Registration spam: validate fullname?

One of my Plone sites (5.1.5) is getting a lot (low thousands in 4 days) of spam registrations, done by adding a link and short amount of text to the fullname registration field, which results in an email to the posted address.
I am guessing that a validation which forbade 'http' in the fullname field would fix the problem, given that there appear to be issues with implementing reCaptcha2 in Plone 5, and that we have legit users in China who report problems with captchas.
If this is a bad idea, why?
If it seems sensible, how to implement it?

There is no perfect spam protection. The most suitable approach is likely Recaptcha or HCaptcha with all known problems to privacy, accessibility or local issues as you mentioned them.

Nowadays, we use collective.easyform for all kinds of contact forms. In some cases we use a simple question with a simple validation (limited to one question and one answer). Or you could use this as additional norobots fields in easyform:

Also using a form honeypot is easy to implement and works in most cases:

But as said: no solution is perfect and there are always issues and ways to work around spam protection measures.

More sophisticated approaches might be tracking of the requesting IP address, request throttling...

For automatically adding a honeypot field to Plone forms, there is collective.honeypot. Only works on Plone 4 though (and 3, if you care about that). But there is work in progress for Plone 5 (maybe only 5.2): https://github.com/collective/collective.honeypot/pull/4

But such a honeypot seems to be a complete accessibility nightmare, right? I.e. screen readers won't get the difference.

There's always a trade-off...

Thanks for the thoughts. Sadly none of them address my problem, which I'll restate:
1: I am working with Plone 5.1.5, using email as username and sending an email on registration for confirmation.
2: I am getting a lot of registration spam which inserts a URL into the 'fullname' field so the 'confirmation' sends spam (with a link to a bad site) to whoever the bot is targeting.
My actual questions:
A: Would adding validation to 'fullname' (to reject any content that is a link) work, and if so how do I add it?
B: Is there really no way of adding reCaptcha2 (which claims a 'safe in China' mode) to Plone 5.1.5?
Many thanks
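
For question A, a sketch of what a fullname check could look like, added here as an example and not code from any poster or from Plone. It goes beyond matching the literal string 'http': it also folds full-width look-alike characters, catches `www.` and bare domains, and refuses CR/LF and markup. All names (`FullnameRejected`, `check_fullname`, `rejection_reason`), the length limit and the TLD list are hypothetical; in Plone the same logic would raise `zope.interface.Invalid` from a validator attached to the fullname field, and that wiring is assumed and not shown.

```python
import re
import unicodedata


class FullnameRejected(ValueError):
    """Stand-in for the framework's validation error (hypothetical name)."""


MAX_LEN = 100  # assumed limit, not a Plone default
# Constructed sample list; extend it from the TLDs seen in your own spam.
TLDS = "com|net|org|info|biz|ru|cn|xyz|top|io"
CHECKS = [  # (reason, pattern), evaluated in order
    ("url scheme", re.compile(r"[a-z][a-z0-9+.-]*\s*:\s*/\s*/", re.I)),
    ("www prefix", re.compile(r"\bwww\s*\.", re.I)),
    ("bare domain", re.compile(
        r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:%s)\b(?=[/:?#\s]|$)" % TLDS, re.I)),
    ("markup", re.compile(r"[<>\[\]]|&#?\w+;")),
]


def check_fullname(value):
    """Return the normalized name, or raise FullnameRejected(reason)."""
    # NFKC folds full-width look-alikes (e.g. U+FF1A, U+FF0F) to ASCII so
    # "ｈｔｔｐ：／／" is caught; U+3002 is the ideographic full stop.
    text = unicodedata.normalize("NFKC", value).replace("\u3002", ".").strip()
    if not text:
        raise FullnameRejected("empty")
    if len(text) > MAX_LEN:
        raise FullnameRejected("too long")
    # CR/LF and other control characters have no place in a name that is
    # later copied into an outgoing email.
    if any(unicodedata.category(ch) == "Cc" for ch in text):
        raise FullnameRejected("control character")
    for reason, pattern in CHECKS:
        if pattern.search(text):
            raise FullnameRejected(reason)
    return text


def rejection_reason(value):
    """Return None for an accepted name, else the reason it was refused."""
    try:
        check_fullname(value)
    except FullnameRejected as exc:
        return str(exc)
    return None
```

A filter like this only keeps links out of the confirmation email; the bot can still submit registrations without a link, so the mail to the targeted address is still sent unless the form itself is protected or throttled.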