Python job board may need a submission throttle control

[malemburg]

On Thanksgiving (2015-11-26), we were hit by an obviously scripted attack to submit lots of junk job postings. Here's an example:

Title:    3
Company:  */netsparker(0x005D0D);/*

Posted:   26 November 2015
Category: Administrator
Contact:  3 <netsparker@example.com>

Description:

We may want to prevent such attacks by e.g. not allowing more than one posting per minute, or only allow postings by logged in users. A captcha may also help.

[matrixise]

+1 for logged users,
+1 captcha ?

posting per minute, how will you implement that ?

[malemburg]

@matrixise Postings per minute can be throttled by simply checking whether the user has submitted a posting within the last 1-2 minutes. This only works for logged in users, of course. For anonymous users, we'd have to use the IP address.

[pneff]

Alternatively for anonymous submissions this can even be done globally. i.e. treat all anonymous users as one bucket for which no more than 3 postings per 10 minutes are allowed.