The best method to protect against this is to make the "email" field a unique field in your database. That way the user will also have to register multiple email addresses which is cumbersome.
A "verified" email address is one method, but we compliment using heuristic algorithms and monitoring solutions. If you are operating a paid membership site, there are other considerations of course.
other then ip address you really don't have much easy option. then again people can clear the cache to overcome it.
How do you handle access from a network (i.e. library, school, corporation, AOL, etc) which uses a proxy? Also, I cannot clear the cache to change an IP address. Either I have a fixed IP or a dynamic IP address with lease. How do you handle anonymous proxies?
i am looking into something more than ip and cookie because i notice that even my own ip changes a few times within a day and cookie can be deleted. How does a ppc detect self click? Can we get the computer information of the user?
You could setup a logging system. Account a logs in it sets a cookie to the PC. When they go to login to account b it picks up that a cookie already exists and puts a log in for you to check the 2 accounts regardless of ip since they can proxy, and bots can be made to auto generate emails on gmail and other systems. TJ
PPC like adsense-adwords uses a complex technique to detect multiple account and fake clicks. They have employed thousands of employees, who are monitoring day and night. A script cannot detect this at all. Because, the trace-passers and rule brokers are always clever than a script. Just for an example: Suppose a person has 2 adsense accounts. Google logs the urls where adsense codes are pasted (actually google can log this, whenever the ad block gets an impression). If a match is found in URLs of 2 different ad blocks (of 2 different accounts), some script sends a notification to moderators. Moderators then manually checks, whether it is possible, that the URL can contain ads of 2 different accounts or not. (ie. if it's a forum like digital point, here google ads come from different accounts or it may be a personal blog, where it's mostly possible that only one adsense account is serving ads). If it seems that, the URLs should not contain different account's ads, google verifies the 2 accounts' information. A bad match can be like, adresses are neighbouring, email prefixes are same but from different providers, dates of birth are same, passwords are same or both of the accounts are accessed on same date (with 10-20 mins time lag), but from different ips. If such matches occur (people often make mistakes in these cases), google marks the 2 accounts and starts deep monitoring. Concerns like Google, Yahoo is really using some extra ordinary techniques (by investigating human behaviours) to avoid fraud. So it's hard to apply, if you're not as BIG as they are.