What techniques can prevent multiple submissions to a competition?

Posted 2024-11-02 16:05:30 · 523 characters · 1 view · 0 comments


The Project

We have a competition coded in PHP, with CodeIgniter. The form has validation on email addresses and mobile numbers. The page itself is hosted inside an iframe on a different domain (it's an agency-client relationship).

The Problem

We get users with 1000s of entries. We know they are fake because:

  1. They use the same mobile number - presumably they figure out a mobile number that passes the validation and then use that every time.
  2. The email addresses are all on weird domains, with some of the domains repeated multiple times.

However, the IP addresses are unique, the entries are spread over a few days, the domains themselves have MX records, the user-agents look normal.

The client doesn't want to do anything which could result in fewer entries.

The Question

What are the pros and cons of methods like Captcha? What UI and code patterns have you used that worked?

One method I read is to allow entries that are suspicious, so that spammers' entries are accepted, but their data has a 'suspicious' flag against it, which is then checked manually. What data can I check to see whether it is suspicious?
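As an added example (not code from the question's CodeIgniter app, and written in Python rather than PHP; the logic ports directly), here is one way to turn the tells listed above into a 'suspicious' flag over a batch of entries: the same mobile number repeated across entries, that number arriving from many distinct IPs, and an unusual email domain repeated many times. The thresholds, the UK-style (+44) number normalization and the list of well-known mail providers are assumptions, and the sample entries are constructed.

```python
"""Batch heuristics for flagging suspicious competition entries.

Added example, not code from the original question or its CodeIgniter app.
Written in Python rather than PHP; the logic ports directly. The thresholds,
the UK (+44) number format and the well-known-provider list are assumptions.
"""
import re
from collections import Counter, defaultdict

MOBILE_REPEAT_THRESHOLD = 3    # assumption: one number on >= 3 entries is suspicious
DOMAIN_REPEAT_THRESHOLD = 5    # assumption: one unusual email domain on >= 5 entries is suspicious
# assumption: big consumer providers legitimately repeat, so they are not a domain tell
WELL_KNOWN_DOMAINS = {"gmail.com", "hotmail.com", "yahoo.com", "outlook.com", "icloud.com"}


def normalize_mobile(raw: str) -> str:
    """Canonicalize so '+44 7700 900123', '07700900123' and '0044-7700-900123'
    all become '447700900123'. Without this, a submitter varying the formatting
    defeats a naive equality check. Assumes UK numbers; adjust per market."""
    digits = re.sub(r"\D", "", raw)
    if digits.startswith("0044"):
        return "44" + digits[4:]
    if digits.startswith("0"):
        return "44" + digits[1:]
    return digits


def email_domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].strip().lower()


def flag_entries(entries):
    """Return {entry_id: [reasons]} for entries that deserve a 'suspicious'
    flag and manual review. The tells in the question (same mobile, repeated
    odd domains, many IPs per mobile) are only visible across the batch, so
    this works on the whole set rather than on one submission at a time."""
    keyed = [(e, normalize_mobile(e["mobile"]), email_domain(e["email"])) for e in entries]
    mobile_counts = Counter(m for _, m, _ in keyed)
    domain_counts = Counter(d for _, _, d in keyed)
    # A real person resubmitting usually comes from one or two IPs; one number
    # arriving from many distinct addresses is the pattern the question describes.
    ips_per_mobile = defaultdict(set)
    for e, m, _ in keyed:
        ips_per_mobile[m].add(e["ip"])

    flags = {}
    for e, m, d in keyed:
        reasons = []
        if mobile_counts[m] >= MOBILE_REPEAT_THRESHOLD:
            reasons.append(f"mobile {m} used on {mobile_counts[m]} entries")
        if len(ips_per_mobile[m]) >= MOBILE_REPEAT_THRESHOLD:
            reasons.append(f"mobile {m} seen from {len(ips_per_mobile[m])} distinct IPs")
        if d not in WELL_KNOWN_DOMAINS and domain_counts[d] >= DOMAIN_REPEAT_THRESHOLD:
            reasons.append(f"email domain {d} on {domain_counts[d]} entries")
        if reasons:
            flags[e["id"]] = reasons
    return flags


# Constructed sample batch: two ordinary entries plus five from a submitter
# reusing one mobile number in different formats, each from a different IP.
SAMPLE_ENTRIES = [
    {"id": 1, "email": "alice@gmail.com", "mobile": "07700 900001", "ip": "198.51.100.10"},
    {"id": 2, "email": "bob@yahoo.com", "mobile": "+44 7700 900002", "ip": "198.51.100.11"},
] + [
    {"id": 10 + i, "email": f"user{i}@promo-mail.example", "mobile": fmt, "ip": f"203.0.113.{i}"}
    for i, fmt in enumerate(
        ["07700900999", "+44 7700 900999", "0044-7700-900999", "+447700900999", "07700 900 999"]
    )
]

if __name__ == "__main__":
    for entry_id, reasons in sorted(flag_entries(SAMPLE_ENTRIES).items()):
        print(entry_id, "; ".join(reasons))
```

Run this as a nightly job over the entries table rather than at submission time: the entry is still accepted (the client loses nothing), but the flagged rows go to a review queue, and the normalized mobile number is what you compare, not the raw string the user typed.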

Comments (3)

老娘不死你永远是小三 2024-11-09 16:05:30


Some methods you could use:

  • Captcha: Stops bots from submitting the form
  • Email Validation: Send them an email with a unique link to activate their competition entry. Stops invalid email addresses.
  • Mobile Number Validation: Send them a text message with an activation code. Stops invalid phone numbers.

In my opinion your approach should not be to prevent submission of entries but to require a level of validation on the details entered.
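The email-link and SMS-code verification this answer recommends, as an added example (not the answer's code or the CodeIgniter app, in Python rather than PHP): the entry is stored as pending, the secrets are delivered out of band, each one is single use and expires, and the SMS code locks after a few wrong guesses. The in-memory dict stands in for the entries table; TTL, code length, attempt cap and the one-active-entry-per-mobile rule are assumptions. That last rule matters for the situation in the question: verifying a number proves the submitter controls it, not that they are a new entrant.

```python
"""Pending-until-verified entries with single-use email tokens and SMS codes.

Added example, not the original CodeIgniter code. An in-memory dict stands in
for the entries table; delivering the email and the SMS is left to the caller.
TTL, code length, attempt cap and one-active-entry-per-mobile are assumptions.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600   # assumption: link and code valid for a day
OTP_DIGITS = 6                  # assumption: SMS code length
OTP_MAX_ATTEMPTS = 5            # assumption: lock the code after 5 wrong guesses


def _h(value: str) -> str:
    # Store hashes only: a leaked table must not let anyone activate entries.
    return hashlib.sha256(value.encode()).hexdigest()


class EntryStore:
    def __init__(self, now=time.time):
        self.now = now
        self.entries = {}

    def submit(self, entry_id, email, mobile):
        """Record the entry as pending and return the secrets the caller must
        deliver out of band: the URL token by email, the code by SMS.
        'mobile' is assumed to be already normalized by the caller."""
        token = secrets.token_urlsafe(32)
        otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.entries[entry_id] = {
            "email": email, "mobile": mobile, "status": "pending",
            "token_hash": _h(token), "otp_hash": _h(otp), "otp_attempts": 0,
            "expires": self.now() + TOKEN_TTL_SECONDS,
            "email_verified": False, "mobile_verified": False,
        }
        return token, otp

    def _live(self, entry_id):
        rec = self.entries.get(entry_id)
        if rec is None or rec["status"] != "pending" or self.now() > rec["expires"]:
            return None
        return rec

    def confirm_email(self, entry_id, token):
        rec = self._live(entry_id)
        if rec is None or rec["token_hash"] is None:
            return False
        if not hmac.compare_digest(rec["token_hash"], _h(token)):
            return False
        rec["email_verified"] = True
        rec["token_hash"] = None          # single use: the link cannot be replayed
        self._maybe_activate(rec)
        return True

    def confirm_mobile(self, entry_id, otp):
        rec = self._live(entry_id)
        if rec is None or rec["otp_hash"] is None or rec["otp_attempts"] >= OTP_MAX_ATTEMPTS:
            return False
        rec["otp_attempts"] += 1          # counted before comparing, so guessing is bounded
        if not hmac.compare_digest(rec["otp_hash"], _h(otp)):
            return False
        rec["mobile_verified"] = True
        rec["otp_hash"] = None
        self._maybe_activate(rec)
        return True

    def _maybe_activate(self, rec):
        if not (rec["email_verified"] and rec["mobile_verified"]):
            return
        # Verification proves control of the number, not a new entrant: the
        # submitter in the question owned its one number. Allow one active
        # entry per mobile and shelve the rest for manual review.
        clash = any(o is not rec and o["status"] == "active" and o["mobile"] == rec["mobile"]
                    for o in self.entries.values())
        rec["status"] = "duplicate" if clash else "active"
```

The entry is accepted at submission time exactly as before, so the client's "no fewer entries" requirement holds; what changes is which entries count. A bulk submitter who can receive SMS on one number still ends up with one active entry and a pile of 'duplicate' ones.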

淡水深流 2024-11-09 16:05:30


CONS of CAPTCHA:

  1. Users hate it, and it can be frustrating when implemented poorly (failed captcha resets other form fields for instance).
  2. Can be difficult for legit users to complete when the letters are hard to read.
  3. Doesn't always work. Someone just scammed Ticketmaster by beating ReCAPTCHA a few months ago for instance*.
  4. Ugly, more code to implement, and it passes the burden or responsibility from you to the users. PROVE YOU ARE HUMAN is not what I want to see when sending a form, very insulting.

@Nick's got the right idea, use text/email validation. IP checking can be OK sometimes, but as you said, you're getting unique IPs with the same mobile number, so it's not reliable.

There are lots of great posts here regarding CAPTCHA alternatives, definitely worth a read if you plan on employing it. You'll probably have to find a balance between making it easy for the user (encouraging submissions) and front end security techniques.

Why though, can't you simply disregard duplicate mobile numbers or phone number + IP combinations? Just because they can submit multiple times doesn't mean you have to accept it. If it is a human, let them think they are sending in multiple votes :)

*Ticketmaster used various means to try to thwart Wiseguy's operation, at one point switching to a service called reCaptcha, which is also used by Facebook. It's a third-party Captcha that feeds a Captcha challenge to a site's visitors. When a customer tries to purchase tickets, Ticketmaster's network sends a unique code to reCaptcha, which then transmits a Captcha challenge to the customer.

But the defendants allegedly were able to thwart this, as well. They wrote a script that impersonated users trying to access Facebook, and downloaded hundreds of thousands of possible Captcha challenges from reCaptcha, prosecutors maintained. They identified the file ID of each Captcha challenge and created a database of Captcha "answers" to correspond to each ID. The bot would then identify the file ID of a challenge at Ticketmaster and feed back the corresponding answer. The bot also mimicked human behavior by occasionally making mistakes in typing the answer, authorities said.
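The attack in the quoted footnote worked because the client could see a stable identifier for the puzzle (its file ID) and the same ID always had the same answer, so a harvested ID-to-answer table replaced solving. As an added example, not from the answer above or from reCaptcha, the code below puts that weak design next to a challenge store that issues a fresh random token per request, bound to one session, expiring, and consumed on first verification. PUZZLES is a constructed three-image pool standing in for a captcha image library, the attacker "solves" by reading it directly (standing in for a human solving farm), and the token format and TTL are assumptions.

```python
"""The lookup-table attack from the Ticketmaster quote, next to a challenge
store that hands out single-use, session-bound tokens.

Added example, not code from the answer above or from reCaptcha. PUZZLES is a
constructed pool standing in for a captcha image library; the attacker reads it
directly in place of a solving farm. Token format and TTL are assumptions.
"""
import hmac
import secrets
import time

CHALLENGE_TTL_SECONDS = 120    # assumption: a challenge must be answered within 2 minutes

# Constructed pool: image file ID -> correct answer.
PUZZLES = {"img-001": "tr4nsit", "img-002": "kn0wn", "img-003": "b3lieve"}


class WeakCaptcha:
    """The design the quote describes: the client is shown the puzzle's own
    file ID, and the same ID always has the same answer."""

    def issue(self):
        return secrets.choice(sorted(PUZZLES))      # client submits (file_id, answer)

    def verify(self, file_id, answer):
        return PUZZLES.get(file_id) == answer


class HardenedCaptcha:
    """Each issue() returns a fresh random token, bound to one session and
    stored server-side with the expected answer; verify() consumes it."""

    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}      # token -> (session_id, answer, expires)

    def issue(self, session_id):
        file_id = secrets.choice(sorted(PUZZLES))
        token = secrets.token_urlsafe(16)
        self.pending[token] = (session_id, PUZZLES[file_id], self.now() + CHALLENGE_TTL_SECONDS)
        return token           # the client never sees file_id

    def verify(self, session_id, token, answer):
        entry = self.pending.pop(token, None)       # consumed on first use, right or wrong
        if entry is None:
            return False
        bound_session, expected, expires = entry
        if bound_session != session_id or self.now() > expires:
            return False
        return hmac.compare_digest(expected.encode(), answer.encode())


def harvest_table(weak):
    """Attacker preprocessing against WeakCaptcha: keep pulling challenges and
    solving each once until no new file ID appears (the quote's 'hundreds of
    thousands' of downloads), giving a file_id -> answer table."""
    table = {}
    while len(table) < len(PUZZLES):
        file_id = weak.issue()
        table[file_id] = PUZZLES[file_id]   # stand-in for solving the image
    return table


def lookup_attack_on_weak():
    weak = WeakCaptcha()
    table = harvest_table(weak)
    fresh = weak.issue()                     # later: a challenge during a real purchase
    return weak.verify(fresh, table[fresh])  # answered from the table, no solving needed


def hardened_outcomes():
    hard = HardenedCaptcha()
    tok = hard.issue("attacker-session")
    answer = hard.pending[tok][1]
    cross_session = hard.verify("victim-session", tok, answer)   # bound to another session
    tok2 = hard.issue("attacker-session")
    answer2 = hard.pending[tok2][1]
    first_use = hard.verify("attacker-session", tok2, answer2)
    replay = hard.verify("attacker-session", tok2, answer2)      # already consumed
    return cross_session, first_use, replay
```

What the random token buys is narrow: it removes the stable identifier and the replay, so a harvested (token, answer) pair is worthless to anyone else and worthless twice. It does not stop a bot from keying its table by a hash of the image bytes instead of the file ID, so the puzzle pool itself has to be effectively unbounded (generated per request) rather than a finite library, which is the part of the Ticketmaster setup the attackers really exploited.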

独享拥抱 2024-11-09 16:05:30


Captcha is perfect for spam protection, while confusing people very often.

But there is a workaround - you can use JavaScript to hide the captcha for real users (using browsers with JavaScript turned ON) while it will always be "visible" for spam bots (that do not have JS). It's quite simple - just by using JS you set the div where the captcha is held to display:none, and create a hidden input with a value containing the one from the captcha image...

The strongest approach may be email validation - but then it sometimes means rewriting the application. If a user submits his reply, you register it as not active and send him a validation email to the email address provided. If it is valid, after clicking on the link he will validate his email answer and you can turn his reply to status active...

Also a good workaround for users to prevent the re-submitting of forms on refresh is to redirect users to that same page after the form is submitted and processed... Yes, it takes a second or two longer to view the result, but it's much safer...
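The server side of the "no friction for humans" idea and of the redirect-after-POST pattern in this answer, as an added example (not the answer's code or the CodeIgniter app, in Python rather than PHP): a honeypot field that humans never see and so never fill, a signed "form issued at" timestamp so a script that posts within a second of fetching the page is rejected and cannot back-date itself, and a one-shot form nonce that also catches the refresh double-submit. Unlike the variant described above, nothing secret such as a captcha answer is placed in the page, because anything in the DOM is readable by a script. Field names, key handling, the minimum fill time and the form TTL are assumptions.

```python
"""Server-side bot checks for a competition form post: honeypot field, signed
form-age timestamp, and a one-shot form nonce that also stops refresh double-submits.

Added example, not code from the answer above or the CodeIgniter app. Field
names, the in-process key, minimum fill time and form TTL are assumptions.
"""
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)     # assumption: per-deployment secret, never sent to clients
HONEYPOT_FIELD = "website"               # assumption: hidden from humans via CSS, not type=hidden
MIN_FILL_SECONDS = 3                     # assumption: a human needs longer than this
MAX_FORM_AGE_SECONDS = 3600              # assumption: a rendered form is valid for an hour


def _sign(msg: str) -> str:
    return hmac.new(SERVER_KEY, msg.encode(), hashlib.sha256).hexdigest()


class FormGuard:
    def __init__(self, now=time.time):
        self.now = now
        self.used_nonces = set()     # one-shot; in production a cache/table with expiry

    def render_hidden_fields(self):
        """Values the server embeds when rendering the form. The timestamp and
        nonce are signed so a client cannot back-date the form or mint nonces."""
        issued = str(int(self.now()))
        nonce = secrets.token_urlsafe(16)
        return {
            "form_issued": issued,
            "form_nonce": nonce,
            "form_sig": _sign(f"{issued}.{nonce}"),
            HONEYPOT_FIELD: "",          # rendered empty; bots filling every input trip it
        }

    def check(self, post):
        """Return (accepted, reason). The caller redirects (POST -> GET) on either
        outcome so a browser refresh re-renders the page instead of re-posting."""
        issued = post.get("form_issued", "")
        nonce = post.get("form_nonce", "")
        sig = post.get("form_sig", "")
        if not hmac.compare_digest(sig.encode(), _sign(f"{issued}.{nonce}").encode()):
            return False, "bad signature"
        # Nonce is consumed before any other decision: a second post with the same
        # rendered form (refresh, back button, or replay) is rejected regardless.
        if nonce in self.used_nonces:
            return False, "form token already used"
        self.used_nonces.add(nonce)
        age = self.now() - int(issued)   # issued is server-signed, so it is numeric
        if age > MAX_FORM_AGE_SECONDS:
            return False, "form expired"
        if age < MIN_FILL_SECONDS:
            return False, "submitted too fast"
        if post.get(HONEYPOT_FIELD, ""):
            return False, "honeypot filled"
        return True, "ok"
```

Rejections here can still be recorded as entries with the 'suspicious' flag the question asks about rather than shown as errors, so the submitter sees the same thank-you page either way and the client's entry count is unaffected; only the counted set changes.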
