We have a service where we literally give away free money.
Naturally said service is ripe for abuse. To defend against this we do the following:
- log ip address
- use unique email addresses (only 1 acct/email addy)
- collect more info like st. address, phone number, etc.
- use signup captcha
- BHOs (I've seen poker rooms use these)
Now, let's get real here -- NONE of this will stop a determined user.
Obviously IP addresses can be changed via a proxy (which could be blacklisted via akismet) but change anyway if the user has a dynamic IP or if more than one user is behind a NAT'd network (can we say almost everyone?).
I can sign up for thousands of unique email addresses each hour -- this is no defense.
I can put in fake information taken from lists for street addresses and phone numbers.
I can buy captchas from captcha solving services (1k for $5).
BHOs seem only effective for downloadable software -- this is a website.
What are some other ways to prevent multiple users from abusing the service? How do all the PPC people control click fraud?
I know we could actually call the person but I don't think we are trying to do that anytime soon.
Thanks,
It's pretty difficult to generate lots of fake phone numbers that can send and receive SMS messages. SMS verification could go a long way towards cutting down on fraud. Of course, it also limits you to giving away free money to cell phone owners.
I think only way is to bind your users accounts to 'real world' information, like his/her passport number, for instance. Of course, you'll need to make sure that information is securely stored and to find some way to validate it.
Re: signing up for new email accounts...
A user doesn't even need to do that. Please feel free to send your mail to [email protected], or [email protected], or [email protected], or [email protected]. I haven't registered any of those email addresses, but all of them will work.
Those domains are owned by ManyBrain, and they (and probably others as well) set the domain to accept any email user. ManyBrain in particular then makes the inboxes for those emails publicly accessible without any registration (stripping everything but text from the email and deleting old mail). Check it out: [email protected]'s email inbox!
Others have mentioned ways to try and keep user identities unique. This is just one more reason to not trust email addresses.
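As an added example (not code from this thread), here is a Python signup screen that turns the question's own controls and the answer above into checks a defender can actually run: alias variants of one mailbox (plus tags, Gmail dots) are collapsed so the "thousands of unique email addresses" count as one, domains known to accept any user (as the ManyBrain answer describes) are flagged, and signups are rate-limited per IP instead of blocking the IP outright, so a few users behind one NAT are not locked out. The domain list and the thresholds are constructed placeholders.

```python
# Added example: a defender-side signup screen (not from the original thread).
# Collapses alias variants of one mailbox, flags catch-all / disposable
# domains and rate-limits per IP without hard-blocking shared NAT addresses.
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed placeholder list; a real deployment maintains its own feed.
DISPOSABLE_DOMAINS = {"example-throwaway.test", "catchall.example"}
MAX_SIGNUPS_PER_IP_PER_HOUR = 5   # tolerates a few users behind one NAT
WINDOW_SECONDS = 3600


def normalize_email(addr: str) -> str:
    """Map alias variants (plus tags, Gmail dots) to one canonical mailbox."""
    local, _, domain = addr.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]            # drop any +tag suffix
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")        # Gmail ignores dots
        domain = "gmail.com"
    return f"{local}@{domain}"


@dataclass
class SignupScreen:
    seen_mailboxes: set = field(default_factory=set)
    ip_history: dict = field(default_factory=lambda: defaultdict(deque))

    def check(self, email: str, ip: str, now: float) -> list:
        """Return the risk flags for this signup attempt (empty list = allow)."""
        flags = []
        mailbox = normalize_email(email)
        if mailbox.rpartition("@")[2] in DISPOSABLE_DOMAINS:
            flags.append("disposable_domain")
        if mailbox in self.seen_mailboxes:
            flags.append("duplicate_mailbox")
        hist = self.ip_history[ip]
        while hist and now - hist[0] > WINDOW_SECONDS:
            hist.popleft()                    # forget attempts outside the window
        if len(hist) >= MAX_SIGNUPS_PER_IP_PER_HOUR:
            flags.append("ip_velocity")
        # Record every attempt, flagged or not, so repeated probing stays visible.
        hist.append(now)
        self.seen_mailboxes.add(mailbox)
        return flags
```

Flags are returned rather than acted on, so the caller can decide per flag whether to refuse, delay payout, or just log for review.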
First, I suppose (hope) that you don't literally give away free money but rather give it to use your service or something like that.
That matters as there is a big difference between users trying to just get free money from you they can spend on buying expensive cars vs only spending on your service which would be much more limited.
Obviously many more users will try to fool the system in the former than in the latter case.
Why does it matter? Because it is all about the balance between your control vs your user annoyance. I see many answers concentrating on the control part, so let's go through annoyance, shall we?
Log IP address. What if I am the next guy on the computer in, say, an internet shop and the guy before me already used that IP? The other guy left your hot page that I now see but I am screwed because the IP is blocked. Yes, I can go to another computer but it is an annoyance and I may have other things to do.
Collecting physical addresses. For what??? Are you going to visit me? Or start sending me spam letters? Let me guess, more often than not you get addresses with misprints at best and fake ones at worst. In fact, it is much less hassle for me to give you a fake address and not deal with whatever possible spam letters I'll have to recycle in an environment-friendly way. :)
Collecting phone numbers. Again, why shall I trust your site? This is a real story. I gave my phone number to an obscure site, then later I started receiving occasional messages full of nonsense like "hit the fly". Those I simply deleted. Only later and by accident did I discover that I was actually charged 2 euros to receive each of those messages!!! Do I want to get those hassles? Obviously not! So no, buddy, sorry to disappoint but I will not give your site my phone number unless your company is called Facebook or Google. :)
Use signup captcha. I love that :). So what are we trying to achieve here? Will the user who is determined to abuse your service have problems typing in a couple of captchas? I doubt it. But what about the "good user"? Are you aware how annoying captchas are for many users??? What about users with impaired vision? But even without it, most captchas are so bad that they make you feel like you have impaired vision! The best advice I can give - if you care about user experience, avoid captchas like the plague! If you have any doubts, do your online research first!
See here for more discussion about control vs annoyance and here for some more thoughts about being user-friendly.
You have to bind their information to something that is 'real world', as Rubens says. Of course, you also need to be able to verify this information (I can just make up passport numbers all day if you don't check to make sure they're correct).
How do you deliver the money? Perhaps you can index this off the PayPal account, mailing address, or whatever you're sending the money to?
Sometimes the only way to prevent people abusing a system is to not have the system in the first place.
If you're doing what you say you're doing, "giving away money to people", then surprise surprise, there will be tons of people with more time available to try to find ways to game the system than you will have to fix it.
I guess it will never be possible to have an identification system which identifies fake identities that is:
But I think you could prevent users from having too many (to say a quite random number: more than 50) accounts.
You might combine the following approaches:
We had a similar issue recently on our website; it is really a hassle to solve if you are providing a business over a one-time or monthly recurring free credits system.
We have been using a fraud detection solution https://fraudradar.io for a while and that helped us a lot to clean out most of the spam activities. It is pretty customizable with:
I would suggest checking that out.