Add error report spam protection honeypot #2040
base: master
Conversation
If the bots are indeed targeting SSP, this will not put them off for long. My idea would be to create a module that, for instance, implements Google Recaptcha. The module would have to provide a 'hook' that will let SSP know which Twig template to embed in the error form and which class to use for verification. The hook will make the module re-usable for other forms, while the modularized setup will allow people to implement other types of captchas. I wouldn't mind setting up some proof of concept for this. @thijskh Thoughts?
I agree that if bots are being made to attack a feedback form then they will probably evolve in line with small changes on that page. They have the source code after all ;) I recalled some drop on the limits in recent months for Google Recaptcha which seems to be down to 10k/month on the free tier now. I imagine that even at that reduced rate it is likely to cover error feedback forms.
I just wanted to test the waters on the topic with this harmless merge request first.
Unless their documentation is outdated, according to this page it's free up to 1 million Assessments / Month. I've already done some work locally, so I will try and finish my concept this coming weekend.
There were a bunch of sites reporting back in Jan/Feb that the tier was moving from 1 million to 10k per month. And mentions of "reCAPTCHA Lite" as the free tier. Though Google would be the ones to know rather than these other sites. |
I have been experiencing an increase in spam mails via the error report form.
I agree with the comments and closing of #1211. However, bot farm requests from different origins are now creating almost daily tickets across our SSP instances.
This patch adds a simple honeypot with the common input name "name".
I have added it to some of our prod instances and have not received any spam error reports and no false positives from them ever since.
It is easy to test by setting the "name" input value to a non-empty string via the browser's Inspect function before submitting the report, and it does not affect real error reports because the input element is invisible to human users.
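The honeypot described in this PR, written out as an added, self-contained PHP example; this is not the SimpleSAMLphp code from the PR itself. It assumes the field is named "name" as the PR states, that the field is hidden from humans by off-screen CSS rather than `type="hidden"`, and that spam submissions should be logged and dropped while returning the same response a real report gets. The function names (`isHoneypotTriggered`, `renderHoneypotField`, `handleErrorReport`) and the sample submissions are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not SimpleSAMLphp's implementation. Field name "name"
// follows the PR; everything else here is an assumption for illustration.

/**
 * True when the submission looks like bot spam: the honeypot field was
 * present and filled. A missing field is not treated as spam, so a
 * cached or proxy-trimmed template does not produce false positives.
 */
function isHoneypotTriggered(array $post, string $field = 'name'): bool
{
    if (!array_key_exists($field, $post)) {
        return false;
    }
    $value = $post[$field];
    return is_string($value) && trim($value) !== '';
}

/**
 * Render the honeypot input for the form template. The wrapper is moved
 * off-screen instead of display:none, so bots that skip invisible nodes
 * still see an ordinary "name" text field; tabindex=-1, aria-hidden and
 * autocomplete=off keep humans, screen readers and browser autofill
 * from touching it.
 */
function renderHoneypotField(string $field = 'name'): string
{
    $f = htmlspecialchars($field, ENT_QUOTES, 'UTF-8');
    return '<div style="position:absolute;left:-10000px;top:auto;width:1px;height:1px;overflow:hidden" aria-hidden="true">'
        . '<label for="hp-' . $f . '">Leave this field empty</label>'
        . '<input type="text" id="hp-' . $f . '" name="' . $f . '" value="" tabindex="-1" autocomplete="off">'
        . '</div>';
}

/**
 * Process one error report. A triggered honeypot is logged (so the volume
 * of bot traffic stays visible in monitoring) and the report is dropped,
 * but the caller still returns the normal "thanks" page so the bot
 * learns nothing from the response. Mail and log are injected callables
 * so this can be exercised without a mailer.
 */
function handleErrorReport(array $post, callable $sendMail, callable $log): string
{
    if (isHoneypotTriggered($post)) {
        $origin = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
        $log('error report rejected by honeypot; origin=' . $origin);
        return 'thanks';
    }
    $sendMail($post['email'] ?? '', $post['text'] ?? '');
    return 'thanks';
}

// Constructed sample submissions: a human leaves the hidden field empty,
// a form-filling bot populates every text input it finds.
$human = ['email' => 'user@example.org', 'text' => 'Login fails after IdP change', 'name' => ''];
$bot   = ['email' => 'x@example.net',    'text' => 'buy now',                      'name' => 'John'];

$sent = [];
$logged = [];
$sendMail = function (string $email, string $text) use (&$sent): void { $sent[] = $email; };
$log = function (string $line) use (&$logged): void { $logged[] = $line; };

handleErrorReport($human, $sendMail, $log);
handleErrorReport($bot, $sendMail, $log);

echo "mails sent: " . count($sent) . ", spam logged: " . count($logged) . "\n";
echo renderHoneypotField() . "\n";
```

Testing it the way the PR describes (filling the hidden "name" input through the browser's inspector before submitting) exercises the `isHoneypotTriggered` branch; keeping the rejected-submission log line makes it possible to see in monitoring when bots adapt and the honeypot stops catching them, which is the point raised in the discussion above.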