Hacker News | jbesomi's comments

> not really what you asked indeed, but interesting.

Thanks for sharing!


Didn't know about Cookie Clicker; that's a nice one too. Yeah, the idea would be to have only real clicks ...


Well, unless you make people record themselves clicking, it's impossible to do - even if you are completely able to detect the software, people can still exploit the system by building additional hardware. If you want only real clicks, you could just limit the clicks to 1/IP address and then have only the country ranking visible.


> if you want only real clicks, you could just limit the clicks to 1/ip address and then have only country ranking visible

Sounds like a good proposal! Will think about that. How hard do you think it would be for users to change the IP address and bypass this idea?


Although perfect detection of fake clicks is impossible, at least trying to detect and filter them is a nice problem.

I don't expect advanced solutions against your site. It's not a bank, nobody would get a huge profit with fake clicks. You need to fight against script kiddies, not specialized hardware.

So I guess some easy heuristic to detect people that click too fast or do not sleep for a week will be enough.


Indeed. Thanks for the advice. I will implement it. I will first work on a throttling system and a way to detect programmed clicks. This should already drastically reduce spam.


Those two Spanish accounts look very suspicious...


Indeed.


Good observation; should I remove it? I'm also learning that it's hard to detect click bots; one approach might be to identify all clicks with the same frequency, but that can be easily bypassed by writing a bot that clicks the button at random intervals.


A smart way of going about it would be to just implement ratelimits based on human ability of clicking a mouse button - I'm sure no human is able to click a button 100 times a second. And of course ban people that are consistently at the gates of the ratelimit.


Thank you. That's what I will do (and write a blog post about it)


I got to think a bit more on that ... and: what about doing the complete opposite? I.e., to encourage automatic clicks with the final goal of making stonks go even more up?


Yes, I made it. The primary goal was to learn how to make a real site that can also scale. Yes, there were a few interesting problems, especially how to make it support a large load; the solution has been to use socket.io and Redis. I'm thinking about writing a blog post about it. I'm validating all usernames; for now I don't have problems caused by ASCII characters. For now the website is supporting the loads well. Client and server communicate via websockets (using socket.io), and this drastically reduces requests. Moreover, I'm using NGINX as a load balancer to further improve the load support.
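
The heuristics suggested in the comments above (a rate limit set at human clicking ability, a ban for accounts consistently at the limit, and flagging clicks at identical frequency) can be combined in one server-side check. This is an added example, not code from the thread or from the site; the `ClickGuard` class and every threshold in it are assumptions.

```javascript
// Added example: names and thresholds are assumptions, not the site's code.
const MAX_CPS = 15;        // assumed ceiling for human clicks per second
const NEAR_LIMIT = 12;     // clicks per window counted as "at the gates"
const STRIKES_TO_BAN = 10; // consecutive near-limit windows before a ban
const WINDOW_MS = 1000;
const SAMPLE = 20;         // click intervals kept for the regularity check
const MIN_CV = 0.05;       // below this spread, intervals look machine-timed

class ClickGuard {
  constructor() { this.users = new Map(); }

  state(user, now) {
    if (!this.users.has(user)) {
      this.users.set(user, { start: now, count: 0, strikes: 0,
                             banned: false, last: null, gaps: [] });
    }
    return this.users.get(user);
  }

  // Returns "accept", "drop" (over the rate limit) or "banned".
  onClick(user, now) {
    const s = this.state(user, now);
    if (s.banned) return "banned";
    const elapsed = now - s.start;
    if (elapsed >= WINDOW_MS) {
      // Close the window: a strike if it was near the limit; reset to zero
      // if it was not, or if at least one idle window passed since.
      const near = s.count >= NEAR_LIMIT && elapsed < 2 * WINDOW_MS;
      s.strikes = near ? s.strikes + 1 : 0;
      s.start = now; s.count = 0;
      if (s.strikes >= STRIKES_TO_BAN) { s.banned = true; return "banned"; }
    }
    if (s.last !== null) {
      s.gaps.push(now - s.last);
      if (s.gaps.length > SAMPLE) s.gaps.shift();
    }
    s.last = now;
    s.count += 1;
    return s.count > MAX_CPS ? "drop" : "accept";
  }

  // True when recent click intervals are nearly identical (fixed-rate script).
  isMachineTimed(user) {
    const s = this.users.get(user);
    if (!s || s.gaps.length < SAMPLE) return false;
    const mean = s.gaps.reduce((a, b) => a + b, 0) / SAMPLE;
    const sd = Math.sqrt(s.gaps.reduce((a, g) => a + (g - mean) ** 2, 0) / SAMPLE);
    return mean === 0 || sd / mean < MIN_CV;
  }
}
```

As noted in the thread, the regularity check only catches fixed-rate scripts, so the hard cap and the near-limit strikes remain the backstop for clients that randomize their intervals.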

