Spam protection in online forms and comment fields is important. However, many solutions are either not self-hosted or not powerful enough. The open source spam protection software mosparo solves this problem. We explain how in our blog here:
Monty Python sang in a sketch “Spam, spam, spam ...” – and helped the British canned meat to eternal “fame” as a synonym for omnipresent harassment. The spam problem is not only familiar to email users, but also to website operators: Automated comments and inquiries in online forms stifle thousands of serious customer contacts.
The solution: spam filters - but they are not always unproblematic. In the latest TechTalk, Sascha Zander, Senior Software Developer, therefore presented mosparo, a self-hosted open source alternative that can eliminate many difficulties with comment spam – without having to work with annoying captchas.
The problem: although the ubiquitous captchas in comment fields provide fairly reliable protection against spam, they have several disadvantages. On the one hand, they are generally operated by cloud operators such as Google or Cloudflare, which makes their operation problematic, to say the least, in terms of data protection legislation. On the other hand, they are often not barrier-free and frequently prevent even people without disabilities from sending a request at all, whether for lack of time or because they cannot solve the captcha. A major denkwerk customer therefore wanted a different solution.
Existing providers rely on captchas and/or cloud services, while, according to Sascha, self-hosted open source solutions often do not deliver the desired performance, especially in terms of accessibility and implementation effort. During his search, he came across mosparo, an anti-spam solution for web servers that can be integrated into forms.
mosparo meets the requirements profile, is accessible in accordance with the WCAG standard, is easy to implement and operate and is GDPR-compliant thanks to the anonymized storage of user data for only 14 days and self-hosting.
The relatively new software – version 1 was only released in summer 2023 - works in a similar way to the filter systems in mail servers using a rating system for spam: certain terms are given a score and the tool uses this to calculate the probability of spam. In addition, information such as source domains, IP addresses, user agents and URLs entered are included in the evaluation of the content of a message.
In addition, mosparo has two practical functions for recognizing bots, i.e. automated spam postings. Firstly, there is a honeypot field that is not visible to human users, but is visible to bots: if it is filled in, it is clear that an automated system was at work and the request is almost certainly spam. Secondly, mosparo checks the time users need to complete the form: if the form is filled out and sent too quickly, this also points strongly to a spam entry.
According to Sascha, another practical feature of mosparo is that the tool works with a so-called ruleset: This is a JSON file that contains the spam rules created by the server operator. This ruleset is not only transferable, but can even be transferred from another server via URL – ideal for offering a central anti-spam file on denkwerk servers, for example.
Of course, mosparo is not free from criticism either: the detection quality of the software stands and falls with the quality of the ruleset. Sascha cited an example here in which a user was repeatedly filtered because a part of her name was classified as spam. Accordingly, when in doubt, the ruleset must be gradually adapted to the actual needs of a website or online service.
Conversely, “annoying” contact form requests that are not classic spam - such as contact requests from influencers – can also be filtered very easily in this way. However, rulesets still have to be defined by the users themselves; mosparo does not (yet) have a ready-made list for the German-speaking world: “Unfortunately, German-language spam words still have to be manually collected and entered,” says Sascha.
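The checks described above (honeypot field, minimum fill-in time, scored ruleset) can be sketched as follows. This is an added example, not mosparo's code and not from the talk: the ruleset layout, the field names and the choice to reject outright on a honeypot or timing hit are assumptions made for illustration. It also reproduces the false positive mentioned above, where a substring rule matches part of a name, next to whole-word matching, which does not.

```python
import json
import re

# Constructed ruleset in a simplified, hypothetical format (NOT mosparo's real schema).
RULESET = json.loads("""
{
  "spam_threshold": 5.0,
  "min_seconds": 3.0,
  "rules": [
    {"type": "word", "value": "cash", "score": 5.0},
    {"type": "word", "value": "casino", "score": 4.0},
    {"type": "user_agent", "value": "python-requests", "score": 3.0}
  ]
}
""")

def evaluate(form, ruleset, whole_words=True):
    """Return (score, reasons) for one form submission."""
    # Honeypot: hidden from humans, so any value means an automated client.
    if form.get("honeypot"):
        return float("inf"), ["honeypot field filled"]
    # Minimum time: the form came back faster than a person could fill it in.
    if form["elapsed_seconds"] < ruleset["min_seconds"]:
        return float("inf"), ["submitted too quickly"]
    text = " ".join(form["fields"].values()).lower()
    score, reasons = 0.0, []
    for rule in ruleset["rules"]:
        needle = re.escape(rule["value"].lower())
        if rule["type"] == "word":
            # Substring matching flags "cash" inside "Cashmore"; \b...\b does not.
            pattern = rf"\b{needle}\b" if whole_words else needle
            hit = re.search(pattern, text) is not None
        elif rule["type"] == "user_agent":
            hit = re.search(needle, form["user_agent"].lower()) is not None
        else:
            continue  # unknown rule types are ignored
        if hit:
            score += rule["score"]
            reasons.append(f'{rule["type"]}:{rule["value"]}')
    return score, reasons

def is_spam(form, ruleset, whole_words=True):
    return evaluate(form, ruleset, whole_words)[0] >= ruleset["spam_threshold"]

# Constructed sample submissions.
BROWSER = "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
CUSTOMER = {"fields": {"name": "Anna Cashmore", "message": "Please send a quote."},
            "honeypot": "", "elapsed_seconds": 41.0, "user_agent": BROWSER}
BOT = dict(CUSTOMER, honeypot="http://spam.example")
SPAM = dict(CUSTOMER, fields={"name": "x", "message": "Win cash at our casino"})
```

Returning the matched rules alongside the score makes it easier to see which ruleset entry caused a legitimate request to be filtered, which is the information needed when adapting the ruleset step by step.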