How to prevent the most number of cheaters for polls?

Question

On my website we run a contest system and users vote for other user's content. We recently caught someone creating multiple accounts to vote multiple times (consecutive id numbers, and votes within a couple minutes). We would like to prevent that from happening again. Judging how Times handled their "Most Influential Person of the Century" poll, even the big guys get it wrong.

Currently we log User ID's, vote date, and IPv4 addresses (via $_SERVER['REMOTE_ADDR']).

What things can I do to prevent or make it more difficult for someone to vote fraudulently?

Answer 1

Require user reputation. If you associate the right to vote with an user that has to have a certain reputation (i.e. by participating in your community for a certain time, and providing meaningful content), it becomes increasingly difficult for someone to automate the process of creating multiple identities.

In the end it is a balance between sufficient authentication, ease of access, and the value of the result (for you and the user) - and how you present the results.

Answer 2

Unfortunately it is very difficult to prevent fraudulent voting, when there is a will there is a way. However it is all about making it as inconvenient as possible to cheat the system.

Do your accounts require a unique email address with verification before you can use the account?

How often can users vote? If it is only once or once a day you could send off an email to verify the vote, this however could become a pain for legitimate users.

Not sure about the scale of the website, however when you begin talking about extremely large website such as Time's poll it is hard just to judge if consecutive votes are fake by looking at the IP address. Colleges and offices can often have hundreds of people on the same IP address. It is difficult to tell if it is one person behind the votes or if one person is going around to all of his/her friends on the dorm floor telling them to vote (can explain fresh signup/votes from the same IP address all around the same time).

There really is no answer to this question, just keep monitoring logs and remove votes which don't look legit.

Answer 3

As you are already doing, track IP addresses, along with vote times and disallow multiple votes from the same IP in the same time frame. This is only going to affect a few college students at most.

Another easier way to do this with secure voting is to force an email registration and confirmation. Some bot/spam site can still get around this by having their own domain, however you can then block domain registrations and voting from that site. This is the "most annoying" however most time consuming therefore leading to the least likely, in combination with IP addresses, to lead to heavy cheating.

The thing to remember is you aren't going to prevent all cheaters to your system, you can however mitigate them.

Answer 4

Using IPv4 address, with browser signature ($_SERVER['HTTP_USER_AGENT']) hash.

If the vote come from different user, but in the same IP address, with the same browser, in a close timeframe window, it is probably a fraud.

If the time is too close, leading to an automated process, a captcha would solve it (but no one likes captcha on polls).

Answer 5

I would use a combination of IP address vote throttling and cookies. Yeah cookies can be deleted but that'll stop the malicious type of person who also happens to be an idiot.

The IP address throttling will check if someone from that IP address has voted recently (say 10 minutes, whatever you think is fair depending on demographics or number of people voting from large organisation on the same IP address) and stop the vote being counted.

Combine those 2 with your use of User ID's already and it's as much as you can do realistically.