8

I am working on a website that requires a bit of marketing; let me explain.

This website is offering a single, say, iTunes 50$ voucher to a lucky winner.

To be entered in the draw, you need to invite at least one friend (who has to join) to the website. Pretty straightforward.

Now, of course it would be easy for anyone to just create a fake account and invite that account so, I was thinking of some other way to somehow find out of possible cheating.

I was thinking of an IP check on the newly subscribed (invited) user: if the same IP was logged in the last 24 hours, investigate the case further.

But I was thinking that maybe there is a more clever way around this issue. Has anyone ever thought about this? What other solutions did you try?

Thanks in advance.

john smith
  • 183
  • 2
  • 4
    You could explain that the expected value of each subscription is $ 0.0001, but I suppose that would screw up the whole campaign. – ddyer Sep 20 '12 at 23:00
  • @John - This question cannot be answered. There is no answer to this question, because for every solution you implement, I guarantee you I can think of a way around it. For example I can get around it using a FREE VPN Connection to recruit myself twice. – Ramhound Sep 21 '12 at 15:49
  • Same as any other programming solution. As programmers, we know perfectly well that any system, however "safe" it may be, will *always* have a way around it. Then what? We don't produce anything because any system can be evaded? – john smith Sep 21 '12 at 15:59
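The IP check described in the question, as an added example (not code from the original post): it runs over constructed login records and referral pairs, flags an invite for manual review when the invitee's first login came from an IP the inviter used within 24 hours, and treats an IP that many distinct users share (a NAT or Internet cafe, the false-positive case the answers raise) as a weak signal rather than a hit. All names, addresses and thresholds are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data, not from the original post.
# (user, ip, ISO timestamp); the earliest record for a user is taken as their signup.
LOGINS = [
    ("alice",     "203.0.113.10", "2012-09-20T08:00:00"),
    ("alice_bot", "203.0.113.10", "2012-09-20T09:30:00"),  # invitee on inviter's IP, 1.5 h later
    ("bob",       "198.51.100.7", "2012-09-19T10:00:00"),
    ("carol",     "198.51.100.7", "2012-09-21T11:00:00"),  # same IP, but 49 h apart
    ("dan",       "192.0.2.55",   "2012-09-20T12:00:00"),
    ("erin",      "192.0.2.55",   "2012-09-20T12:05:00"),  # campus NAT: many users on one IP
    ("frank",     "192.0.2.55",   "2012-09-20T12:10:00"),
    ("grace",     "192.0.2.55",   "2012-09-20T12:15:00"),
]
REFERRALS = [("alice", "alice_bot"), ("bob", "carol"), ("dan", "erin")]

WINDOW = timedelta(hours=24)    # the 24-hour window from the question
SHARED_IP_USERS = 3             # constructed: this many distinct users on one IP -> treat it as shared


def review_referrals(logins, referrals, window=WINDOW, shared_ip_users=SHARED_IP_USERS):
    """Return {(inviter, invitee): verdict} where verdict is one of
    'ok', 'review', 'shared-ip' or 'no-signup'. Nothing is banned here:
    'review' only means a human should look at the pair."""
    by_user = defaultdict(list)      # user -> [(ip, time)]
    users_on_ip = defaultdict(set)   # ip -> set of distinct users ever seen on it
    for user, ip, ts in logins:
        by_user[user].append((ip, datetime.fromisoformat(ts)))
        users_on_ip[ip].add(user)

    verdicts = {}
    for inviter, invitee in referrals:
        if not by_user[invitee]:
            verdicts[(inviter, invitee)] = "no-signup"
            continue
        signup_ip, signup_at = min(by_user[invitee], key=lambda rec: rec[1])
        # Did the inviter use the invitee's signup IP within the window (either side)?
        overlap = any(ip == signup_ip and abs(signup_at - seen) <= window
                      for ip, seen in by_user[inviter])
        if not overlap:
            verdicts[(inviter, invitee)] = "ok"
        elif len(users_on_ip[signup_ip]) >= shared_ip_users:
            verdicts[(inviter, invitee)] = "shared-ip"   # NAT/cafe: collisions are expected
        else:
            verdicts[(inviter, invitee)] = "review"
    return verdicts


if __name__ == "__main__":
    for pair, verdict in review_referrals(LOGINS, REFERRALS).items():
        print(f"{pair[0]} -> {pair[1]}: {verdict}")
```

The shared-IP threshold is what keeps the heuristic usable: without it, every office or campus signup pair lands in the review queue, which is the false-positive problem the answers describe.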

4 Answers

9

It only works if the account is hard-tied to something valuable and verifiable which uniquely identifies its owner.

Things that don't work:

IP addresses

These are neither unique (think corporate firewalls, internet cafes, reused dynamic IPs on mobile networks, proxies, etc.), nor constant (many internet connections have dynamic IPs, especially mobile). An IP check is also easy to circumvent: most people these days have at least two internet connections available to them (mobile and home, or home and work, etc.), and if you don't, finding a suitable proxy service isn't hard at all. Those still on dialup can just close and re-open their connection, which usually gives them a different IP address. If all else fails, Tor provides a steady stream of ever-changing IP addresses to use.

Cookies

These are ridiculously easy to circumvent - just clear your cookies, and you're good for another fake account.

User agent strings

While user agent strings are interesting bits of information these days, and close to unique, they are just as easy to spoof as cookies and similar information.

Other schemes that rely on the absence of something

All the above have in common that they verify that something does not yet exist, which is easy to bypass by simply removing or changing the thing you're checking against. Whatever you come up with yourself, if it checks that the user does not have something, it will not work. It's like trying to restrict access to a theater by giving everyone who has already been a ticket, and then refusing access to everyone who can produce a valid ticket.

Other services

You could use an account at another service (e.g., OpenID, Facebook, Twitter, etc.), but then you're just shifting the problem - if people can create fake accounts at your site, they can do so at another. E-mail doesn't work either: setting up fake e-mail accounts is just as easy as setting up fake Twitter accounts, if not easier, and the world is full of throwaway-email providers.

Things that might work

Paid accounts.

The safest way is to turn your thing into a paid service; if people have to pay for their accounts, they can't just open dummy accounts. But most likely, you don't want that.

Real-world identification.

Tie accounts to real-world objects. Cellphones work well, as these cost money and can be verified by sending text messages. Credit cards work, too, but they increase the trust threshold - people won't just give you their credit card data as willingly as their cellphone number or e-mail address. You'll also be subject to more restrictive requirements on your end. Passport numbers and social security numbers would be great if only you could verify them; but most likely, you can't. Snail mail would theoretically work, but it would make for a cumbersome registration process, and I'd expect it to scare more people away than what you'd win through the promotion.

Valuable accounts.

If your site has some sort of 'karma' feature (like reputation on Stack Exchange, or karma points on reddit), you can limit the promotion to accounts that have collected a minimum amount of karma points, both on the person spreading it and the new account - for example, a new account may only count after collecting 100 points, and only existing accounts with 1000 points or more would be eligible. This way, building a large number of harvesting accounts would take a lot of effort, and if your karma system actually works, exploiting the promotion only makes your site better. Similar mechanisms can be used for sites that involve content (e.g. a minimum number of uploaded pictures, etc.), but you have to be careful - people can just upload anything, so just the fact that there is content is not enough to make it valuable.

tdammers
  • 52,406
  • 14
  • 106
  • 154
  • You've given me great ideas! What I could do then is the following: allow users to invite as many people as they want, but still in the draw, it will count as one (so that it will be impartial). This way if a user wants more chances, he would have to invite from the newly created (invited) account, and so on. Then, a week after the end of the promotion period, draw only from the people who have logged on in the last week. Do you think this might work? – john smith Sep 21 '12 at 11:42
  • by the way, "valuable accounts" seems to be the way to go! The whole karma thing sounds great for marketing, too. more users with more (and better) content is a great way to enhance the whole experience on the site. – john smith Sep 21 '12 at 14:21
  • 1
    @johnsmith: No, that won't work. If someone can script a bunch of dummy account creations, what's stopping them from also scripting a bunch of dummy account logins and a bit of fake activity? Logging in alone does not create enough value to stop people from abusing it; you need *some* kind of human validation, either directly, or through community moderation (karma), or by linking real-world assets to the account. – tdammers Sep 22 '12 at 09:47
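The karma-threshold eligibility rule from the "Valuable accounts" section, as an added example (not tdammers' code): an inviter enters the draw only if their own karma and at least one invitee's karma clear the 1000/100 thresholds the answer gives, and each inviter gets exactly one entry no matter how many invites qualify, so a chain of scripted dummy accounts with no earned karma produces nothing. The karma values and account names are constructed.

```python
import random

# Thresholds from the answer's example; the data below is constructed, not from the post.
INVITER_MIN_KARMA = 1000
INVITEE_MIN_KARMA = 100

KARMA = {
    "alice": 1500, "carol": 120, "dave": 40,       # alice invited carol (counts) and dave (too new)
    "bob": 2200, "frank": 300, "eve": 90,          # bob invited frank (counts) and eve (not yet)
    "mallory": 1100, "m_fake1": 0, "m_fake2": 5,   # mallory's chain of dummy accounts
}
REFERRALS = [
    ("alice", "carol"), ("alice", "dave"),
    ("bob", "frank"), ("bob", "eve"),
    ("mallory", "m_fake1"), ("mallory", "m_fake2"), ("m_fake1", "m_fake2"),
]


def eligible_entrants(karma, referrals, inviter_min=INVITER_MIN_KARMA, invitee_min=INVITEE_MIN_KARMA):
    """One entry per inviter whose own karma and at least one invitee's karma
    clear the thresholds. Extra qualifying invites do not add entries, so
    scripting more signups buys nothing; only karma earned on the site does."""
    entrants = set()
    for inviter, invitee in referrals:
        if karma.get(inviter, 0) >= inviter_min and karma.get(invitee, 0) >= invitee_min:
            entrants.add(inviter)
    return sorted(entrants)


def draw_winner(entrants, rng=None):
    """Pick the winner with a CSPRNG so the draw itself cannot be predicted."""
    if not entrants:
        return None
    rng = rng or random.SystemRandom()
    return rng.choice(entrants)


if __name__ == "__main__":
    entrants = eligible_entrants(KARMA, REFERRALS)
    print("entrants:", entrants)
    print("winner:", draw_winner(entrants))
```

The point the answer makes shows up in the data: mallory's dummy accounts would only start to count once they had actually earned 100 points each, which is exactly the contribution the site wants.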
8

You Can't

There is absolutely no way to do this.

Look at the amount of spam being pushed around the internet today. Simply put, the people trying to stop spammers are facing an easier task than you. The anti-spammers are looking for robots pretending to be different people. You are looking for people pretending to be different people. The anti-spammers are losing; you have no chance.

You also run the risk of people creating multiple fake accounts each recommending another fake account. So all you need is one jerk (who knows what they are doing) to create hundreds of fake accounts making hundreds of fake recommendations.

If there is a realistic chance this promotion would generate a large amount of junk accounts in your system, I would cancel it.

Also See: How can I prevent users from creating multiple accounts on a web site?

Morons
  • 14,674
  • 4
  • 37
  • 73
  • What if I gave only ONE chance per invite? Like allowing people to invite as many people as they want, but not altering their chances (counting always as if they invited only one person). – john smith Sep 21 '12 at 13:15
  • @johnsmith They could invite a fake person, or they can create 20 fake accounts and have each of those invite another 20 fake accounts. (I'm not saying this will happen, I'm just saying it can. IMHO your reward is too small to push someone to go to this length, but if you were offering $50k I guarantee it will happen.) – Morons Sep 21 '12 at 13:50
  • In the draw, I could pick only the people who connected in the last week (or month). By ending participation a week (or month) before drawing, people who created more than one account would have only one chance (I believe). Only of course if one (and only one) chance has been given to everyone in the first place, as described in my first comment. What do you think? Might I be missing something? I think this might actually work. – john smith Sep 21 '12 at 14:08
  • @johnsmith If that is the "Terms" of the contest, you must state it as such. Running lotteries is no simple task; there are a **TON** of legalities involved. Needless to say, once these terms are public it loses its effectiveness. (I would also like to reiterate that I don't think you will have a problem because of the relatively small incentive offered here.) – Morons Sep 21 '12 at 14:41
  • Can this even be called a lottery? It is free to participate. I don't think it has ever been illegal to give away stuff for free: I am free to give away my things to whoever I want, if he/she is willing to get them. If it is clearly stated or not in the terms, that's another thing of course. I understand that all the rules should be clear. – john smith Sep 21 '12 at 14:57
  • @johnsmith It's NOT free: "bringing in a member" is Consideration (a legal term, look it up). Then consult a lawyer. – Morons Sep 21 '12 at 15:07
  • ouch, didn't think of that! might actually have to cancel the draw for legal issues then! aha! – john smith Sep 21 '12 at 15:17
  • @johnsmith - As others have pointed out. One person could create 100 accounts all linked to one other. You wouldn't be able to determine what accounts were real and what accounts are fake. – Ramhound Sep 21 '12 at 15:52
  • But given the solution I thought of, he would need to be active with all of the created fake accounts (read comments one and three of this answer). – john smith Sep 21 '12 at 16:01
2

I have seen solutions checking IP addresses before. This generally works because most people don't know how to use proxies, or cannot be bothered to. However, users from universities, corporations, Internet cafes, etc., where many people share the same public IP, will be adversely affected. Too many false positives.

Cookies are used in some solutions too. However sophisticated cheaters can usually get around that. False negatives if cheaters know how.

I myself use mobile authentication where users need to enter a code sent to their mobile phone. This prevents the vast majority of cheats, though requires some more infrastructural work.

You can also consider requiring users to log in with Facebook etc., which would largely increase the effort required to cheat.

And after all, displaying a highly visible banner on the entry page stating that if double entry is found all entries from the user will be voided may deter some potential cheaters.

Xeon
  • 109
  • 3
  • Cookies are arguably better since corporate offices routinely NAT a single public IP for the whole office. If someone is going to bother clearing their cookies just to sign up, you're probably dealing with a determined and sufficiently sophisticated user who will try other things, too. – msanford Sep 21 '12 at 01:46
  • Getting around cookies requires no sophistication at all. Just clear your cookies and go again. Or install Web Developer Toolbar or something like that to clear individual cookies. – tdammers Sep 21 '12 at 08:37
  • You are correct, tdammers, clearing cookies is nothing hard for programmers like us. However, not every average computer user knows how. – Xeon Sep 21 '12 at 09:28
  • @Xeon - It's a checkbox in Firefox, IE, and Chrome to clear cookies when the tab is closed. – Ramhound Sep 21 '12 at 15:55
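The mobile-phone step from this answer, as an added example (not Xeon's code): a server-side verifier that normalizes the number so formatting variants collapse to one identity, allows one account per number, issues a random six-digit code with a five-minute lifetime, compares it in constant time, and voids the code after five wrong guesses. The SMS transport is a callable passed in and the clock is injectable (both assumptions so it runs offline); the lifetime and attempt limit are constructed values.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # constructed: a code is valid for five minutes
MAX_ATTEMPTS = 5         # constructed: wrong guesses allowed before the code is voided


class PhoneVerifier:
    """Hypothetical server-side state for SMS one-time codes.

    send_sms(number, code) is the transport (an assumption; a gateway call in
    practice); now() is the clock, injectable so expiry can be tested."""

    def __init__(self, send_sms, now=time.time):
        self.send_sms = send_sms
        self.now = now
        self.pending = {}   # number -> (code, expires_at, attempts_left)
        self.claimed = {}   # number -> user that verified it (one account per number)

    @staticmethod
    def normalize(number):
        """Keep digits only so '+1 (555) 010-0100' and '+1 555 010 0100' are one number."""
        digits = "".join(ch for ch in number if ch.isdigit())
        if not 8 <= len(digits) <= 15:      # E.164 allows at most 15 digits
            raise ValueError("implausible phone number")
        return "+" + digits

    def request_code(self, user, number):
        num = self.normalize(number)
        if self.claimed.get(num, user) != user:
            return "number-already-used"
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, never a predictable counter
        self.pending[num] = (code, self.now() + CODE_TTL_SECONDS, MAX_ATTEMPTS)
        self.send_sms(num, code)
        return "sent"

    def confirm(self, user, number, submitted):
        num = self.normalize(number)
        entry = self.pending.get(num)
        if entry is None:
            return "no-pending-code"
        code, expires_at, attempts_left = entry
        if self.now() > expires_at:
            del self.pending[num]
            return "expired"
        if not hmac.compare_digest(code.encode(), str(submitted).encode()):
            attempts_left -= 1
            if attempts_left <= 0:
                del self.pending[num]            # caller must request a fresh code
                return "locked-out"
            self.pending[num] = (code, expires_at, attempts_left)
            return "wrong-code"
        del self.pending[num]
        if self.claimed.get(num, user) != user:
            return "number-already-used"
        self.claimed[num] = user
        return "verified"
```

The second ownership check inside `confirm` matters: two registrations can have codes pending for the same number at once, and only the first to confirm may claim it. The attempt limit is what keeps a six-digit code from being guessable within its lifetime.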
0

You have to link it to something that's hard to replicate freely. Cash is good. A cellphone text message is also good (one reg code per cell phone number). Of course, you'll scare away a large percentage of your potential subscribers. Or outsource the problem to a bigger web site - use Facebook login and let Facebook decide who is real.

ddyer
  • 4,060
  • 15
  • 18