So... after we implemented Captcha on the voting site. Still people hammered it with votes... obviously since any sort of voting system without any form of authentication control is flawed. So we gave in to the customer and implemented another restriction ontop of the Captcha one. We included a restriction that only one vote can be received from any one IP for a given duration. As we wondered about what duration to implement I reminded the team that the competition is targeted for college students, therefore their friends would be
spamming honestly voting for them in the computer labs, which since there's no way a college or instituition would normally have any reason to have more than one outward bound IP to serve the students.
Therefore if we put in a long limit it'd be a deterant to the competition. But if we put in too short a limit... well we'd be right back where we started. Anyway we put in a time limit which I felt wasn't good enough to deter spamming but it stop votes from skyrocketing to incredible numbers which was what the client didn't like to see. So they stopped worrying and we just bowed our heads down hoping that no one figures out what we did.
Now when I think about it, if there where multiple contestants from the same college and Contestant A's friends are quicker on the vote button than Contestant B's. There'd be a denial of service to vote for Contestant B.. hmmmmm.... interesting.
Oh in case you're wondering why is it that I didn't implement any form of user signup/identification process and have to rely on such methods like cookies and IP filtering for votes? The customer wanted it to be EASY and CONVINIENT to vote, hence... NO LOGIN required for voting!!
In any case, I feel asking the general population to vote and choose who's the best singer/actor/artist never works out. Look at American Idol, so many of the candidates that the judges feel had talent and skill got voted out... so what does that leave us with?
So.. Friday evening while I'm sitting at home finishing up some work I get an email from the project manager, it was a mail from the client. Someone had complained to them that IP addressses could be changed and my PM just wanted confirmation of how that could be done? Well I could think of a few things off my head.. public proxies... redialiing StreamyX.. annynoumous gateways.. etc. etc.
I have a feeling we are going to be asked to make changes again... This time I'll most likely use the technique which I was discussing with my team previously before we went with the IP filtering alternative, the client didn't like the idea cause it's too tedious on the voter's part to vote. But.. that's exactly how you deter people from spaming an online voting box, you either make it easy to track them down (via registration or identification) or make it more TEDIOUS to submit a vote other than just pressing a button.
If the client still doesn't want to go with that idea and still refuses to use voter registration, I'm totally out of ideas then!