Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add mechanisms to reduce registration spam #15276

Merged
merged 6 commits into from
Dec 10, 2020
Merged

Add mechanisms to reduce registration spam #15276

merged 6 commits into from
Dec 10, 2020

Conversation

ClearlyClaire
Copy link
Contributor

This PR introduces several techniques to limit registration spam:

  • Honeypot fields which, when filled, automatically reject applications.
    To avoid legitimate users filling them in, they have distinctive labels/placeholders, have a display: hidden style, and are cleared via javascript on form submission.
  • Submissions happening less than 3 seconds after the form was initially displayed are automatically rejected.

Those techniques have not been widely tested on Mastodon instances yet, so neither their efficiency or their downsides have been fully tested yet, but I expect it to significantly cut down on generic spam bots (which seem to be very prevalent on instances with approval-based registrations, because of the textarea).

Note that rejecting registration attempts is important for two reasons:

  • lowering the workload on admins, especially when approval-based registrations are in effect
  • lowering the mail of confirmation emails sent, especially during large spam waves

@ClearlyClaire ClearlyClaire force-pushed the features/registration-spam branch from ffa5e55 to 4a7b05c Compare December 5, 2020 20:57
@ClearlyClaire ClearlyClaire marked this pull request as ready for review December 7, 2020 12:52
@ClearlyClaire
Copy link
Contributor Author

For now, those counter-measures seem to have worked very well. Time will tell whether those where generic spam bots or Mastodon-specific ones that could easily adapt to the new countermeasures, though.

Gargron
Gargron reviewed Dec 7, 2020
View reviewed changes
app/javascript/packs/public.js

// Empty the honeypot fields in JS in case something like an extension
// automatically filled them.
delegate(document, '#registration_new_user,#new_user', 'submit', () => {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this not going to help bots that execute JS, i.e. headless Chrome?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It probably is… I don't know how prevalent those are.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suspect those that execute JS would ignore fields with display: none anyway

@ClearlyClaire
Add honeypot fields to limit non-specialized spam
8a2797a 
Add two honeypot fields: a fake website input and a fake password confirmation
one. The label/placeholder/aria-label tells not to fill them, and they are
hidden in CSS, so legitimate users should not fall into these.

This should cut down on some non-Mastodon-specific spambots.
@ClearlyClaire
Require a 3 seconds delay before submitting the registration form
6da63a3
@ClearlyClaire
Fix tests
d23f90a
@ClearlyClaire ClearlyClaire force-pushed the features/registration-spam branch 2 times, most recently from cf8dbe3 to 9de3e77 Compare December 9, 2020 23:17
@ClearlyClaire ClearlyClaire force-pushed the features/registration-spam branch from 9de3e77 to 2a0eacf Compare December 9, 2020 23:40
@ClearlyClaire ClearlyClaire force-pushed the features/registration-spam branch from 6df31c7 to 3f689ca Compare December 10, 2020 00:36
Gargron
Gargron reviewed Dec 10, 2020
View reviewed changes
app/views/about/_registration.html.haml
@@ -10,6 +10,9 @@
= f.input :password, placeholder: t('simple_form.labels.defaults.password'), required: true, input_html: { 'aria-label' => t('simple_form.labels.defaults.password'), :autocomplete => 'off', :minlength => User.password_length.first, :maxlength => User.password_length.last }, hint: false, disabled: closed_registrations?
= f.input :password_confirmation, placeholder: t('simple_form.labels.defaults.confirm_password'), required: true, input_html: { 'aria-label' => t('simple_form.labels.defaults.confirm_password'), :autocomplete => 'off' }, hint: false, disabled: closed_registrations?

= f.input :confirm_password, as: :string, placeholder: t('simple_form.labels.defaults.honeypot', label: t('simple_form.labels.defaults.password')), required: false, input_html: { 'aria-label' => t('simple_form.labels.defaults.honeypot', label: t('simple_form.labels.defaults.password')), :autocomplete => 'off' }, hint: false, disabled: closed_registrations?
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there any point localizing the "Password" intended to catch bots?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not really I guess, but there's not really any harm either, it's not a new string

@Gargron Gargron merged commit 49eb4d4 into mastodon:master Dec 10, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Gargron Gargron Gargron approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ClearlyClaire @Gargron