
Last Blogger


PayPerPost Bot Problems

August 10th, 2007 · 4 Comments

I was right! I wrote about how PayPerPost was starting to feel like a first person shooter. Here’s an excerpt:

It almost feels like there are a bunch of people running bots out there, automatically snatching up the ops for their owners.

Well, yesterday came confirmation of my suspicions. It seems PayPerPost has been battling bots for a while now. They’re now giving up the manual intervention strategy and are going to require a captcha whenever someone tries to take an op. There’s just one problem with that strategy. Captchas don’t work.

In one of the comments on the PPP post, you’ll find a link to an article that describes an off-the-shelf program that defeats most captchas. Given that the only reason you’d use a bot on PPP is to earn more money, the minor up-front investment would be well worth it. The thing is, though, that’s off-the-shelf software. When was the last time you found the good pirate/ninja/Chuck Norris material on the shelf? There are quite likely far more advanced tools floating around in the nefarious regions of the Internet.

So what’s the answer? Profiling. Bots leave a footprint when they’re trying desperately to be the first to get something from a page. They’re normally very blunt instruments and evidence of their use can readily be found. Since they’ve been banning bots for a while, they should have data to start building their profile. I’m sure you’re thinking, “Why wouldn’t the bot owners slow it down, make it more random to avoid being profiled?” That’s a great question.

The reason circumventing a good profiler won’t work isn’t that the profiler will still catch the bot. If a bot behaves like a human, there’s no way to tell it’s a bot. But if a bot is behaving like a human, you’ve negated the advantage of using a bot. The problem isn’t so much that people are using bots, it’s that bots are giving people an unfair advantage. While the ideal scenario has no one using bots at all, getting to a point where using a bot is no longer an advantage is a nice intermediate goal. Users will feel less cheated and the cheaters really won’t gain anything by using their unfair advantage.

So that’s the answer. How do you profile a bot? Well, that’s a bit more complicated. It’s not easy but it’s very possible, especially in this case since the bot must be aggressive in order to succeed.


4 responses so far ↓

  • 1 Ian // Aug 10, 2007 at 4:35 pm

    The response to that is to have bots pretending to be many humans, thereby letting them hammer the server all day long.

    A perfect solution isn’t needed, just one that raises the bar. A decent captcha will weed out the lesser abusers. That should make it easier to track and identify the ones remaining and deal with them.

    When has a technological arms race ever ended well? A captcha will probably be fine. Many captchas will probably be better. A smarter captcha (i.e. identify all the pictures that are dogs) would be better still.

    … and so on and so forth.

  • 2 Marc // Aug 10, 2007 at 8:33 pm

    Normally that would work, but we’re dealing with an authenticated system here. They would all be traced back to the same username regardless of what IPs they came from. That being said, you raise an excellent point in that no system will be perfect.

  • 3 Ian // Aug 10, 2007 at 11:42 pm

    If it’s an authenticated system, then just rate limit users. Reload more than X times in Y minutes? Flag the account. Repeated flag = ban.

  • 4 Marc // Aug 11, 2007 at 1:20 pm

    That could be a solution too. A little more manual since legitimate people would likely be flagged often enough due to the nature of the system. But it certainly could work.
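
The per-account rule from comment 3 (more than X reloads in Y minutes flags the account, repeated flags ban it), as an added example that is not part of the original post or its comments. The values for X, Y and the number of flags before a ban, the class and function names, and the sample log are all assumptions made for illustration.

```python
from collections import defaultdict, deque

MAX_RELOADS = 5        # X: assumed value, the thread gives no number
WINDOW_SECONDS = 120   # Y: assumed value (2 minutes)
FLAGS_BEFORE_BAN = 3   # assumed reading of "repeated flag"

class ReloadMonitor:
    """Counts reloads per authenticated username, so changing IPs does not help."""
    def __init__(self):
        self.recent = defaultdict(deque)  # username -> reload times inside the window
        self.flags = defaultdict(int)     # username -> flags raised so far
        self.banned = set()

    def record(self, username, ts):
        """Record one reload at ts (seconds); return 'ok', 'flag' or 'banned'."""
        if username in self.banned:
            return "banned"
        window = self.recent[username]
        window.append(ts)
        # Slide the window: forget reloads older than WINDOW_SECONDS.
        while window[0] <= ts - WINDOW_SECONDS:
            window.popleft()
        if len(window) <= MAX_RELOADS:
            return "ok"
        # Over the limit: raise one flag and start a fresh window, so a single
        # burst is not flagged again on every following request.
        window.clear()
        self.flags[username] += 1
        if self.flags[username] >= FLAGS_BEFORE_BAN:
            self.banned.add(username)
            return "banned"
        return "flag"

def replay(events):
    """Replay (timestamp, username) pairs; return (last result per user, flag counts)."""
    monitor = ReloadMonitor()
    state = {}
    for ts, user in sorted(events):
        state[user] = monitor.record(user, ts)
    return state, dict(monitor.flags)

# Constructed sample log: 'fastbot' reloads every 2 s, 'eager_human' every 15 s,
# 'casual' once a minute.
SAMPLE = ([(t, "fastbot") for t in range(0, 60, 2)]
          + [(t, "eager_human") for t in range(0, 150, 15)]
          + [(t, "casual") for t in range(0, 600, 60)])

if __name__ == "__main__":
    print(replay(SAMPLE))
```

On the sample, fastbot is banned on its third flag, while eager_human collects one flag and casual none, which is the false-positive cost raised in comment 4.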
