Who's the Spanish jerk draining the Faucet?

I just shut down freebitcoins.appspot.com; it looks like somebody in Spain is being a jerk and getting a new IP address, bitcoin address, and solving the captcha.  Over and over and over again:

Those IP addresses all map to Telefonica de Espana.  If it was you:  give them back, please: 15VjRaDX9zpbA8LVnbrCAFzrVzN7ixHNsC

Now that 5 bitcoins is worth a fair bit, I'm thinking I need more cheating countermeasures.  I can think of four things to try:

1. Rate limit based on the first byte of the IP address (79. or 81. in this case).
2. Rate limit based on the USER-AGENT string ("Opera/9.8..." in this case).
3. Rate limit based on last two domains of reverse DNS lookup of the IP address (rima-tde.net in this case).
4. Make the standard amount given away 0.5 Bitcoins (Bitcoins have gone up 10 times in value since I started the Faucet).

If you get rate limited, you'll get a message that asks you to try again tomorrow.

BitcoinFX: thanks again for the donation to the faucet; I'm going to drain the Faucet below 500 coins temporarily, and will refill it with your donation after the new cheating countermeasures are in place.

You know the same thing crossed my mind that you could drain the faucet by grabbing a new ip address. I figured most of the people would be honest enough to not do it or there was something behind the scenes preventing it. One idea might be Browser finger print and a 81.x.x.x or 71.x.x.x limit. http://panopticlick.eff.org was something the eff did to show just how easy it is to finger print your browser (it checks your os build, Browser build, java, flash, other add-on versions, etc). If you were to combo detect the the browser id's and the first ip block it would be a fairly good way, though it would probably be a fair bit of work.

Another idea would be to add a delay to the coins being sent out, like say an hour after they are cleared the coin goes out. This wouldn't give someone instant satisfaction and would allow you to prevent the coins going out during that hour (Add a check to email yourself if a large number of transactions come through or something like that). Also dropping the coins being given out to 1 or 0.5 would significantly decrease the incentive of doing such a thing.

I would make it give out 0.001% of the total bitcoins with a minimum of ฿0.02 and I would move those two decimal points to the left whenever the official client changes to displays another precision point. Thanks for the service, it's very useful to new users. I hope you can stay one step ahead of the cheaters.

What if they just use different proxy's, than the checking the first byte of the IP is useless.

You could make a registration form on the site where they first got to activate they're email address, and than get a login code.
After login than they can request the free coins, of course there is a limit of one request for one email address and you keep on checking the ip.

So if you want a lot of coins, you first got to register a lot of email adresses and than you got to register with all those addresses, you really got to have no life to do all that trouble just to drain down the Faucet

Whoever cheats to take free bitcoins wins this award.



It is the douche-bag of the year.

Yeah, I shoulda anticipated problems when Bitcoins went from 0.005 USD each to 0.06 each.  If it takes somebody two minutes to go through the "get a new IP, get a new BC address, solve the captcha" process then they'd make 5*30=150 bitcoins an hour, which is $9 USD an hour, which, if you're unemployed, bored, and/or 13 years old is easy money.

Sadly, I don't think there's a viable anti-abuse system when you have an automated system dispensing coins for free.  (anonymous, irrevocable coins)

The only countermeasure that makes sense is to slow down the value and pace of the whole faucet to where someone has a chance to manually keep an eye on flow.

But coming back to the roots of why it's neat, and what people reasonably get from it, the specific value is not really important.  I see it as more a "system test", where someone can watch coins come in, transfer them to another computer, and so on.  It's not supposed to be "what can I buy with these", but test coins.  Having 0.02 coins is much more fun than having zero.

To that end, a system that dispenses BTC 0.02 and has a significant delay (30 mins?) is less likely to be attractive to even automated abuse plots.

Perhaps it would help to be more clear about the Faucet operating on an honor principle, and that no one is really allowed more than 5.05 bitcoins (or 0.55 bitcoins if you change it to that).  When I revisit the site today it says "Right now the rule is 0.05 bitcoins given per unique IP address."  Such language could be interpreted as if it was actually OK to get more payouts from the Faucet using several unique IP addresses, since it would not be "against the rules".  Improving the technical system to prevent cheating is probably a good idea anyway, since there are probably cheaters who don't care about being cheaters.  But some may actually think they are just being clever, maximizing their benefit without breaking any rules.

Silently failing would look bad.

Definitely needed.  What rate are you thinking of?  Ultimately, it's better to rate limit it than to let it all drain out.

That might work surprisingly well.  If it works, it keeps them from hitting the rate limit, but the rate limit is there as the last line of defence.

Definitely time to lower it.