browser session, then you reply back with "Please use a valid web browser blah blah blah". All popular browsers have valid browser session id's.

现在我们至少有了该浏览器会话的标识(我知道它不会永久锁定，但是通过简单的脚本很难“更新”一个浏览器会话)，我们可以有效地锁定一个会话(例如;让脚本编写人员很难访问你的网站，而不会对有效用户造成任何惩罚)。

Now this next part is why it requires javascript. On the client you build a simple hash for each character that comes from the keyboard versus the value of the text in the textarea. That valid key comes over to the server as a simple hash and has to be validated. While this method could easily be reverse engineered, it does make it one extra hoop that individuals have to go through before they can submit data. Mind you this only prevents auto posting of data, not DOS with constant visits to the web site. If you even have access to ajax there is a way to send a salt and hash key across the wire and use javascript with it to build the onkeypress characters "valid token" that gets sent across the wire. Yes like I said it could easily be reversed engineered, but you see where I am going with this hopefully.

现在为了防止不断的交通滥用。有几种方法可以在给定有效的会话id后建立模式。这些模式(即使使用Random来抵消请求时间)的epsilon比人类试图重现相同的误差范围时要低。由于您有一个会话ID，并且您有一个“看起来像一个bot”的模式，那么您可以用一个简单的轻量级响应屏蔽该会话，该响应是20字节而不是200000字节。

You see here, the goal is to 1) make the anonymous non-anonymous (even if it's only per session) and 2) develop a method to identify bots vs. normal people by establishing patterns in the way they use your system. You can't say that the latter is impossible, because I have done it before. While, my implementations were for tracking video game bots I would seem to think that those algorithms for identifying a bot vs. a user can be generalized to the form of web site visits. If you reduce the traffic that the bots consume you reduce the load on your system. Mind you this still does not prevent DOS attacks, but it does reduce the amount of strain a bot produces on the system.

让用户在原价和更高的价格之间做出选择。 你必须找到某种方法，将按钮与它们各自的价格联系起来——颜色、位置，也许还有按钮的“情感内涵”——这很难通过编程来确定，但只需要用户将按钮与价格联系起来。 对用户来说简单，直观，没有麻烦，但对脚本编写人员来说困难，更重要的是，有风险——特别是如果您改变了关联方法。

为此目的，我使用Cloudflare，因为它不会影响我的网站，但会自动阻止任何恶意用户的验证码，并为您提供更多的功能。

想出一种识别机器人的方法如何，可能是基于IP，但不阻止他们访问网站，只是不允许他们实际购买任何东西。也就是说，如果他们买了，他们实际上并没有得到它，因为机器人违反了使用条款。

我可能没有完全理解这个问题，但我想到了这个主意。使用AJAX以固定的间隔绘制和更新动态内容，同时使用刷新故意减慢整个页面的加载速度。

例如，让整个页面在第一次访问时花整整15秒绘制，之后在设定的时间(比如5秒)后使用AJAX自动刷新动态内容。重载整个页面将是一个主要的缺点。页面可能会定期显示新信息(包括广告)，但是使用重载重绘整个页面会慢得多。

脚本kiddies可以找出AJAX查询并将其自动化，但是，对来自同一IP的请求进行速率限制也很容易。由于标准人类用户没有从浏览器发起这些请求的典型方法，因此很明显，从同一IP向AJAX URL发起的高速率请求将由某种形式的自动化系统发起。

CAPTCHA的问题在于，当你在Woot上看到垃圾促销时，作为消费者，如果你希望收到你的垃圾包，你就必须迅速采取行动。所以，如果你要使用一种形式的验证码，对客户来说必须非常快。

What if you had a large image, say 600 x 600 that was just a white background and dots of different colors or patterns randomly placed on the image. The image would have an image map on it. This map would have a link mapped to small chunks of the image. Say, 10 x 10 blocks. The user would simply have to click on the specific type of dot. It would be quick for end the user and it would somewhat difficult for a bot developer to code. But this alone may not be that difficult for a good bot creator to get past. I would add ciphered URLs.

以前我在开发一个系统，可以对url进行加密。如果这些页面上的每个URL都用随机的IV加密，那么它们对机器人来说都是唯一的。我设计这个是为了迷惑探测机器人。我还没有完成的技术，但我有一个小网站编码，功能在这个庄园。

虽然这些建议并不是一个完整的解决方案，但它们会使构建一个工作机器人变得更加困难，同时仍然易于人类使用。