Closed BethanOFN closed 10 months ago
I had a look at mosparo, and found it hard to understand the benefits. It appears to be a separate system to manage, and doesn't have a Ruby plugin so I think would require building a custom integration. So not an option.
I found some other alternatives: hCaptcha and Cloudflare's Turnstile. Like reCAPTCHA, they're free but with some restrictions, notably:
Free up to 1 million Assessments / Month*
Another very simple method is called "Honeypot". But that has potential downsides (https://wpmailsmtp.com/anti-spam-honeypot-alternatives). As it's an old method, I'm assuming it's not worth it.
So yeah, Google reCAPTCHA is probably the choice. There's 3 versions (v2, v3 and Enterprise). They all require a Google account, and generation of a site-specific key, so I think that we'd need to create an instance config option. It could be an option under admin/general_settings/edit, or just an environment variable on the server.
Enterprise requires a Google Cloud account, but v2 and v3 might be slightly easier to set up, with a "classic" key (https://www.google.com/recaptcha/admin/create). So I'm tempted to suggest v3 because it seems easier, but it would be good to get a second opinion.
As far as dev effort goes, it looks easy, with a little bit of javascript and HTML added, plus a simple text field config option.
We have free Google accounts and can go for the Enterprise version. I would also opt for adding the key as env variable.
I'm sorry, I don't think Google can be an option :( It's very hard to communicate this choice to users (like no one understands why the map is on Gmaps, for example) and for EU instances it would have an impact on our privacy policy as reCAPTCHA is fetching data while you browse the website. The French GDPR authority ruled against reCAPTCHA last year: https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000047346903?isSuggest=true
And it looks like hCaptcha is doing the same :face_with_head_bandage: EDIT: actually I went down a rabbit hole, I'm not sure I found a reliable source of truth regarding data privacy and hCaptcha.
On WordPress I'm using Icon-captcha, I don't know if it's usable in Ruby or if there are equivalents?
There are a few rails options in the toolbox
Surprise, surprise... the top one is reCAPTCHA, but the Humanizer might be enough, for now? :shrug:
The only public ruby repo on github in the captcha-alternative category is this one.
Also seen some people recommending Invisible Captcha, which adds an invisible field to your forms that bots fill in and hence are filtered out. May have accessibility implications. :confounded:
Wondering if we have any idea of the size of this :question:
I think that we should try this first. I've always implemented my own hacky invisible honeypot captcha in the past and found that effective. One of my learnings was to respond with 200 success when a bot is detected so that they don't try again and the mentioned gem is doing the same. So they got some experience.
I also like that the real user won't notice and it's not affecting privacy at all.
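As an added illustration of the invisible-honeypot approach discussed in the two comments above (the hidden field bots fill in, and answering detected bots with a 200 so they don't retry), in plain Ruby. This is not code from the thread, from OFN or from the invisible_captcha gem; the field name `website_url` and the `create_account` callback are assumptions for the example.

```ruby
# Added example, not OFN or invisible_captcha code. The field name and the
# create_account callback are assumptions for illustration.
module HoneypotSignup
  FIELD = 'website_url'.freeze # assumed name; a field a form-filling bot is likely to populate

  # Renders the invisible field. CSS moves it off-screen for sighted users and
  # aria-hidden/tabindex keep it out of screen readers and the tab order, which
  # limits the accessibility impact raised in the thread. autocomplete="off"
  # stops browsers pre-filling it for real users.
  def self.field_html
    %(<div style="position:absolute;left:-9999px" aria-hidden="true">) +
      %(<label for="#{FIELD}">Leave this field empty</label>) +
      %(<input type="text" id="#{FIELD}" name="#{FIELD}" tabindex="-1" autocomplete="off">) +
      %(</div>)
  end

  # A real browser submits the field empty (or not at all); a bot that fills
  # every input trips it.
  def self.bot?(params)
    !params.fetch(FIELD, '').to_s.strip.empty?
  end

  # Returns [http_status, body, outcome]. Bots get the same 200 "check your
  # email" page as humans so they do not retry, but no account is created and
  # no confirmation mail goes out. Counting :bot outcomes in the logs gives a
  # measure of how big the problem is.
  def self.handle(params, create_account:)
    body = { notice: 'Check your email to confirm your account.' }
    if bot?(params)
      [200, body, :bot]
    else
      create_account.call(params['email'], params['password'])
      [200, body, :created]
    end
  end
end
```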
Thanks everyone! I've created https://github.com/openfoodfoundation/openfoodnetwork/issues/12045 for the main repository (given we had quite a discussion here I chose to keep this wishlist unedited and not to transfer it).
Closing here, we can reopen if needed.
What is the need / problem?
In the UK we are seeing a decrease in our email sender reputation seemingly due to increased spam reports. This appears to be spam bots creating accounts, which the recipient/'victim' then reports as spam when they receive the 'confirm your account' email.
Which type of users does this problem affect (and how many, if known)?
All users as our email reputation is affected. Also putting off potential users who are the victims of spam account creation.
Potential solutions that will solve the problem?
Add anti-spam protection to the sign-up modal. The obvious but flawed option is reCAPTCHA. There is an OSS alternative called mosparo however this requires 'rules' to be set to detect spam, and as we only have two fields (email & password) this doesn't seem workable. Interested to hear others' opinions and suggestions for alternatives.
Connected wishlist and discovery discussions
Additional context
As the OFN platform grows this will only become more of an issue. I've had a search on github but I can't find any previous discussions on this