Fighting spam on OpenMRS ID

I thought I’d launch a non-urgent topic to discuss ways to improve spam protection. Today I ran across a comment that made me think a bit about how we do e-mail validation:

It might be worth considering improvements here in addition to our blacklists and other techniques. Please discuss or add other anti-spam ideas to this topic!

Ahhhhh… But it seems there is no other way to verify the emails. And the verification of emails, I think, is mainly used to ensure users are using their own emails, not to detect spam.

Anti-bot work should be done during the ‘signup form filling’ process. The current field hashing approach and captcha are good enough to detect simple bots. Of course, we can still improve that, but it seems the current mechanism is working fine; I’m not worried about this.

I think a problem is that it’s not always automated bots that are causing spam registrations, but actual humans.

Some new ideas and improvements in Discourse in later posts:

For example, some maybe interesting ideas for us (long term):

  • JavaScript-based checks on the confirmation page to make sure it’s a real browser and not a script. Make sure the clicks don’t come too fast on the page and maybe ask for some confirmation details.
  • Checking for “too similar” e-mail addresses (a few characters different only) to prevent incremented email addresses.
  • Maybe disallow multiple signups from the same IP address for some amount of time.

Do we have any email domain blacklist that can be edited? It would be nice to prohibit new accounts (or any email address) from an address that matches domain names on the blacklist.
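
A sketch of two of the ideas raised in this thread, the "too similar" e-mail check and an editable domain blacklist, as an added example that is not OpenMRS ID code and not from any poster. The function names, the sample domains and the thresholds (edit distance 2, minimum lengths) are assumptions chosen for illustration.

```javascript
// Constructed sample blocklist; a real deployment would load an editable list.
const BLOCKED_DOMAINS = new Set(['spam.example', 'junk.example']);

// Lower-case the address and drop any "+tag" so a+1@x and a+2@x compare equal.
function parseEmail(email) {
  const at = email.lastIndexOf('@');
  if (at < 1 || at === email.length - 1) return null;
  return {
    local: email.slice(0, at).toLowerCase().split('+')[0],
    domain: email.slice(at + 1).toLowerCase().replace(/\.$/, ''),
  };
}

// A domain is blocked if it, or any parent domain above the TLD, is listed.
function isBlockedDomain(domain) {
  const labels = domain.split('.');
  return labels.slice(0, -1).some((_, i) => BLOCKED_DOMAINS.has(labels.slice(i).join('.')));
}

// Levenshtein distance using two rows of the DP table.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const subst = prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1);
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, subst);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Returns null when the signup looks fine, otherwise a reason string.
// recentEmails: addresses registered recently (how far back is a policy choice).
function checkSignup(email, recentEmails, maxDistance = 2) {
  const cand = parseEmail(email);
  if (!cand) return 'invalid';
  if (isBlockedDomain(cand.domain)) return 'blocked-domain';
  const stem = (s) => s.replace(/\d+/g, ''); // bob1, bob2, bob37 -> bob
  for (const other of recentEmails) {
    const o = parseEmail(other);
    if (!o || o.domain !== cand.domain) continue;
    // Same digit-stripped stem catches incremented addresses; short stems are skipped.
    const sameStem = stem(cand.local).length >= 3 && stem(cand.local) === stem(o.local);
    // Edit distance only on longer names, where a 2-character difference is unusual.
    const close = Math.min(cand.local.length, o.local.length) >= 6 &&
      editDistance(cand.local, o.local) <= maxDistance;
    if (sameStem || close) return 'similar-to:' + other;
  }
  return null;
}
```

A hit is better treated as a signal to queue the account for review than as an automatic rejection, since colleagues at one organisation often have legitimately similar addresses.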