Registration spam: validate fullname?

markbarratt · July 27, 2020, 12:57pm

One of my Plone sites (5.1.5) is getting a lot (low thousands in 4 days) of spam registrations, done by adding a link and short amount of text to the fullname registration field, which results in an email to the posted address.
I am guessing that a validation which forbade 'http' in the fullname field would fix the problem, given that there appear to be issues with implementing reCaptcha2 in Plone 5, and that we have legit users in China who report problems with captchas.
If this is a bad idea, why?
If it seems sensible, how to implement it?

zopyx · July 27, 2020, 2:36pm

There is no perfect spam protection. The most suitable approach is likely Recaptcha or HCaptcha with all known problems to privacy, accessiblity or local issues as you mentioned them.

Nowadays, we use collective.easyform for all kind of contact forms. In some case we use a simple question with a simple validation (limited to one question and one answer). Or you could use this as additional norobots fields in easyform:

Also using a form honeypot is easy to implement and works in most cases:

But as said: no solution is perfect and there are always issues and ways to work spam protection measures.

More sophisticated approaches might tracking of requesting IP address, request throttling...

mauritsvanrees · July 27, 2020, 8:37pm

For automatically adding a honeypot field to Plone forms, there is collective.honeypot. Only works on Plone 4 though (and 3, if you care about that). But there is work in progress for Plone 5 (maybe only 5.2): https://github.com/collective/collective.honeypot/pull/4

jensens · July 28, 2020, 10:39am

But such a honeypot seems to be a complete accessibility nightmare, right? I.e. screen reader wont get the difference.

zopyx · July 28, 2020, 11:11am

There's always a trade-off...

markbarratt · July 28, 2020, 11:30am

Thanks for the thoughts. Sadly none of them address my problem, which I'll restate:
1: I am working with Plone 5.1.5, using email as username and sending an email on registration for confirmation.
2: I am getting a lot of registration spam which inserts a URL into the 'fullname' field so the 'confirmation' sends spam (with a link to a bad site) to whoever the bot is targeting.
My actual questions:
A: Would adding validation to 'fullname' (to reject any content that is a link) work, and if so how do I add it?
B: Is there really no way of adding reCaptcha2 (which claims a 'safe in China' mode) to Plone 5.1.5?
Many thanks