You know, I've been thinking about this. It'd be pretty easy to automate the process such that it'd be undetectable. Use an HTTP session spoofer that carries forward cookies so they can't catch you not having the right cookies. Spoof any XHTTP requests going any direction. Use an actual browser's user-agent so as a client you come off as a browser rather than a robot. Simulate human-like delays between each request in case they log for throttle stuff--incidentally, most of MS's Xbox 360 mod detection features involved timing measurements on the disc drive / firmware. Load all the extraneous assets that a browser would load to make the requests so they can't accidentally catch you by requiring you to load some non-cached image before you submit a request as form of
knocking. I guess one thing they could do is have you execute arbitrary javascript client-side, because most of the HTTP spoofing libraries don't have proper JS engines, but it's still doable if you did have a proper JS engine, and the alternative would be re-writing whatever code they make you execute in your given language so the actual transmission/verification of the results would be the same.
I haven't written any of the code, but I'm reasonably confident that there's basically no line of attack they could use that would identify someone automating this stuff. Like, I think to get caught it'd be because you were choosing to sacrifice fidelity for speed--like for example people who would write a high-speed market scraper to snipe mispriced rare items would be caught by the frequency of their checks and the speed with which they go through the buying process.
I'd love if any other programmers could weigh in if there's a detection method they think Valve could use to identify this kind of use case.
