Rate limiting and spam prevention


#1

Hey guys,

I have a site that allows guest users (not logged in) to post to the site. I’d like your opinions on creative ways to handle spam prevention and rate limiting. I already plan on using the reCAPTCHA package to make sure people are human, but I’d like to know a way to prevent a trolling user from posting 100 times.

I found this DDPRateLimiter package on the Meteor Github page and I think it might be able to do the trick. I could possibly set the limit for this particular method to be something like 10 minutes or even an hour. Does this sound reasonable? Has anyone dealt with this before?


#2

If you just want to throttle postings by any user to every 10 minutes, why not just have a lastPostedTime and check against that every time a user posts?


#3

+1 for this.

@csauer your requirement is not rate limiting, but rather a policy enforcement case. Your policy being that anonymous users may not post twice within a given time interval, or something similar.

But, the problem lies with identifying the individual anonymous posters.

You can use a combination of one or more of:

  • connection id
  • ip address
  • a token in localstorage
  • a cookie

I guess https://atmospherejs.com/artwells/accounts-guest can help you with that to some extent.

PS: Having thought it through while writing this reply, come to think of it, yeah, rate limiting might as well work out fine :smile:
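As an added example that is not part of this thread, here is a plain Node.js version of the lastPostedTime policy from #2, keyed by the identity signals listed in #3. It assumes the caller extracts a token, cookie, IP and connection id from its own request handling, and uses the 10-minute window floated in #1.

```javascript
// Added example, not code from the thread: a guest-post throttle that enforces
// "no second post within the window" with the lastPostedTime idea from #2,
// keyed by the identity signals listed in #3. Plain Node, no Meteor needed.

const WINDOW_MS = 10 * 60 * 1000; // ten minutes, the interval floated in #1

// Every available signal becomes its own key, so clearing one signal (e.g. the
// cookie) while keeping another (the IP) still hits the throttle.
// Assumption: the caller pulls these values from its own request/connection.
function posterKeys({ token, cookie, ip, connectionId }) {
  const keys = [];
  if (token) keys.push('tok:' + token);
  if (cookie) keys.push('ck:' + cookie);
  if (ip) keys.push('ip:' + ip);
  if (connectionId) keys.push('conn:' + connectionId);
  if (keys.length === 0) throw new Error('no identity signal for guest');
  return keys;
}

class PostThrottle {
  constructor({ windowMs = WINDOW_MS, now = Date.now } = {}) {
    this.windowMs = windowMs;
    this.now = now;                  // injectable clock for deterministic tests
    this.lastPostedTime = new Map(); // signal key -> time of last accepted post
  }

  // Returns { allowed: true } or { allowed: false, retryAfterMs }.
  // Stale entries are dropped as they are seen so the map stays bounded.
  check(identity) {
    const t = this.now();
    let wait = 0;
    for (const k of posterKeys(identity)) {
      const last = this.lastPostedTime.get(k);
      if (last === undefined) continue;
      if (t - last >= this.windowMs) this.lastPostedTime.delete(k);
      else wait = Math.max(wait, this.windowMs - (t - last));
    }
    return wait > 0 ? { allowed: false, retryAfterMs: wait } : { allowed: true };
  }

  // Call only after the post was actually accepted (human check passed,
  // content stored); a rejected attempt must not push the window forward.
  record(identity) {
    const t = this.now();
    for (const k of posterKeys(identity)) this.lastPostedTime.set(k, t);
  }
}
```

Because every signal is checked on its own, a poster who drops the cookie but keeps the same IP is still held to the window, while a guest with no overlapping signal is unaffected.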


#4

@mordrax because my users are anonymous. But given the recommendation by @serkandurusoy to use the accounts-guest package, this might be possible.

Thanks guys.


#5

Sorry, missed that! I thought it couldn’t be that easy :stuck_out_tongue: