item 42617805

andershaig | 1 year ago

@Oia20 One challenge with form -> email solutions is staying ahead of spam. I've been deep in this space with Kwes Forms [1] and have seen some pretty insane rates of spam usage. If you ever want to chat about some of the techniques I've used for prevention (everything from intelligent rate limiting to now a user scoring service that updates based on data about the user and following actions they take which autobans if they hit a score threshold).

With the self-hosted service, I guess that's up to the hoster but likely something you'll run into on your hosted version.

[1] https://kwesforms.com

j45 | 1 year ago

That would be a nice blog post to read - not because it's proprietary, but dealing with spam traffic is so common.

Sometimes rate limiting individual sessions, and IPs, and combinations of them, and even using fingerprinting on suspected sessions of certain kinds... to discover in some cases that a lot of small walls can sometimes cause some automated bots to move on.

andershaig | 1 year ago

Absolutely. I was surprised both in the scale of spam attempts in certain scenarios and how quickly it died with different mitigation measures. It's a challenging thing to blog about because some of the heuristics can be fixed. To be super vague, when you have a certain amount of data about a user, if metadata A should be correlated to metadata B and it isn't, that bumps the score. It's not enough on its own if there are legitimate reasons it doesn't have to be correlated.

I'm always happy to chat through some of the details individually.
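The mechanism andershaig describes above (rate limiting on several keys, a per-user score that is bumped by signals such as two pieces of metadata that should correlate but don't, and an automatic ban once the score crosses a threshold) sketched as an added Python example. This is not Kwes Forms' code: the weights, window, threshold, field names and the locale-to-timezone correlation table are all constructed for illustration.

```python
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed parameters for the example; the real thresholds and weights of
# any production scoring service are not on the page.
RATE_WINDOW_SEC = 60   # sliding window for the rate-limit signal
RATE_LIMIT = 5         # submissions per window per key before the signal fires
BAN_THRESHOLD = 10     # cumulative score at which a user is auto-banned

# Hypothetical correlation table (made up for the example): a declared UI
# locale is expected to come with a timezone in one of these regions.
EXPECTED_TZ_PREFIX = {
    "en-US": ("America/",),
    "de-DE": ("Europe/",),
    "ja-JP": ("Asia/",),
}


@dataclass
class Submission:
    ip: str
    session: str
    locale: str      # e.g. from Accept-Language or a form field
    timezone: str    # e.g. reported by the browser
    ts: float


@dataclass
class Scorer:
    window: int = RATE_WINDOW_SEC
    limit: int = RATE_LIMIT
    threshold: int = BAN_THRESHOLD
    hits: dict = field(default_factory=lambda: defaultdict(deque))
    scores: dict = field(default_factory=lambda: defaultdict(int))
    banned: set = field(default_factory=set)

    def _over_rate(self, key, now):
        """Sliding-window counter: record this hit, drop hits older than the
        window, and report whether the key is now over its limit."""
        q = self.hits[key]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q) > self.limit

    def score(self, s):
        """Update the cumulative score for s.session; return (score, reasons)."""
        if s.session in self.banned or s.ip in self.banned:
            return self.threshold, ["banned"]
        delta, reasons = 0, []
        # Rate limiting on several keys at once: session, IP, and the pair.
        for key in (("session", s.session), ("ip", s.ip), ("pair", s.ip, s.session)):
            if self._over_rate(key, s.ts):
                delta += 3
                reasons.append("rate:" + key[0])
        # Correlation signal: metadata A (locale) should go with metadata B
        # (timezone). A mismatch bumps the score but is not enough on its own.
        expected = EXPECTED_TZ_PREFIX.get(s.locale)
        if expected and not s.timezone.startswith(expected):
            delta += 4
            reasons.append("locale/timezone mismatch")
        self.scores[s.session] += delta
        total = self.scores[s.session]
        if total >= self.threshold:
            self.banned.update({s.session, s.ip})
            reasons.append("autoban")
        return total, reasons

    def allow(self, s):
        """True if the submission should be delivered, plus the reasons to log."""
        total, reasons = self.score(s)
        return total < self.threshold, reasons


if __name__ == "__main__":
    sc = Scorer()
    base = time.time()
    # One mismatching submission is allowed; a burst from the same session is not.
    print(sc.allow(Submission("203.0.113.5", "s1", "en-US", "Asia/Tokyo", base)))
    for i in range(1, 7):
        print(sc.allow(Submission("203.0.113.5", "s1", "en-US", "America/New_York", base + i)))
```

The point of keeping the score cumulative per session is that a single weak signal (the mismatch alone scores 4 here, under the threshold) never bans anyone, while a user who keeps tripping weak signals with later actions eventually does; in practice the counters and bans would live in a shared store rather than in-process dicts.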

rendx | 1 year ago

What has been working surprisingly well for the sites I maintain is to have a simple but custom "captcha" like "Enter 294 here:" (it can even be static), and to exclude the pages that have submission forms from search engine indexing.

chrismorgan | 1 year ago

It may not even need to be a positive action.

I had a form that got about one spam message per day. In late 2021, I added a trivial hidden-by-CSS “If you are human, leave this field blank (required)” <input name=username> honeypot. (More details: <https://news.ycombinator.com/item?id=37058847>.)

For two and a half years, this filtered out all spam, except for one message in early 2023.

But I started this comment with “may not” because since 2024-02-10, I’ve received approximately 268 spam messages, of a few different patterns (still all very easy to identify visually). So some refinement of the idea may be needed. (I have no idea how many more have been filtered out; I never bothered tracking that. But I imagine that it’s still doing something useful.)

This is, of course, low-value-target stuff, scattergun spam rather than targeted spam.
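The two cheap defences in this thread, rendx's static "Enter 294 here:" question with the form page kept out of search indexes and chrismorgan's CSS-hidden `username` honeypot that must stay blank, combined in one server-side check as an added Python example (not code from either commenter). It also adds a signed render timestamp so that a submission arriving faster than a human could type, or carrying a forged or very old token, is rejected; that check is one possible "refinement of the idea" and is not something the thread proposes. The field name `check`, the secret, the time limits and the sample submissions are all constructed for the example.

```python
import hashlib
import hmac
import html
from dataclasses import dataclass

HONEYPOT_FIELD = "username"   # the field name used in the honeypot described above
CAPTCHA_FIELD = "check"       # hypothetical name for the static-question field
CAPTCHA_ANSWER = "294"        # static answer, as in "Enter 294 here:"
MIN_FILL_SECONDS = 3          # added heuristic: faster than a human can fill the form
MAX_FORM_AGE = 24 * 3600      # added heuristic: reject very old render tokens
SECRET = b"constructed-secret-rotate-me"  # example only; load from config in real use


def issue_token(now):
    """Timestamp of when the form was rendered, HMAC-signed so a bot cannot
    simply post an old or made-up value."""
    ts = str(int(now))
    sig = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{sig}"


def token_age(token, now):
    """Seconds since the token was issued, or None if it is missing or forged."""
    ts, _, sig = token.partition(".")
    if not ts.isdigit():
        return None
    expected = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return int(now) - int(ts)


def render_form(now, action="/contact"):
    """Markup with a noindex hint, a CSS-hidden honeypot that must stay blank,
    the static question, and the signed render timestamp."""
    return f"""<!doctype html>
<meta name="robots" content="noindex">
<style>.hp {{ position: absolute; left: -9999px; }}</style>
<form method="post" action="{html.escape(action)}">
  <label>Email <input name="email" type="email" required></label>
  <label>Message <textarea name="message" required></textarea></label>
  <label class="hp">If you are human, leave this field blank (required)
    <input name="{HONEYPOT_FIELD}" autocomplete="off" tabindex="-1"></label>
  <label>Enter {CAPTCHA_ANSWER} here: <input name="{CAPTCHA_FIELD}" required></label>
  <input type="hidden" name="rendered_at" value="{issue_token(now)}">
  <button>Send</button>
</form>"""


@dataclass
class Verdict:
    ok: bool
    reasons: list


def classify(fields, now):
    """Run every check and collect all reasons rather than stopping at the
    first, so the log shows which pattern a spam wave is using."""
    reasons = []
    if fields.get(HONEYPOT_FIELD, "").strip():
        reasons.append("honeypot filled")
    if fields.get(CAPTCHA_FIELD, "").strip() != CAPTCHA_ANSWER:
        reasons.append("static question wrong")
    age = token_age(fields.get("rendered_at", ""), now)
    if age is None:
        reasons.append("missing or forged form token")
    elif age < MIN_FILL_SECONDS:
        reasons.append(f"submitted {age}s after render")
    elif age > MAX_FORM_AGE:
        reasons.append("stale form token")
    return Verdict(not reasons, reasons)


if __name__ == "__main__":
    tok = issue_token(1000)
    # Constructed submissions: a human one and one from a bot that fills every field.
    print(classify({"username": "", "check": "294", "rendered_at": tok}, 1010))
    print(classify({"username": "http://example.invalid", "check": "", "rendered_at": tok}, 1001))
```

Returning all failed reasons together, rather than the first, is what lets you see when a wave of bots has started leaving the honeypot blank but still failing the question or the timing, which is the kind of pattern shift chrismorgan reports.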