LemmyNet / lemmy

🐀 A link aggregator and forum for the fediverse
https://join-lemmy.org
GNU Affero General Public License v3.0

Temporarily block IP addresses caught by honeypot form fields #4470

Open dullbananas opened 9 months ago

dullbananas commented 9 months ago

Is your proposal related to a problem?

After a bot receives an error after submitting a form, there might be a chance that it will try again without the honeypot field set.

Describe the solution you'd like.

Create a table that stores the IP address and timestamp when the honeypot field is set, and block the IP address from some endpoints for at least 1 day.

Only the first half of IPv6 addresses should be used.

Describe alternatives you've considered.

None

Additional context

No response
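
The proposal above, sketched in Rust as an added example (not code from this issue or from Lemmy): a block key that keeps only the first half of an IPv6 address, and a lookup that enforces the 1-day window. The names `block_key` and `HoneypotBlocks`, the in-memory map standing in for the proposed table, the handling of IPv4-mapped addresses, and the sample addresses are all assumptions made for illustration.

```rust
use std::collections::HashMap;
use std::net::IpAddr;
use std::time::{Duration, SystemTime};

/// Block window from the proposal: at least 1 day.
const BLOCK_FOR: Duration = Duration::from_secs(24 * 60 * 60);

/// Key: full IPv4 address, or the first half (upper 64 bits) of an IPv6 address.
fn block_key(ip: IpAddr) -> IpAddr {
    match ip {
        IpAddr::V4(_) => ip,
        IpAddr::V6(v6) => match v6.to_ipv4_mapped() {
            // Assumption added here: ::ffff:a.b.c.d is an IPv4 client, so key it as IPv4.
            Some(v4) => IpAddr::V4(v4),
            None => {
                let mut octets = v6.octets();
                octets[8..].fill(0); // zero the interface half
                IpAddr::V6(octets.into())
            }
        },
    }
}

/// In-memory stand-in for the proposed table: key -> time the honeypot fired.
#[derive(Default)]
struct HoneypotBlocks(HashMap<IpAddr, SystemTime>);

impl HoneypotBlocks {
    fn record_hit(&mut self, ip: IpAddr, now: SystemTime) {
        self.0.insert(block_key(ip), now);
    }
    /// True while the address (or its IPv6 /64) is inside the block window.
    fn is_blocked(&self, ip: IpAddr, now: SystemTime) -> bool {
        // A clock that went backwards gives Err; keep blocking in that case.
        self.0.get(&block_key(ip))
            .map_or(false, |hit| now.duration_since(*hit).map_or(true, |age| age < BLOCK_FOR))
    }
    /// Drop expired rows so the table stays bounded.
    fn purge(&mut self, now: SystemTime) {
        self.0.retain(|_, hit| now.duration_since(*hit).map_or(true, |age| age < BLOCK_FOR));
    }
}

fn main() {
    let (mut blocks, now) = (HoneypotBlocks::default(), SystemTime::now());
    blocks.record_hit("2001:db8:1:2:aaaa::1".parse().unwrap(), now); // constructed address
    blocks.purge(now);
    println!("{}", blocks.is_blocked("2001:db8:1:2:bbbb::9".parse().unwrap(), now));
}
```

Keying on the /64 means a client that rotates its interface identifier stays blocked, at the cost of also blocking any other host that shares that prefix.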

dessalines commented 9 months ago

I'm sure we could probably use the rate_limit for this in some way... but it works on the whole route. There is an existing post rate limit tho, that uses IP address.