consider additional security for forms on www.ietf.org #52
Comments
Ask contractor to add reCAPTCHA to the base form so that it can be optionally used in any form

Any measures should be aligned with https://www.ietf.org/privacy-statement/ and https://www.ietf.org/policies/web-analytics/ particularly with regard to sharing data with third parties and reliance on JavaScript. E.g. JavaScript may not be required for critical website functions.

Note that captcha-style techniques can also have accessibility issues, as 'proving you're human' can be onerous to some users. Would antispam tech (e.g. https://akismet.com/ ) also be an appropriate solution to this?

Parking this issue for now, until we find a solution that satisfies privacy concerns and accessibility requirements.

How about a honeypot field in the form? The field would be invisible to the user, but an automated spambot would typically feel obliged to fill all available form fields. The server would then check if the field is filled and silently drop the submission. It's a simple, privacy- and accessibility-friendly solution. I've found this SO thread with some ideas to tweak the implementation to make it more effective.

Works for me!

We can also put rate limits on the forms at Cloudflare when we bring the forms back (so that a single IP would get throttled if it attempted to submit many forms)
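
The honeypot check suggested in the comments above, as an added example that is not part of the thread or the project's code: a decoy input hidden by CSS (no JavaScript, kept out of the tab order and hidden from screen readers) and a server-side check that drops filled submissions while returning the normal response. The field name `website`, the function names and the sample POST bodies are assumptions made for illustration.

```python
from html import escape
from urllib.parse import parse_qs

HONEYPOT_FIELD = "website"  # assumed decoy name; must not clash with a real field
THANKS = "Thank you for your message."

def render_form(action: str) -> str:
    """Form HTML with a decoy input hidden by CSS; works without JavaScript."""
    return f"""<form method="post" action="{escape(action, quote=True)}">
  <label>Name <input name="name" required></label>
  <label>Message <textarea name="message" required></textarea></label>
  <div style="position:absolute;left:-9999px" aria-hidden="true">
    <label>Leave this field empty
      <input name="{HONEYPOT_FIELD}" tabindex="-1" autocomplete="off">
    </label>
  </div>
  <button type="submit">Send</button>
</form>"""

def is_bot_submission(body: str) -> bool:
    """True when the decoy field carries any non-whitespace value."""
    fields = parse_qs(body, keep_blank_values=True)
    return any(value.strip() for value in fields.get(HONEYPOT_FIELD, []))

def handle_post(body: str, deliver) -> tuple[int, str]:
    """Handle a urlencoded POST body; deliver() is the real send-mail hook."""
    if is_bot_submission(body):
        # Silent drop: identical response to success, so the bot gets no signal.
        return 200, THANKS
    fields = parse_qs(body, keep_blank_values=True)
    # Strip the decoy before the submission is passed on.
    deliver({k: v[0] for k, v in fields.items() if k != HONEYPOT_FIELD})
    return 200, THANKS

if __name__ == "__main__":
    delivered = []
    # Constructed sample bodies: a browser sends the decoy empty, a bot fills it.
    human = "name=Alice&message=Hello&website="
    bot = "name=x&message=y&website=http%3A%2F%2Fspam.example"
    print(handle_post(human, delivered.append), handle_post(bot, delivered.append))
    print(delivered)
```

The decoy is a normal text input moved off-screen rather than `type="hidden"`, since the approach relies on the bot treating it as an ordinary field to fill.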
Web forms on www.ietf.org currently do not have any mitigation against automated submissions.
Some amount of "spam form" is currently received.
Current published form pages (and submission emails) are:
https://www.ietf.org/forms/wg-webex-account-request/ ([email protected])
https://www.ietf.org/contact/contact-form/ ([email protected])
https://www.ietf.org/forms/keyword-suggestions/ ([email protected])
Additional information about the volume of spam is needed to understand the urgency of the current situation, but some systemic approach to mitigating form spam should be considered.