GuestNo new alerts

Rate Limiting

- Updates96
 
I'm working on a simple general ratelimiter to deploy across many features in Gosora to curb the amount of abuse that Gosora might receive.

I'm trying to keep it fairly loose for regular users unlike certain naive systems in MyBB, etc. (even Reddit to some extent) which punish legitimate users for using the software too heavily or in certain ways, but I'd also like to restrict any machines which do manage to get through.

For other rate limiter related things~

I've made the rate limiting rules for password resets a little stricter, although I did this by making it stricter over larger time intervals (e.g. one email per hour, three per six hours, etc), so I'm hoping it won't be too stringent on users using the form a few times to resend an email which didn't arrive.
 
I thought by rate limiting you are focusing spamming by excessive no. of threads and posts in a short period of time.
 
Hm. It really depends on what you mean by that.

Some newer communities are using forums for shorter form posts with quick bursts of messages. It's not unusual to see thousand post threads for Discourse.
Also, time-outs can be very strict and over the top elsewhere and sometimes you don't even realise it because you're an administraotr and the administrator is exempt from the rules.

A balance could probably be struck somewhere, plus mitigations against a little incident I saw on one site where the spambots make precisely one post per thirty seconds and still manage to fill a thread with thousands of advertisements for pharmaceuticals.

Ratelimits are also needed to implement things like sitemaps as a large number of downloads of a sitemap by bad actors can easily take down a site. Or even a misbehaving or overly aggressive bot.