Spam and Anti-bot Protection in GitLab

A GitLab admin can enable spam and anti-bot protection on the page /admin/application_settings/reporting#js-spam-settings.
Three third-party services are included:

Google reCAPTCHA

The reCAPTCHA will appear in five scenarios:

reCAPTCHA has three versions: v2, v3, and Enterprise. v2 and v3 are free, with a limit of 1,000,000 calls per month, and users can get keys for deployment at https://www.google.com/recaptcha/admin/create. For the Enterprise version, the price is $1 per 1000 calls once usage exceeds 1,000,000 calls, and migrating to it requires transforming the site key through the gcloud SDK ([doc](https://cloud.google.com/recaptcha-enterprise/docs/migrate-recaptcha)).

The reCAPTCHA service requires both the site frontend and the backend to send requests to its main domain, www.google.com, which unfortunately is blocked in China. The solution is to replace that domain with its global domain, www.recaptcha.net, which is available in China. The work for the GitLab JH version is in progress; see this MR.
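
The domain swap described above has to be applied to both the script the browser loads and the verification call the server makes. The following is an added example, not GitLab's code or the code from the MR; the function names, the `gitlab.example.com` hostname, the score threshold, and the sample replies are assumptions constructed for illustration.

```ruby
require "json"
require "uri"

# The two reCAPTCHA domains named in the text above.
RECAPTCHA_HOSTS = {
  default: "www.google.com",
  global:  "www.recaptcha.net" # reachable where www.google.com is blocked
}.freeze

# Frontend and backend must switch together, so derive both URLs from one setting.
def recaptcha_endpoints(region)
  host = RECAPTCHA_HOSTS.fetch(region)
  {
    script: "https://#{host}/recaptcha/api.js",        # loaded by the browser
    verify: "https://#{host}/recaptcha/api/siteverify" # POSTed to by the server
  }
end

# Form body the backend sends to the verify endpoint.
def siteverify_body(secret:, token:, remote_ip: nil)
  params = { "secret" => secret, "response" => token }
  params["remoteip"] = remote_ip if remote_ip
  URI.encode_www_form(params)
end

# Decide whether a siteverify JSON reply is acceptable.
# expected_hostname and min_score are this example's own policy settings.
def accept_verification?(json, expected_hostname:, min_score: 0.5)
  reply = JSON.parse(json)
  return false unless reply.is_a?(Hash) && reply["success"] == true
  return false unless reply["hostname"] == expected_hostname
  # v3 replies carry a score; v2 replies do not, so check it only when present.
  if reply.key?("score")
    return false unless reply["score"].is_a?(Numeric) && reply["score"] >= min_score
  end
  true
rescue JSON::ParserError
  false # fail closed on a malformed or truncated reply
end

# Constructed sample replies (not captured from the real service).
SAMPLE_OK  = '{"success":true,"hostname":"gitlab.example.com","score":0.9}'
SAMPLE_LOW = '{"success":true,"hostname":"gitlab.example.com","score":0.1}'
SAMPLE_BAD = '{"success":false,"error-codes":["invalid-input-response"]}'
```

Checking the `hostname` field and failing closed on unparseable replies keeps the verification result trustworthy regardless of which of the two domains served it.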

Akismet

Akismet is an anti-spam content service. In GitLab, the admin can enable it by ticking the Enable Akismet checkbox. Once it is enabled, a user who tries to submit spam content in an issue, such as asdasd123123, is blocked and asked to pass a reCAPTCHA.
Akismet doesn't require the site to load any frontend library; the backend needs to send requests to rest.akismet.com. This domain is located in the USA but is available in China according to the ping test. A plan must be bought to use it.

Invisible Captcha

Invisible Captcha is an open source anti-bot gem based on the honeypot principle, which provides a better user experience since there are no extra steps for real users, only for the bots. In GitLab, the admin can enable it by ticking the Enable Invisible Captcha during sign up checkbox.
This library doesn't require the site to send any requests from either the frontend or the backend.

Others

In addition, gitlab.com also uses the anti-bot service of its CDN provider, Cloudflare.

Payments

The payment methods for Google reCAPTCHA Enterprise support at least Visa and MasterCard credit cards issued in China, and Akismet supports at least UnionPay credit cards issued in China; it is not clear which other methods are supported.

@qianzhangxa

Edited by Qian Zhang (Gary)