mysociety / whatdotheyknow-theme

The Alaveteli theme for WhatDoTheyKnow (UK)
http://www.whatdotheyknow.com/
MIT License

Investigate why the volunteer contact form is generating so much spam #1473

Closed sallytay closed 1 year ago

sallytay commented 2 years ago

Since introducing the new volunteer contact form (https://github.com/mysociety/whatdotheyknow-theme/issues/1179) it has been noted that it generates a lot more spam than the general contact form.

For example there have been 33 this month, 12 this week.

It is not clear why this is happening - could we investigate this to see whether there is anything we can do to prevent this?

FOIMonkey commented 1 year ago

We've had 16 this week, and 44 in the past month. It seems to be getting worse, and there are consistently several messages a day that need dealing with.

mdeuk commented 1 year ago


The new "Inbox Monster" alpha now has some capability for handling these messages - a one-click "form spam" option which takes corrective action on the thread itself, and then logs it into a spreadsheet.

There's also some bad jokes within! 😇

Related:

HelenWDTK commented 1 year ago

+1 Anecdotally, the spam seems to be getting worse, and the inbox monster data supports this. It'd be good to get the same kind of spam protection on the volunteer form as the main contact one if possible.

HelenWDTK commented 1 year ago

22% of all new threads in the inbox over the past 7 days have been spam received via the volunteer form. The problem is continuing to escalate.

garethrees commented 1 year ago

The honeypot form field definitely works as expected:

diff --git a/app/controllers/help_controller.rb b/app/controllers/help_controller.rb
index 4ddfa8caf..fc6e45f78 100644
--- a/app/controllers/help_controller.rb
+++ b/app/controllers/help_controller.rb
@@ -86,6 +86,7 @@ def contact_params
   end

   def catch_spam
+    puts "CATCHING SPAM: #{params[:contact]}"
     return unless request.post? && params[:contact]
     return if params[:contact].fetch(:comment, '').blank?
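Review bot: the added `puts "CATCHING SPAM: #{params[:contact]}"` line writes the whole contact hash, including the submitter's name and email address (visible in the log output below), to stdout. If this is meant to stay in for longer than a local debugging session, switch to `Rails.logger.debug` and log only what is needed to confirm the honeypot fired, for example whether `params[:contact][:comment]` is blank, so personal data is not written to the logs.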

When the contact parameter is submitted the controller halts processing via catch_spam and redirects to the homepage:

alaveteli-app-1  | Processing by HelpController#contact as HTML
alaveteli-app-1  |   Parameters: {"utf8"=>"✓", "authenticity_token"=>"", "contact"=>{"name"=>"foo", "email"=>"bar@example.com", "why"=>"drtn", "tasks"=>{"admin"=>"0", "comms"=>"Communications tasks such as blog writing or updating public notes on the site", "legal"=>"0", "user_support"=>"0", "campaign"=>"0", "other"=>"0", "not_sure"=>"0"}, "experience"=>"wec", "age"=>"18 or over", "anything_else"=>"erervervrev", "comment"=>"I AM A HONEYPOT"}, "current_form"=>"wdtk-volunteer", "submitted_contact_form"=>"1", "commit"=>"Send message to WhatDoTheyKnow team"}
alaveteli-app-1  | CATCHING SPAM: {"name"=>"foo", "email"=>"bar@example.com", "why"=>"drtn", "tasks"=>{"admin"=>"0", "comms"=>"Communications tasks such as blog writing or updating public notes on the site", "legal"=>"0", "user_support"=>"0", "campaign"=>"0", "other"=>"0", "not_sure"=>"0"}, "experience"=>"wec", "age"=>"18 or over", "anything_else"=>"erervervrev", "comment"=>"I AM A HONEYPOT"}
alaveteli-app-1  | Redirected to http://localhost:3000/
alaveteli-app-1  | Filter chain halted as :catch_spam rendered or redirected
alaveteli-app-1  | Completed 302 Found in 6ms (ActiveRecord: 0.0ms | Allocations: 2038)

Need to take a look in the logs to see if this spam is getting submitted without filling in the comment field. If so, we'll need a new detection approach.
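As an added example (not code from whatdotheyknow-theme or Alaveteli), the honeypot rule from `catch_spam` restated as a plain Ruby predicate with string keys, plus a small log triage helper that answers the question above from the `Parameters:` log format shown: how many volunteer-form submissions have the `comment` honeypot filled in (caught) versus left empty (these would need a different detection approach). The field and form names come from the log lines above; the sample log is constructed.

```ruby
# Added example, not the project's own code. Mirrors the catch_spam rule:
# only POSTs carrying a contact hash are considered, and the submission is
# treated as spam when the hidden honeypot field is non-blank.
HONEYPOT_FIELD = 'comment'
VOLUNTEER_FORM = 'wdtk-volunteer'

def honeypot_spam?(post:, params:)
  return false unless post && params['contact']
  !params['contact'].fetch(HONEYPOT_FIELD, '').to_s.strip.empty?
end

# Scan Rails log lines in the "Parameters: {...}" format quoted above and,
# for the volunteer form only, count submissions caught by the honeypot
# versus those that left it empty and so bypassed the filter.
def triage_log(lines)
  counts = { caught: 0, bypassed: 0 }
  lines.each do |line|
    next unless line.include?('Parameters:')
    next unless line.include?(%("current_form"=>"#{VOLUNTEER_FORM}"))
    comment = line[/"#{HONEYPOT_FIELD}"=>"([^"]*)"/, 1] || ''
    counts[comment.strip.empty? ? :bypassed : :caught] += 1
  end
  counts
end

# Constructed sample log lines (not real traffic), shaped like the output above.
SAMPLE_LOG = <<~LOG.lines
  alaveteli-app-1  | Processing by HelpController#contact as HTML
  alaveteli-app-1  |   Parameters: {"contact"=>{"name"=>"foo", "email"=>"bar@example.com", "comment"=>"I AM A HONEYPOT"}, "current_form"=>"wdtk-volunteer"}
  alaveteli-app-1  | Filter chain halted as :catch_spam rendered or redirected
  alaveteli-app-1  |   Parameters: {"contact"=>{"name"=>"baz", "email"=>"baz@example.com", "comment"=>""}, "current_form"=>"wdtk-volunteer"}
  alaveteli-app-1  |   Parameters: {"contact"=>{"name"=>"q", "email"=>"q@example.com", "comment"=>"x"}, "current_form"=>"wdtk-general"}
LOG

if __FILE__ == $PROGRAM_NAME
  p triage_log(SAMPLE_LOG) # => {:caught=>1, :bypassed=>1}
end
```

Run it against the real `production.log` by replacing `SAMPLE_LOG` with `File.foreach(path)`; a non-zero `bypassed` count confirms spam is arriving with the honeypot untouched.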

garethrees commented 1 year ago

I think we can consider this mostly fixed by https://github.com/mysociety/whatdotheyknow-theme/pull/1577.