On Fri, 2008-11-28 at 14:27 -0800, Julien Phalip wrote: > Hi, > > I'm building a rating app, so people can rate any kind of object (e.g. > a video, a news entry, etc.). The rating is done anonymously (there's > no user account on that site) and via an Ajax query. The view > currently only takes one parameter, the rating value (a float), so I > don't think I can use something like Akismet. > > To prevent multiple ratings by the same person, a flag is set in the > session. Obviously it means that the person can rate again if she uses > a different browser or if the session expires, but that's not a big > issue. > > Now, what worries me is potential spam attacks. How can I identify if > the request is from a genuine person or a bot? I started implementing > a system which records IP addresses and prevents anybody to rate twice > from the same IP within a given short time. But if genuine persons are > behind a proxy, IP uniqueness cannot be guaranteed and they may be all > mistaken for a bot.
All you can do are social engineering hacks. There's no way for the web protocol to know and Django doesn't ship with anything like that (since it's an arms race -- what works one day in one scenario doesn't work in other places). You have no way of knowing if submissions from the same IP address are from a bot or a human, so you just have to decide whether to allow those or now. Since major bot attacks rarely come from single IP addresses in any case, it's only a first line of defence (really major attacks are done in distributed form, so they come from multiple locations -- but often isn't an issue for normal sites, since you're miles below the radar for such attackers). Rate limit throttling is one fairly easy way to keep things in line. Maximum number per minute on average (keeping a running moving average value is easy) and maximum number per day, for example. > > Are there some algorithms in Django to cope with this kind of > situations? No, for the reason mentioned above. > Maybe passing some kind of key protection in the URL? Anything automatic isn't going to stop a bot, any more than a human. That's why the effective prevention measures are something unpredictable that a human has to do -- from a CAPTCHA style entry to just entering the word "orange" in a box to solving a mathematics problem. Regards, Malcolm --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/django-users?hl=en -~----------~----~----~----~------~----~------~--~---
