Honeypot #436
Customers receive spam
Recently, customers have been increasingly complaining about spam from our forms. It appears that much of that spam comes from simple bots, not dedicated attacks.
As a first countermeasure we want to add honeypots, because they are the easiest to implement, do not annoy the users and might catch simple spam bots already. Later, we will improve our support for more advanced spam countermeasures like third-party captchas.
Add a honeypot to all forms
There are many different variations. We want to achieve the following:
- display: none from a CSS file, not inline CSS. This makes it more difficult for bots, because they have to load the CSS to detect that the field is not shown.
- name of the field should be something like name="message", so that bots are encouraged to fill it out. The real message field needs to be renamed to something else, like name="tmpField", and the backend needs to know that the real message is in that renamed field.
- display: none to hide it from all users, including screen readers.

When the form is submitted, the plugin needs to check on the server side if this field has any content. If it is empty, it is a real user. If it has content, it was filled out by a spam bot.
When a spam bot was detected, nothing should be done (no emails sent, no data created in enterprise). We also want to show a success message, not an error message, so that the bots cannot try leaving out fields to figure out which is the honeypot.
Add an option
In case there are issues with the honeypot, users should have the option to disable it.
We want to add a global option in onOffice > Settings.
The option should be active by default on new and existing installations.
When the checkbox is not checked, the honeypot should not appear in any form. Only if the checkbox is set, should the honeypot be added.
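
A sketch of the server-side check described in the post, as an added example that is not the plugin's own code. Python is used only for illustration; `Backend`, `handle_submission` and the response shape are hypothetical, while the field names `message` and `tmpField` come from the post.

```python
from dataclasses import dataclass, field

HONEYPOT_FIELD = "message"       # decoy name from the post, hidden via the CSS file
REAL_MESSAGE_FIELD = "tmpField"  # renamed real message field from the post
SUCCESS_RESPONSE = {"status": "success"}  # constructed response shape (assumption)


@dataclass
class Backend:
    """Hypothetical stand-in for the side effects: emails and created records."""
    sent_emails: list = field(default_factory=list)
    created_records: list = field(default_factory=list)

    def process(self, data: dict) -> None:
        self.sent_emails.append(data)
        self.created_records.append(data)


def handle_submission(form: dict, backend: Backend, honeypot_enabled: bool = True) -> dict:
    """Return the client response; only real submissions reach the backend."""
    data = dict(form)
    if honeypot_enabled:
        # Any content in the decoy field marks the submission as a bot.
        if data.get(HONEYPOT_FIELD):
            # Same success response as for a real user, but no side effects.
            return dict(SUCCESS_RESPONSE)
        # Real user: drop the empty decoy and map the renamed field back.
        data.pop(HONEYPOT_FIELD, None)
        data["message"] = data.pop(REAL_MESSAGE_FIELD, "")
    # With the option disabled the form has no decoy and "message" is the real field.
    backend.process(data)
    return dict(SUCCESS_RESPONSE)


if __name__ == "__main__":
    backend = Backend()
    # Constructed sample submissions.
    human = {"email": "a@example.com", "message": "", "tmpField": "Please call me."}
    bot = {"email": "b@example.com", "message": "buy now", "tmpField": "buy now"}
    print(handle_submission(human, backend), handle_submission(bot, backend))
    print(backend.sent_emails)  # only the human submission, with "message" restored
```
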