I've been contemplating such limitations as potential solutions myself, but I am afraid all such limitations will only create incentives for either even more fake accounts or just using vpn-connections to change IPs.

I'm afraid it's really almost impossible to build a static set of rules that would be exploit-proof.