Cheat Protection Information

Introduction

AutoRank PHP has several methods of cheat protection including complete IP tracking, the gateway page, gateway page sessions, and cookies. Here we will discuss how they work, and what type of cheating they prevent. We will also discuss the cheat log so you can understand how to interpret it.

Complete IP Tracking

The first method of cheat protection is complete IP tracking. Put simply, a log of IP addresses is kept for each member. Each time a new click is sent, the script checks the IP logs to see if that IP has clicked through before. If it has, the click is not counted and a cheat is (optionally) recorded in the cheat log. In the Edit Options interface you can tell the software how often it should clear the IP logs. If you only want one hit per IP per day, set that value to 86400. To keep the software execution times and server load low, we recommend that you clear the IP logs at least once each day.

Gateway Page

The next cheat prevention mechanism is the gateway page. This creates a gateway page on your server that surfers must click through in order for a hit to be processed. Using this will protect you from <img> tag cheaters. For example, some cheaters will attempt to insert a link to the in.php script in an image tag:

<img src="http://www.yoursite.com/top100/in.php?id=username" height="1" width="1">

This will create an invisible image on the cheater's page, which will load the hit tracking script each time someone visits that page. Without the gateway page, the hits would be counted, and this account would go up in the rankings without even sending visitors to your site. This type of cheat can be done with other types of HTML tags, so we highly recommend that all users enable the gateway page.

Gateway Sessions

If you have the gateway page enabled, it will keep track of sessions. Each time the gateway page is displayed, a new, unique, session will be generated. You will be able to set the amount of time that session is valid for. Once a surfer has clicked on a link to your site, they will have a certain number of seconds to click on the gateway page link before the session expires. If the session expires before they click, the hit will not be counted. If the session does not expire before they click, the hit will be counted. We recommend that you keep the expire time around 45 seconds.

Sessions assist the gateway page to make sure that no HTML tag cheats are being used, and also make it more difficult for automated programs to fool the system. In previous versions, and in most other top site scripts, the HTTP_REFERER information is used to check that the surfer is coming from a valid URL. The problem with this is that the HTTP_REFERER value is supplied by the client and can be very easily spoofed, so the server will be tricked into thinking the surfer came from a URL which they really did not. This allows an automated program to circumvent the gateway page. With sessions this is not possible: a valid session must be created, and that can only be done by visiting the gateway page.
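
The session check described above can be sketched as follows. This is an added example, not AutoRank PHP's own code: the class and method names are hypothetical, the in-memory array stands in for whatever storage the script really uses, and making each session single-use and bound to one account is an assumption.

```php
<?php
// Added example: server-side gateway sessions (hypothetical names).
// The decision never looks at HTTP_REFERER; only a token that the
// gateway page itself issued can make a hit count.

final class GatewaySessions
{
    /** @var array<string,array{member:string,issued:int}> open sessions */
    private array $open = [];

    public function __construct(private int $ttl = 45) {}

    // Called only while rendering the gateway page for $member.
    public function issue(string $member, int $now): string
    {
        $token = bin2hex(random_bytes(16)); // unguessable, unique per page view
        $this->open[$token] = ['member' => $member, 'issued' => $now];
        return $token;
    }

    // Called when the surfer clicks the gateway link. Returns a reason
    // string that the caller can count on or write to the cheat log.
    public function redeem(string $token, string $member, int $now): string
    {
        if (!isset($this->open[$token])) {
            return 'no-session';        // never issued, or already used
        }
        $session = $this->open[$token];
        unset($this->open[$token]);     // single use, whatever the outcome
        if ($session['member'] !== $member) {
            return 'wrong-member';      // issued for a different account
        }
        if ($now - $session['issued'] > $this->ttl) {
            return 'expired';           // surfer took longer than the TTL
        }
        return 'counted';
    }
}

// Constructed walk-through with a fixed clock (seconds).
$gateway = new GatewaySessions(45);
$token = $gateway->issue('username', 1000);
echo $gateway->redeem($token, 'username', 1020), "\n"; // click after 20 s
echo $gateway->redeem($token, 'username', 1021), "\n"; // same token again
$late = $gateway->issue('username', 1000);
echo $gateway->redeem($late, 'username', 1046), "\n";  // click after 46 s
echo $gateway->redeem('', 'username', 1000), "\n";     // hit with no token
```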

Cookies

Cookies are very similar to the IP tracking, but are not as reliable. When someone clicks on a link to your site through in.php, a cookie will be set in their browser. You will tell the software how long this cookie should last. If the same browser is used to click through again for the same account, the hit will not be counted.

Some of the drawbacks of cookies are that they can be easily spoofed, they can be deleted easily, and not all browsers have cookies enabled. While this is the weakest of the cheat protections, it will still assist you in getting the most accurate hit count possible. It is very quick to set and check cookies, so we recommend all users enable them. Generally, expire times will be set to one day.

Proxy Checking

What this does is look at the HTTP headers sent with a request to determine if the surfer is using a proxy to make the request. If the headers are there, the hit is ignored. Please note that this is not 100% effective against proxy servers. In our research we found that only about 60% of proxy servers send the extra HTTP headers that are required to determine if it is a proxy server. We will be continuing the effort to eliminate proxy cheating with further improvements in future versions.

Why block proxy servers? Using proxy servers is a way that many automated hitbots will use to increase their hit count. Using a different proxy server for each hit will change the IP address of the hitbot, and the software will think that it is coming from a new user. Because there are many publicly accessible proxy servers, obtaining a large number of unique IP addresses is possible - hitbots can theoretically produce several thousand false hits per day using public proxy servers.

What about valid proxy requests? Some ISPs today do use proxy servers, which means that if you enable the proxy filtering some valid hits will not be counted. This is a side effect of the proxy filtering, but we feel that you would rather block out a few valid hits in order to protect yourself from hundreds or thousands of invalid hits. This may lower your overall total in hit count, but the distribution should be fairly even over all of your members, thus giving a fair ranking result.
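
The following added example, which is not AutoRank PHP's own code, combines the per-member IP log from the Complete IP Tracking section with the proxy header check described here. The class name, the reason strings and the list of headers are assumptions; the page does not say which headers the software inspects.

```php
<?php
// Added example (hypothetical names): per-member IP log plus proxy headers.

final class HitFilter
{
    // Headers commonly added by forwarding proxies, as PHP exposes them.
    // Assumed list; a proxy that sends none of these is not detected.
    private const PROXY_KEYS = ['HTTP_VIA', 'HTTP_X_FORWARDED_FOR', 'HTTP_FORWARDED'];

    /** @var array<string,array<string,bool>> member => set of IPs seen */
    private array $ipLog = [];
    private int $lastClear;

    public function __construct(private int $clearEvery, int $now)
    {
        $this->lastClear = $now;
    }

    /** @param array<string,string> $server a $_SERVER-style array */
    public function check(string $member, array $server, int $now): string
    {
        if ($now - $this->lastClear >= $this->clearEvery) {
            $this->ipLog = [];          // periodic clear keeps the log small
            $this->lastClear = $now;
        }
        foreach (self::PROXY_KEYS as $key) {
            if (!empty($server[$key])) {
                return 'proxy';         // hit ignored: proxy header present
            }
        }
        $ip = $server['REMOTE_ADDR'] ?? '';
        if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
            return 'bad-ip';
        }
        if (isset($this->ipLog[$member][$ip])) {
            return 'duplicate-ip';      // candidate cheat log entry
        }
        $this->ipLog[$member][$ip] = true;
        return 'counted';
    }
}

// Constructed requests using documentation-range addresses.
$filter = new HitFilter(86400, 0);
$direct = ['REMOTE_ADDR' => '203.0.113.7'];
$viaProxy = ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_VIA' => '1.1 cache.example'];
foreach ([[$direct, 10], [$direct, 500], [$viaProxy, 600], [$direct, 86400]] as [$req, $t]) {
    echo $t, ' ', $filter->check('username', $req, $t), "\n";
}
```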

JavaScript

Another method of cheat prevention is a small piece of JavaScript on the gateway page. If your copy of in.php is loaded into a frameset on someone's site, the code will immediately break out of the frameset and your gateway page will be the only thing visible. In order for this to work, you must have the gateway page enabled. If you create a custom version of the gateway, be sure to include the following body tag in place of the one you would be using:

<body onLoad="if (self != top) top.location = self.location">

You can add other attributes to this body tag, but make sure that the onLoad statement remains.

Cheat Definitions

In this section we will discuss the entries you will find in the cheat log. Note that just because there is an entry in the cheat log for a specific account does not mean that the account is trying to cheat you. The cheat log should only be used as a resource to help identify cheaters.