Once my site went live, I started to notice a few users had figured out that they could invite themselves infinitely using multiple email accounts they control (ie - create a bunch of gmail or yahoo accounts and invite them). Since I award 1 point per invite and 10 points per invitee who registers and we give away prizes for points, this can be very lucrative to a user.
And since we can't use the ip address as a check since there might be multiple valid users on a shared ip and there's no way to know based on the email address, the only thing I could think to do was use a cookie. So, this patch for userpoints_invite creates a cookie on the invite action and then checks for it on the escalate/register action. If it exists, then no points are awarded.
Granted, one could use a different browser or computer or clear cookies to get around this, but it should provide some basic level of point fraud protection.
Ideally I'd love to block the entire registration so my users database isn't littered with failed fraud attempts, but that's for a different project and a later time.

CommentFileSizeAuthor
userpoints_invite.module.patch1.56 KBfred0

Comments

kbahey’s picture

Status: Active » Fixed

Committed, with some code reformatting and simplification.

Thank you.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.