List and Item spam protection

[justin-capalbo]

Lists and items don't have very much that makes them unique - you can create a bunch of them for the same user very rapidly. A few ways to approach this problem.

• Hard cap on number of items in a list, this is pretty arbitrary. 100? 200?
• Hard cap on number of lists for an account? This is a little harder to pin down. This number * the max items also determines the records per user.

Another way to go - limit the # of lists that can be created per day, and cap items at 200. Not sure what the use case would be for a user creating more than a few lists per day, so a sanity cap on lists/day might be good as an alternative/extra precaution.

[justin-capalbo]

An alternative strict "limits" is to set up rate tracking and flag problem accounts. This is probably the way I will go. Of course with an open source project it should be pretty trivial for vulnerabilities to be exposed but that's good.

Spam protection is going to have two parts.

1. Account Statistics When items or lists are created, tracking can be done on the User table or a table adjacent to the user such as UserMetrics. A rolling average of the time between list and item creation can be tracked, and thresholds can be defined for acceptable values for these rates on another table of constants that are seeded into the DB. Later, these can be editable through an admin page.

Testing

• Artificially set up a fake time frame for posts (see if we can spoof created_at in testing) to see if user metrics are tracked correctly. This should be simple math.
• Behave like a "realistic user" and get an idea of what good settings are.

2. Flagging When the values in UserMetrics exceed the values in the application's SpamSettings, an e-mail will go out to the administrator.

Testing

• Email testing will need to be set up to test the mailer.
• SendGrid needs to be used again.