onOffice-Web-Org / oo-wp-plugin

onOffice for WP-Websites
https://wp-plugin.onoffice.com
GNU General Public License v3.0

Honeypot #446

Closed jmaas-onoffice closed 1 year ago

jmaas-onoffice commented 1 year ago

Discussed in https://github.com/onOffice-Web-Org/oo-wp-plugin/discussions/436

Originally posted by **jmaas-onoffice** February 1, 2023

> Time-tracking ticket: T#3492809
>
> ## Customers receive spam
>
> Recently, customers have been increasingly complaining about spam from our forms. It appears that much of that spam comes from simple bots, not dedicated attacks. As a first countermeasure we want to add honeypots, because they are the easiest to implement, do not annoy the users and might catch simple spam bots already. Later, we will improve our support for more advanced spam countermeasures like third-party captchas.
>
> ## Add a honeypot to all forms
>
> There are many different variations. We want to achieve the following:
>
> - Focus on simple bots, not too complex. If we can reduce spam with a simple honeypot, that would be preferable. If not, we can try to increase the complexity and difficulty for bots bit by bit.
> - Be hidden with `display: none` from a CSS file, not inline CSS. This makes it more difficult for bots, because they have to load the CSS to detect that the field is not shown.
> - The `name` of the field should be something like `name="message"`, so that bots are encouraged to fill it out. The real message field needs to be renamed to something else, like `name="tmpField"`, and the backend needs to know that the real message is in that renamed field.
> - The honeypot should have an authentic label like "Message:". We will rely on the `display: none` to hide it from all users, including screen readers.
>
> When the form is submitted, the plugin needs to check on the server side if this field has any content. If it is empty, it is a real user. If it has content, it was filled out by a spam bot. When a spam bot was detected, nothing should be done (no emails sent, no data created in enterprise). We also want to show a success message, not an error message, so that the bots cannot try leaving out fields to figure out which is the honeypot.
>
> ## Add an option
>
> In case there are issues with the honeypot, users should have the option to disable it. We want to add a global option in onOffice > Settings.
>
> ![image](https://user-images.githubusercontent.com/90763364/216103774-39328db9-62cb-45dd-ab5f-55a7ea2a0bee.png)
>
> The option should be active by default on new and existing installations. When the checkbox is not checked, the honeypot should not appear in any form. Only if the checkbox is set, should the honeypot be added.
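The scheme laid out in the issue (a decoy field named `message` hidden by a stylesheet rule, the real message field renamed to `tmpField`, a server-side check that silently drops the submission but still shows the success text, and a global on/off option) can be sketched as a small PHP handler. This is an added illustration written for this page, not the oo-wp-plugin's own code: the function names, the `example_honeypot_enabled` option key and the `form-message` CSS class are made up for the example, and only `get_option()` is a real WordPress call. The constructed `$_POST` samples at the bottom show a human submission and a bot submission side by side.

```php
<?php
// Illustrative honeypot handling modelled on the issue text; not the plugin's implementation.

// Hypothetical option key; defaults to enabled, as the issue asks for new and existing installs.
const HP_OPTION_NAME = 'example_honeypot_enabled';
// Decoy field carries the tempting name; the real message field gets the neutral one.
const HP_DECOY_FIELD = 'message';
const HP_REAL_MESSAGE_FIELD = 'tmpField';
// Wording shown to humans and bots alike, so a bot cannot learn which field tripped the trap.
const HP_SUCCESS_TEXT = 'Thank you, your message has been sent.';

/** Global switch from onOffice > Settings. Falls back to "on" when run outside WordPress. */
function hp_is_enabled(): bool {
    if (function_exists('get_option')) {
        return (bool) get_option(HP_OPTION_NAME, true);
    }
    return true;
}

/**
 * Render the message fields of a form.
 * The decoy is hidden by a rule in a separate stylesheet, e.g.
 *     .form-message { display: none; }
 * never by inline CSS, so a bot has to fetch and apply the stylesheet to notice it.
 * The class name deliberately does not contain the word "honeypot".
 */
function hp_render_message_fields(bool $enabled): string {
    $html = '';
    if ($enabled) {
        $html .= '<p class="form-message">'
               . '<label for="' . HP_DECOY_FIELD . '">Message:</label>'
               . '<input type="text" id="' . HP_DECOY_FIELD . '" name="' . HP_DECOY_FIELD . '">'
               . '</p>';
    }
    // The real message field is always renamed, so a form that already had a
    // field called "message" cannot collide with the decoy.
    $html .= '<p><label for="' . HP_REAL_MESSAGE_FIELD . '">Message:</label>'
           . '<textarea id="' . HP_REAL_MESSAGE_FIELD . '" name="' . HP_REAL_MESSAGE_FIELD . '"></textarea></p>';
    return $html;
}

/**
 * Server-side check. Returns the message to display plus whether the submission
 * was classified as spam. On spam the caller must do nothing else: no email, no
 * record in enterprise. The displayed text is identical in both cases.
 */
function hp_process_submission(array $post, bool $enabled): array {
    $decoy = isset($post[HP_DECOY_FIELD]) ? trim((string) $post[HP_DECOY_FIELD]) : '';
    if ($enabled && $decoy !== '') {
        return ['spam' => true, 'message' => null, 'display' => HP_SUCCESS_TEXT];
    }
    $body = isset($post[HP_REAL_MESSAGE_FIELD]) ? trim((string) $post[HP_REAL_MESSAGE_FIELD]) : '';
    return ['spam' => false, 'message' => $body, 'display' => HP_SUCCESS_TEXT];
}

// Constructed sample submissions (not real traffic).
$human = ['tmpField' => 'Is the flat on Main Street still available?'];
$bot   = ['tmpField' => 'Buy now!', 'message' => 'Buy now!'];

$enabled = hp_is_enabled();
echo hp_render_message_fields($enabled), PHP_EOL;

foreach (['human' => $human, 'bot' => $bot] as $label => $post) {
    $result = hp_process_submission($post, $enabled);
    // Only the non-spam branch would go on to send mail / create the contact.
    printf("%s: spam=%s display=\"%s\"%s", $label, $result['spam'] ? 'yes' : 'no',
        $result['display'], PHP_EOL);
}
```

With the option disabled, `hp_render_message_fields(false)` omits the decoy entirely and `hp_process_submission()` never looks at it, which matches the requirement that an unchecked setting removes the honeypot from every form rather than merely ignoring its value.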
dai-eastgate commented 1 year ago

@jmaas-onoffice I added a honeypot to all forms; you can watch the video and give me feedback.

https://files.fm/u/85xmh99gh

dai-eastgate commented 1 year ago

@jmaas-onoffice I have added honeypot to all forms, but I find adding honeypot to application search form doesn't help at all because this form doesn't create new contact nor send email.

jmaas-onoffice commented 1 year ago

@dai-eastgate Correct, application search form does not need it. 👍

I'll have a look at the video soon, thanks!

jmaas-onoffice commented 1 year ago

@dai-eastgate I tried out the PR and it works pretty well, thanks! I have a few suggestions:

  1. Could we change the setting's description and add a disclaimer like this: [image]
  2. When I activate the honeypot and have a message field, it seems to break: [image]
  3. The class to hide the honeypot fields contains the word "honeypot". We should make it a bit more difficult for the bots and name it for example "message". [image]

dai-eastgate commented 1 year ago

yes, I will fix it now

dai-eastgate commented 1 year ago

@jmaas-onoffice I have edited it according to your suggestions. You can watch the video below and give me feedback. https://files.fm/u/r5ew9j6dz

jmaas-onoffice commented 1 year ago

Looks good, thanks!

jmaas-onoffice commented 1 year ago

Linked PR was merged.