engelsystem / engelsystem

Shift planning system for chaos events.
https://engelsystem.de
GNU General Public License v2.0
429 stars 239 forks

Protect the registration against bots / Confirming users #1339

Open nilsnolde opened 7 months ago

nilsnolde commented 7 months ago

I'm actually surprised this becomes a problem only now for us: we have a bunch of bots registering on our Engelsystem. They should be pretty harmless, I doubt any of those idiots out there wants to bomb OSS conferences.

Still, maybe it'd be a good idea to add some form of protection to the registration site, such as a captcha, email confirmation or others. If it helps, mediawiki has an extension written in PHP: https://github.com/wikimedia/mediawiki-extensions-ConfirmEdit.

nilsnolde commented 7 months ago

Or how do others protect their Engelsystem from bots registering?

MyIgel commented 7 months ago

Up to today I haven't heard of problems regarding bots that register accounts. Do you know if it's some more specialized "attack" or generic "create a user and have a look what sticks"? The generally more helpful way would be to implement email confirmation and deletion of accounts that are not confirmed (which is a goal to be implemented soon(TM)).

If they are "generic" bots, something like adding another "hidden" form field that gets filled out by bots but can't be seen by humans might be an option too. The basic point here is: nowadays most captchas that have to be solved by users are solved even more easily by bots, so if it's a targeted attack we are screwed anyway, but if it's "by chance" / "random" we might get away by using pretty "dumb" counter measures.
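The two "dumb" counter measures described in the comment above (a hidden honeypot field, and email confirmation with later deletion of unconfirmed accounts), as an added example that is not Engelsystem's own code; the field name, the 48-hour grace period and the plain-array account record are assumptions.

```php
<?php
// Added example, not Engelsystem code: the honeypot field and the e-mail
// confirmation / purge of unconfirmed accounts discussed in the issue.
declare(strict_types=1);

// Assumptions: field name, 48 h grace period, accounts kept as plain arrays.
const HONEYPOT_FIELD = 'website';   // hidden from humans via CSS, so stays empty
const CONFIRM_GRACE  = 48 * 3600;   // seconds an unconfirmed account may live

/** Generic bots fill every input; a human never sees the honeypot, so it stays empty. */
function passesHoneypot(array $post): bool
{
    return !isset($post[HONEYPOT_FIELD]) || trim((string) $post[HONEYPOT_FIELD]) === '';
}

/** New unconfirmed account: the random token is mailed, only its hash is stored. */
function newPendingAccount(string $email, int $now): array
{
    $token = bin2hex(random_bytes(32));
    $record = [
        'email'      => $email,
        'token_hash' => hash('sha256', $token),
        'created_at' => $now,
        'confirmed'  => false,
    ];
    return ['record' => $record, 'mail_token' => $token];
}

/** Confirm from the link token: reject expired records, compare in constant time. */
function confirmAccount(array &$account, string $token, int $now): bool
{
    if ($account['confirmed'] || $now - $account['created_at'] > CONFIRM_GRACE) {
        return false;
    }
    if (!hash_equals($account['token_hash'], hash('sha256', $token))) {
        return false;
    }
    $account['confirmed'] = true;
    return true;
}

/** Accounts still unconfirmed after the grace period; a cron job deletes these. */
function staleUnconfirmed(array $accounts, int $now): array
{
    return array_filter($accounts, fn(array $a) => !$a['confirmed'] && $now - $a['created_at'] > CONFIRM_GRACE);
}

// Constructed bot POST: the hidden field was filled in, so registration is refused.
$botPost = ['name' => 'angel', 'email' => 'bot@example.org', HONEYPOT_FIELD => 'http://x.example'];
var_dump(passesHoneypot($botPost));
```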

nilsnolde commented 7 months ago

From what I saw when I opened this, it was the “generic” kind, not very targeted. I guess more like “hey there is a registration form, let’s do that” and that was it. That’s why I’m thinking it’s pretty harmless, but could of course lead to bogging down the server if it’s done at scale.

Agreed, that email confirmation & removing unconfirmed accounts after some grace period goes a long way too. However, that QuestyCaptcha from Mediawiki seems quite effective, esp. for conferences where you can expect registering people to have some context knowledge to set up the right questions, and expect bots to not use serious ML😄 I think Wikipedia had their share of learning over the years, but of course that doesn’t make it “2023 proof” necessarily. We’re running it with the QuestyCaptcha as well, and I can’t see any obvious bot accounts there.

I’ll observe over the next weeks and report back.