Open ollyc opened 5 years ago
As the registration form is not managed by the Rails app, we won't be able to use gems like negative-captcha but we can use relevant parts of them.
The first solution I would implement is honeypots, and then wait and see if we have less spam/no spam anymore/no change.
This means that the registration form would include a dummy field (e.g. fax number or pet name). We would decline any registration for which this field has been filled in.
What do you think about it, @ollyc?
A honeypot sounds like a very good idea. I'll create a PR for the server side of this.
This article is great and goes in-depth on some ways you can protect your forms: https://www.lifewire.com/solutions-to-protect-web-forms-from-spam-3467469
Today we got a rebel signing up with some unusual skills:
Previously I've had a good experience implementing fairly basic anti-spam tricks (nonces, randomized field names, etc.) that are transparent to the user but seem to stop scripted attacks.
Given the sensitivity of the form, I think hosted services like recaptcha should be ruled out.
Content filtering could be an option too. Even a naive filter with hardcoded rules could be reasonably effective against this sort of spam and have a low risk of false positives.
We could also implement double opt-in email confirmation (shouldn't we be doing this anyway?), but I'd prefer to block spam at source if possible.
I don't know if there are any off-the-shelf solutions in rails, but if there are, or if a custom solution looks easy and someone can give me a push in the right direction, I'd be happy to take this one on.
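A server-side version of the honeypot check proposed earlier in the thread, combined with the nonce and randomized-field-name idea from the last comment, as an added example that is not code from the thread or the project. The `RegistrationSpamCheck` module, the placeholder secret and the field names are assumptions; the form (served outside the Rails app) is assumed to embed the issued nonce as a hidden input and to hide the honeypot input with CSS.

```ruby
require 'openssl'
require 'securerandom'

# Server-side check for a registration form whose HTML lives outside the Rails app.
# The honeypot field name is derived per form render from a signed nonce, so a
# script that replays a fixed field list or fills every input it sees is rejected.
module RegistrationSpamCheck
  # Placeholder secret; in a real app this would come from Rails credentials.
  SECRET = 'example-secret-rotate-me'.freeze
  REAL_FIELDS = %w[email first_name last_name].freeze

  def self.tag(data)
    OpenSSL::HMAC.hexdigest('SHA256', SECRET, data)
  end

  # Nonce the form embeds as a hidden input: random part plus its HMAC tag,
  # so the server can tell its own nonces from attacker-supplied ones.
  def self.issue_nonce
    random = SecureRandom.hex(8)
    "#{random}.#{tag("nonce:#{random}")}"
  end

  def self.valid_nonce?(nonce)
    random, given = nonce.to_s.split('.', 2)
    return false if random.nil? || given.nil?
    secure_equal?(tag("nonce:#{random}"), given)
  end

  # The honeypot's input name changes with the nonce; a real user never sees it.
  def self.honeypot_field_name(nonce)
    'f_' + tag("honeypot:#{nonce}")[0, 12]
  end

  # Returns [:accept] or [:reject, reason] for a submitted params hash.
  def self.check(params)
    nonce = params['nonce']
    return [:reject, :missing_nonce] if nonce.nil? || nonce.empty?
    return [:reject, :invalid_nonce] unless valid_nonce?(nonce)
    hp = honeypot_field_name(nonce)
    return [:reject, :honeypot_filled] unless params[hp].to_s.strip.empty?
    # Fields the form never had suggest a script guessing input names.
    extra = params.keys - REAL_FIELDS - ['nonce', hp]
    return [:reject, :unexpected_fields] unless extra.empty?
    [:accept]
  end

  # Constant-time string comparison so tag checks do not leak via timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Rejections should be logged with the reason so the team can see whether the honeypot, the nonce or the field-name check is the one catching the spam, which answers the "wait and see" question raised above.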