Blocking IPs [...]:, and they're so easy to fake only the technically dull bad people will be affected.

Wow. It is easy for you to fake an IP and have the results sent back to you? You'll have to explain that before I believe you.

If you are using IP for security, then the only risk from faking IPs is that someone can send you data with a forged IP in hopes of getting you to act on it. Simply requiring a minimal dialogue that includes repeating hard-to-predict data is enough to make such extremely unlikely.

An attacker having control over a block of IP adresses is a separate issue.

Wow. It is easy for you to fake an IP and have the results sent back to you? You'll have to explain that before I believe you.

Lack of clarity on my part. I meant that faking a proxy is easy.

You pretend to be a legitimate caching proxy and fake the Via and X-Forwarded-For headers. Mix in a bot browsing the site with a few legitimate accounts and it becomes almost impossible to tell the difference between good and evil proxies (unless you start hammering the site with thousands of registrations.)

So you're either faced with blocking proxy IPs, which is bad for legitimate proxy users, or blocking the IPs delivered by the fake proxy headers which will have no effect.

If you are using IP for security, then the only risk from faking IPs is that someone can send you data with a forged IP in hopes of getting you to act on it.

Yup.

A denial of service attack is an especially annoying form of this if one of your possible acts is automated IP blocking. EvilPerson sends bad requests using the faked IP addresses of legitimate users. Legitimate users get banned.

Adrian & Tye,
you chaps are quite right, I had forgotten about the whole unreliability thing with IPs for a moment there, it creates a lot of issues. And the danger of blocking proxies, very tricky. Hmmm. What I was attempting to address is the possibility to just brute the form by selecting all the options sequentialy. Or one could just exhaust the list of questions and pay someone to handball the results </blackhat> Hmm, OK. Let's say we immediately change to another question, but we also present the choices in a random order each time, that's an improvement.

@ Nkuvu, Sorry, it was a flippant example, in reality we would choose something far simpler. Besides it was a trick question, there is one there that you _KNOW_ doesn't have a moustache, but he's not a real dictator. Also all the others were democratically elected in a valid vote at least once in their political careers and _then_ went crazy :)

I have heard other ideas too, such as getting the client to solve a costly puzzle (in code) so that a bot wouldn't be able to get up much speed. Unfortunately this makes the presumption that the client will let the server instruct it to execute arbitary code, which is obviously bad.

I think what I am trying to say is, as a general principle you need to find a puzzle that humans can easily solve but a machine cannot. In the end, if you make too many hoops for users to jump through they will just go to another site as Nkuvu says.