可能没有一个神奇的银弹来照顾机器人，但这些建议的组合可能有助于阻止他们，并将他们减少到一个更易于管理的数量。 如果您需要对这些建议进行任何澄清，请告诉我:

Any images that depict the item should be either always the same image name (such as "current_item.jpg") or should be a random name that changes for each request. The server should know what the current item is and will deliver the appropriate image. This image should also have a random amount of padding to reduce bots comparing image sizes. (Possibly changing a watermark of some sort to deter more sophisticated bots). Remove the ALT text from these images. This text is usually redundant information that can be found elsewhere on the pages, or make them generic alt text (such as "Current item image would be here"). The description could change each time a Bag of Crap comes up. It could rotate (randomly) between a number of different names: "Random Crap", "BoC", "Crappy Crap", etc... Woot could also offer more items at the "Random Crap" price, or have the price be a random amount between $0.95 and $1.05 (only change price once for each time the Crap comes up, not for each user, for fairness) The Price, Description, and other areas that differentiate a BoC from other Woots could be images instead of text. These fields could also be Java (not javaScript) or Flash. While dependent on a third-party plug-in, it would make it more difficult for the bots to scrape your site in a useful manner. Using a combination of Images, Java, Flash, and maybe other technologies would be another way to make it more difficult for the bots. This would be a little more difficult to manage, as administrators would have to know many different platforms. There are other ways to obfuscate this information. Using a combination of client-side scripting (javascript, etc) and server-side obfuscation (random image names) would be the most likely way to do it without affecting the user experience. Adding some obfuscating Java and/or Flash, or similar would make it more difficult, while possibly minimally impacting some users. Combine some of these tactics with some that were mentioned above: if a page is reloaded more than x times per minute, then change the image name (if you had a static image name suggested above), or give them a two minute old cached page. There are some very sophisticated things you could do on the back end with user behavior tracking that might not take too much processing. You could off-load that work to a dedicated server to minimize the performance impact. Take some data from the request and send it to a dedicated server that can process that data. If it finds a suspected bot, based on its behavior, it can send a hook to another server (front end routing firewall, server, router, etc OR back-end web or content server) to add some additional security to these users. maybe add Java applets for these users, or require additional information from the user (do not pre-fill all fields in the order page, making a different field empty each time randomly, etc).

2件事:

服务器层解决方案:mod_eveful(如果你使用apache)

http://www.zdziarski.com/projects/mod_evasive/

前端解决方案:反向验证码，或其他非侵入式验证码

http://www.ccs.uottawa.ca/webmaster/reverse-captcha.html

以下是我的看法。攻击机器人所有者的投资回报率，这样他们就会做你想让他们做的合法事情，而不是欺骗。让我们从他们的角度来看。他们的资产是什么?显然，无数的一次性机器、IP地址，甚至可能还有大量不熟练的人愿意做无聊的工作。他们想要什么?总是在其他合法的人得到它之前得到你提供的特别交易。

The good news is that they only have a limited window of time in which to win the race. And what I don't think they have is an unlimited number of smart people who are on call to reverse engineer your site at the moment you unleash a deal. So if you can make them jump through a specific hoop that is hard for them to figure out, but automatic for your legitimate customers (they won't even know it's there), you can delay their efforts just enough that they get beat by the massive number of real people who are just dying to get your hot deal.

The first step is to make your notion of authentication non-binary, by which I mean that, for any given user, you have a probability assigned to them that they are a real person or a bot. You can use a number of hints to build up this probability, many of which have been discussed already on this thread: suspicious rate activity, IP addresses, foreign country geolocation, cookies, etc. My favorite is to just pay attention to the exact version of windows they are using. More importantly, you can give your long-term customers a clear way to authenticate with strong hints: by engaging with the site, making purchases, contributing to forums, etc. It's not required that you do those things, but if you do then you'll have a slight advantage when it comes time to see special deals.

Whenever you are called upon to make an authentication decision, use this probability to make the computer you're talking to do more-or-less work before you will give them what they want. For example, perhaps some javascript on your site requires the client to perform a computationally expensive task in the background, and only when that task completes will you let them know about the special deal. For a regular customer, this can be pretty quick and painless, but for a scammer it means they need a lot more computers to maintain constant coverage (since each computer has to do more work). Then you can use your probability score from above to increase the amount of work they have to do.

To make sure this delay doesn't cause any fairness problems, I'd recommend making it be some kind of encryption task that includes the current time of day from the person's computer. Since the scammer doesn't know what time the deal will start, he can't just make something up, he has to use something close to the real time of day (you can ignore any requests that claim to come in before the deal started). Then you can use these times to adjust the first-come-first-served rule, without the real people ever having to know anything about it.

The last idea is to change the algorithm required to generate the work whenever you post a new deal (and at random other times). Every time you do that, normal humans will be unaffected, but bots will stop working. They'll have to get a human to get to work on the reverse-engineering, which hopefully will take longer than your deal window. Even better is if you never tell them if they submitted the right result, so that they don't get any kind of alert that they are doing things wrong. To defeat this solution, they will have to actually automate a real browser (or at least a real javascript interpreter) and then you are really jacking up the cost of scamming. Plus, with a real browser, you can do tricks like those suggested elsewhere in this thread like timing the keystrokes of each entry and looking for other suspicious behaviors.

So for anyone who you know you've seen before (a common IP, session, cookie, etc) you have a way to make each request a little more expensive. That means the scammers will want to always present you with your hardest case - a brand-new computer/browser/IP combo that you've never seen before. But by putting some extra work into being able to even know if they have the bot working right, you force them to waste a lot of these precious resources. Although they may really have an infinite number, generating them is not without cost, and again you are driving up the cost part of their ROI equation. Eventually, it'll be more profitable for them to just do what you want :)

希望这对你们有帮助，

Eric

大多数纯技术解决方案已经提供。因此，我将提出这个问题的另一种看法。

据我所知，这些机器人是由真正想买你卖的包的人设置的。问题是——

其他不操作机器人的人应该有购买的机会，而你提供的是有限数量的包。 你想要吸引人们到你的网站，而只是销售包包。

你可以让潜在的包包买家订阅电子邮件，甚至短信更新，以便在交易发生时收到通知，而不是试图避开机器人。你甚至可以给他们一到两分钟的时间(一个销售开始的特殊URL，随机生成，并随邮件/短信发送)。

当这些买家去购买他们在你的网站上，你可以向他们展示你想要的任何东西。那些运行机器人将更喜欢简单地注册到您的通知服务。

机器人运行者可能仍然会在你的通知中运行机器人以更快地完成购买。一些解决方案可以提供一键购买。

顺便说一下，你提到你的用户不是注册的，但听起来那些购买这些包的人不是随机的买家，而是期待这些销售的人。因此，他们可能愿意注册，以便在试图“赢得”一个包时获得优势。

从本质上讲，我的建议是试着把这个问题看作一个社会问题，而不是一个技术问题。

Asaf

这里最重要的事情是改变系统，从你的服务器上移除负载，防止机器人在不让奶瓶商知道你在和他们玩游戏的情况下赢得这袋垃圾，否则他们会修改他们的策略。我认为如果你们不进行一些处理，就没有办法做到这一点。

So you record hits on your home page. Whenever someone hits the page that connection is compared to its last hit, and if it was too quick then it is sent a version of the page without the offer. This can be done by some sort of load balancing mechanism that sends bots (the hits that are too fast) to a server that simply serves cached versions of your home page; real people get sent to the good server. This takes the load off the main server and makes the bots think that they are still being served the pages correctly.

如果这个提议能以某种方式被拒绝就更好了。然后你仍然可以在假服务器上提供报价，但当机器人填写表格时，说“对不起，你不够快”:)然后他们肯定会认为他们还在游戏中。

将道具卖给非脚本人。 保持网站运行的速度不被机器人减慢。 不要让“正常”用户完成任何任务来证明他们是人类。

你可能不想听这个，但是第一条和第三条是相互排斥的。

Well, nobody knows you're a bot either. There's no programatic way to tell the whether or not there's a human on the other end of the connection without requiring the person to do something. Preventing scripts/bots from doing stuff on the web is the whole reason CAPTCHAs were invented. It's not like this is some new problem that hasn't seen a lot of effort expended on it. If there were a better way to do it, one that didn't involve the hassle to real users that a CAPTCHA does, everyone would be using it already.

我认为你需要面对这样一个事实，如果你想让机器人远离你的订购页面，一个好的验证码是唯一的方法。如果对你的随机垃圾的需求足够高，人们愿意付出这些代价来获得它，合法用户就不会被验证码吓跑。