
Caching proxy servers... catching users who manipulate IP's

Posted: Fri Dec 16, 2005 5:36 pm
by sbskater10
Hello,

A website I run has a function that adds a count to a page once a day per IP. This is used to help determine the payout for the user.

The problem is if someone is using one of the proxy IP programs they can change their IP and keep refreshing the page. This is fraud and is not permitted, so I would like to stop it as best I can.

I understand there most likely isn't a 100% rock solid solution to this, but even eliminating some of these people would be very helpful.

Thanks,

Jason

Posted: Fri Dec 16, 2005 6:12 pm
by Ambush Commander
Hmmm...

* Tie users to sessions
* Run analysis programs to help determine fraud
* Analyze the request headers (i.e. User Agent)

Posted: Sat Dec 17, 2005 2:52 am
by Maugrim_The_Reaper
See above...

The problem is that IPs are not a unique identifier of users. I know that's the common perception - but it's completely false. You should tie a user to a unique session id (this is passed from their Cookie no matter how they change their IP). The problem with this is that they could simply delete the cookie for your site's domain on every request. Unfortunately User Agent is little better.

At best, these will limit the impact of proxies, since most users will be unaware of how or why deleting cookies and changing their user agent strings is necessary to prevent them being recognised even after switching IPs.

That leaves analysis. You need to keep track of unusual levels of unique clicks. Perhaps set an upper limit above which you will get notified by the PHP application, either email or just some log entry stored on a database you can review.

You can also attempt to block the use of anonymous proxies - quite a few ways of doing that. If you do follow that route and scan for known public proxies - I would suggest you be aware that there are legitimate public proxy users (it seems endemic in Australia for reasons unknown...)

As you can see - there's no easy solution. Anything that requires unique clicks can be tampered with to one degree or another. There are a number of gaming sites which have simply given up and allow people to publicise automatic clicker programs in Java or other. KingsOfChaos.com is an obvious example - games there are skewed towards whoever is aware of clicker programs and knows where to find them - there are even two purpose built clicker bots for that one game!
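
An added example, not part of any post in this thread: a sketch of the session tie and the upper-limit analysis suggested above, run over a constructed click log. The log layout, the `analyze` function and both thresholds are assumptions made for illustration; a real site would read these rows from its own request log or database.

```python
from collections import defaultdict

# Constructed sample log: (day, page, ip, session_id, user_agent).
# All values are made up; the addresses are from documentation ranges.
SAMPLE_CLICKS = [
    ("2005-12-16", "page-a", "192.0.2.10", "s1", "Firefox/1.5"),
    ("2005-12-16", "page-a", "192.0.2.10", "s1", "Firefox/1.5"),  # plain refresh
    ("2005-12-16", "page-a", "198.51.100.7", "s2", "MSIE 6.0"),
    ("2005-12-16", "page-b", "203.0.113.1", "s9", "Opera/8.5"),
    ("2005-12-16", "page-b", "203.0.113.2", "s9", "Opera/8.5"),   # same cookie, new IP
    ("2005-12-16", "page-b", "203.0.113.3", "s9", "Opera/8.5"),
    ("2005-12-16", "page-b", "203.0.113.4", None, "Opera/8.5"),   # no cookie sent
    ("2005-12-16", "page-b", "203.0.113.5", None, "Opera/8.5"),
]

def analyze(clicks, max_unique_ips=4, max_ips_per_session=2):
    """Return (counts, flags), both keyed by (day, page)."""
    all_ips = defaultdict(set)           # every IP seen, counted or not
    counted_ips = defaultdict(set)       # IPs that already earned a count
    counted_sessions = defaultdict(set)  # sessions that already earned a count
    session_ips = defaultdict(set)       # (day, page, session) -> IPs
    counts = defaultdict(int)
    flags = defaultdict(set)
    for day, page, ip, session, _agent in clicks:
        key = (day, page)
        all_ips[key].add(ip)
        # Upper limit: flag the page for manual review, do not block.
        if len(all_ips[key]) > max_unique_ips:
            flags[key].add("unusual number of unique IPs")
        if session is not None:
            session_ips[key + (session,)].add(ip)
            if len(session_ips[key + (session,)]) > max_ips_per_session:
                flags[key].add("session seen from several IPs")
        # A click counts only if both its IP and its session are new today.
        if ip in counted_ips[key] or session in counted_sessions[key]:
            continue
        counted_ips[key].add(ip)
        if session is not None:
            counted_sessions[key].add(session)
        counts[key] += 1
    return dict(counts), dict(flags)

if __name__ == "__main__":
    counts, flags = analyze(SAMPLE_CLICKS)
    for key in sorted(counts):
        print(key, counts[key], sorted(flags.get(key, [])))
```

Clicks sent without the cookie still count once per IP, which is why the flags go to a reviewer instead of being used to reject clicks automatically.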