Important: A bug fix regarding verifying the origin hosts can break your form. Please verify that you configured your hosts in the project settings correctly and verify the functionality of your form after the upgrade to v1.2. Read more about it in the documentation

New features

Compatibility with PostgreSQL

In January 2024, we received a question from a user if it’s possible to use mosparo with a PostgreSQL database instead of the MySQL database. When we started developing mosparo, we only concentrated on using MySQL because using two database systems would complicate many things (regarding our dependencies on Symfony/Doctrine).

We now took a second look at the options and added a different option to configure the database. With this new approach, our development was almost unchanged, and we were able to add compatibility to PostgreSQL.

With the new version, while installing mosparo, you can decide if you want to use a MySQL or PostgreSQL database.

Suggested by skid9000

Security feature to block repetitive submissions

We received the question of whether blocking repetitive submissions with mosparo is possible. Repetitive submission means that the same form data gets submitted multiple times. Since that was not possible before, we’ve added a fifth security feature to the project security settings, which will block repetitive submissions.

It’s possible to configure the number of submissions and the time frame in which it should be counted. Additionally, it’s possible to configure whether repetitive submissions should be counted based on the IP address or all users.

Suggested by Geremia

Web-based cron jobs

We’ve added the option to enable web-based cron jobs to make it easier to execute the cron jobs. These cron jobs can be enabled in the administration interface and are not enabled by default (for security reasons).

As soon as enabled, you can set up a cron job to request a URL. You can also use an external cron job service to execute the mosparo cron job by defining a cron job with the cron job address.

Inspired by mpaglia0

Changes

Upgrade to Symfony 6.4

The framework we use, Symfony, got upgraded to the latest LTS version, 6.4. We’ve also updated all the other dependencies to the latest version.

While this changed many things in the code, it should not impact the user interface or the functionality of mosparo in general.

Negative spam rating for rules

We received the question of whether it’s possible to reverse a rule, for example, if it’s possible to mark submissions from all countries except one as spam. While we considered this question, we detected that it’s impossible to add rules with a positive effect.

As an easy solution, we’ve adjusted the spam rating value fields for the rule items and changed them to allow negative values. With this change, adding rule items with a negative rating value is now possible.

When the form data is validated, the total number of points is calculated to determine whether a submission is spam or not. A rule with a negative value can reduce the number of points, for example, if the submission is from a specified country or IP subnet.

Inspired by cesare190

Compatibility with reverse proxy subpath setup

We’ve added some adjustments to mosparo to allow using mosparo in a subpath setup with a reverse proxy. With these changes, it’s possible to set up mosparo in a subpath like example.com/mosparo/, as long as you configure it with a reverse proxy.

We still recommend using a domain or subdomain to set up mosparo, but there is no reason not to install it in a subpath with a reverse proxy.

Inspired by davd-edia

Accessibility optimizations

While testing compliance with WCAG 2.1, Access for all found multiple things that could be optimized for better usage of assistance tools. We implemented the majority of these recommendations with v1.2.

• The mosparo box received the `lang` attribute to tell a screen reader which language is visible. If a mosparo box is visible on a page in a different language than the mosparo box, the screen reader reads the text in the wrong language.
• The mosparo logo was not visible if the high-contrast mode was enabled. With this fix, the logo is also visible in the high-contrast mode (as long as the logo’s visibility is enabled in the design settings).
• Since the logo is not added as an HTML image, adding an alternative text to describe the image is impossible. We’ve added an additional text for screen readers after the main label to let the user know that the form is protected by mosparo, as long as the logo is enabled in the project design settings.
• We’ve adjusted the message for screen readers when mosparo validates the form data in the frontend. The message now indicates that the spam protection is validating the data. Before this change, it was unclear what exactly was happening.
• The alert message for screen readers is now linked with the label element to give the user the required context.

Bug fixes

• A bug in the request processing did not verify the hosts correctly. Because of this bug, all origins were accepted for the CORS headers, not only those configured in the project settings. With this fix, the origins are verified correctly. This change can lead to broken forms if your project’s hosts are not set correctly. Please test your forms after upgrading to v1.2. Read more about it in the documentation. Reported by zttom
• Because of a logic bug, it was impossible to edit the login throttling or the access settings when the trust settings were defined in the environment variables. This bug is now fixed.
• A bug in the export functionality led to an incorrect value in the exported security guideline. With this fix, the value in the security guideline is now correctly exported and imported.

Thank you

We thank all of our contributors and testers for their suggestions and work. We could not do such a project without your support and contributions!

If you have any suggestions to enhance or optimize mosparo, you can send them to us by creating a post in the Discussions section on GitHub.

The post New Features & Changes in Version 1.2 appeared first on mosparo.

The two days

The first event occurred on the 20th of April, 2021, on a park bench between two villages in Switzerland. It was late afternoon, and the sun was setting in the background. We, Marc and Matthias, discussed different project ideas. One of these ideas was a very rough one for building a new CAPTCHA solution.

One day later, on the 21st of April, 2021, Matthias (zepich) wrote the concept for a project called “NoSpam”. Later that day, we discussed the concept in a phone call. On the same evening, the first domain was bought, and the project started to take shape.

Some more days later, the name “mosparo” was defined and the project was officially started.

The concept

The concept was written on the 21st of April 2021 and did not receive any adjustment since then. After settling on the name, we did not even update the project name in the concept. The concept describes the essential features and how the verification should generally work.

Of course, mosparo received many more features than we had in our minds three years ago. However, comparing the concept with the final software is interesting because we wrote the concept before we started to develop it and described the technical validation and verification process exactly how we developed it and how it’s still in the software today.

You can read the original concept here: Konzept Project NoSpam (PDF, 97 KB)
The concept is only available in German.

The rest is history

A half year after these two days in April 2021, mosparo was installed on the first website on the internet. It’s our test website for catching spam. Another year later, in August 2022, mosparo’s private beta started with more websites. And finally, another half year later, mosparo was officially released as a public beta.

Thank you for using and supporting mosparo!

If you want to help make mosparo better, you can find all information about contributions on our Contribution page. If you find an issue, please report it as an Issue on GitHub. Please let us know in the GitHub discussions if you have any questions or suggestions. We look forward to hearing from you!

The post Back in time: The start of mosparo appeared first on mosparo.

In recent weeks, “Access for all”, the Swiss foundation for technology adapted to people with disabilities, has tested the mosparo spam protection mechanism for compliance with WCAG 2.1 by the W3C.

Access for all confirms that mosparo is fully compliant with all success criteria at levels of conformance A and AA. To verify compliance, Access for all tested with different experts and different technologies and devices.

Since mosparo was built with accessibility and data privacy in mind, the mechanism of mosparo in the frontend is straightforward and, therefore, not a problem for assistance tools like screen readers and other accessibility tools.

Technical details

Access for all tested the visible and invisible modes of mosparo with version 1.1. We prepared an installation of mosparo and a demonstration form for Access for all. We’ve added some rules to test the spam and non-spam scenarios.

Some optimizations, which Access for all found while testing the mosparo spam protection, were already added with version v1.1.2, while some additional optimizations will be added with mosparo v1.2.

WCAG 2.1 AAA

We’re planning to go a step further and want to verify the compliance with the success criteria at the level of conformance AAA. We will inform you once we have more information about that project.

Accessibility Conformance Declaration

Accessibility conformance declaration WCAG 2.1 A and AA (PDF, 183 KB)

If you want to help make mosparo better, you can find all information about contributions on our Contribution page. If you find an issue, please report it as an Issue on GitHub. Please let us know in the GitHub discussions if you have any questions or suggestions. We look forward to hearing from you!

The post Compliance with WCAG 2.1 A and AA appeared first on mosparo.

New features

Statistical data without a time limit

mosparo stores the submissions of a project for only 14 days. The chart on a project’s dashboard and the statistical API use these submissions to calculate the statistical data. Because of the automatic cleanup, the statistical information is only available for these 14 days. Additionally, if you have a lot of submissions, the calculation of this statistic takes time.

We’ve introduced a separate storage of the statistical values to solve this issue and offer the option to store the statistical information for a longer period. In there, we store the number of valid and spam submissions for each day.

The project owner can decide how long the statistical data should be stored with an option in the project settings. It is possible to let mosparo delete these data after, for example, 14 days or keep them forever.

The dashboard and the statistical API use these separated statistical data to display and return their data. On the dashboard, an additional dropdown allows you to choose the time range in the dashboard. An additional argument in the API allows you to define from which date the data should be returned specifically.

Suggested by Tobi77

Origin-based security settings

The security settings for a project (Honeypot, Minimum time, Delay, and Lockout) are good to limit the damage a spammer can do with very simple things. But they are the same settings for all users around the world. If you have a website focused on users from Australia, users from Switzerland are not your number one priority.

With the newly added IP-based security settings, you can define that users from Australia have not-so-strict security settings (for example, no minimum time, no delay, and very generous lockout settings), while other users worldwide have very strict settings.

You can define as many guidelines as you want to override the needed settings. You can specify the guidelines on the IP subnet or, if you’ve set up GeoIP2, on the country or AS number.

Limit the access to the backend and the API

To enhance the security of mosparo, we’ve added two additional settings in the Administration area to limit access to the mosparo backend and the API (Verification and Statistic).

Previously, you had to set up this limitation in your webserver configuration, which was hard to do since mosparo’s frontend API must be accessible by all users.

With this change, you can manage the limitations of your mosparo installation in the administration interface. You can define which IP addresses or Subnets can access the backend (login form and the management interface) and the API (Verification and Statistic). Usually, only your web server needs access to the APIs so that you can limit that to the IP address of the web server.

Define the language of the frontend

mosparo uses the browser language to define the mosparo box’s language in your form. The idea is to maximize accessibility and show everybody the correct language.

While that can work very well, it also can create other issues. To offer an alternative, we’ve added an option in the JavaScript frontend library, with which you can specify the language that mosparo should use. If you define a language for which mosparo does not have the translations (yet), mosparo falls back to the English translations.

Suggested by brendofreitas

API debug mode

Developing an API client or an integration for mosparo can be challenging since the Verification API is not very talkative and can be complicated.

For this, we’ve added a debug mode. The debug mode can be enabled for every project. If the debug mode is enabled, mosparo will return with more explainable error messages and hints as to why the request was unsuccessful.

With the debug mode, finding the problem in the communication and solving the issue should be a lot easier.

Inspired by OriCat101

Verification simulation mode

Additionally to the added API debug mode, we’ve added a verification simulation mode. It can also be enabled per project.

If enabled, mosparo displays a new button in the top right corner of the submission detail page. When clicking this button, mosparo will show you step-by-step how to verify the submission. You can also see the values the API expects in your API requests.

Inspired by OriCat101

Changes

Active project while using mosparo

Since the beginning of the development of mosparo, we have stored the active project in the user session. This made some things very easy while others got very complicated. After a user reported wrongly stored settings in the project creation wizard, we thought about this setup again. We concluded that we have to change it to eliminate possible issues in the future.

We’ve changed all project-related URLs. The active project is now represented in the URL. This fixes all issues regarding the active project. Additionally, you can now edit multiple projects simultaneously in different browser tabs without any problems. Before, you were able to edit only one project at a time.

We still store the latest active project in the session, so if you visit the account settings or the administration interface, you can quickly return to the latest active project.

With this change, it is also possible to send the URL of a submission, rule, ruleset, or anything else project-related to someone else. After logging in, this person is redirected to the correct object.

Update for the import and export functionality

Since these new features added new options to the project settings, we’ve updated the import and export functionality to represent these options.

Additionally, we added the status of a project to the import and export functionality too. We should have added that in the initial development.

Bug fixes

• On the project dashboard, the button to the project settings was visible to all users, as well as users with lower access levels (like Reader and Editor). These users cannot access the project settings. With the fix, the button is not visible to those users.

Thank you

We thank all of our contributors and testers for their suggestions and work. We could not do such a project without your support and contributions!

As always, we’re looking forward to your feedback. You can send it to us by email (feedback@mosparo.io). You can also post a review on AlternativeTo, or WordPress.org (for our WordPress plugin).

If you have any suggestions to enhance or optimize mosparo, you can send these to us by creating a post in the Discussions on GitHub.

The post New Features & Changes in version 1.1 appeared first on mosparo.

New features

Invisible protection

With the new version, you can switch between the visible mosparo box and the invisible protection. The invisible protection will not show a visible mosparo box in the form. Instead, when the user submits the form, mosparo will come into play and validate the form automatically. mosparo will show a loading overlay over your website or form so the user is informed of what’s happening.

After the automatic validation is successful, mosparo will submit the form automatically.

Suggested by quadcom

Export and Import functionality

With the newly added export and import functionality, it is possible to export the settings of a mosparo project and then import them into another mosparo project (maybe even on a different mosparo installation). You can choose which parts of the settings should be exported and imported.

Suggested by Digi92

Facelift project overview

The project overview page was one of the first pages in mosparo back when the development started. Since then, this page had more or less no adjustments, so it was time for a facelift.

The page generally looks the same, but now it also has a list mode where you see your projects in a table instead of the boxes. Additionally, you can filter the table and search for projects.

We’ve also adjusted the project dropdown in the top left corner and set a max height (if you have many projects) and a search.

Rule tester

You can test how your rules will catch spam with the newly added Rule tester. This tool can help you test the different rule types and factors without waiting for the next spam submission.

Facelift ruleset details

We gave the ruleset detail page a facelift. Before, all the rules and rule items were listed on one page. But if you have a large ruleset, the page will become slow and could crash mosparo (in the worst case).

The new ruleset detail page lists the rules in a table with pagination. You can click on a button if you want to see the items in a rule. You will then see only the rule items of this rule.

Suggested by Digi92

Allow users to create projects

Everybody could create new projects, even simple users, in the old version. With the new version, you have to give users the right to create new projects if they’re not an admin user. Administrators can always create projects.

Rule list filter

If you have a lot of rules, it can be hard to keep the overview. We’ve added a filter to filter the rule list for the rule type you want to see.

Brute force protection for login

To enhance the security of mosparo, we’ve added brute force protection to the login form. That does not entirely prevent a brute force attack but makes it more difficult. If you want maximum security, you should always use two-factor authentication.

Bug fixes

We’ve added multiple bug fixes while developing and testing the new version. One of the most important ones is the one described below.

The automatic update check is not executed when the updates are disabled

Because of a logic issue, the update check was not executed if the updates were completely turned off in an installation. This fix will perform the update check, even if the update functionality is disabled. So you get informed as soon as a new version is available, and then you have to check how to execute the update (if the update system is disabled in your installation).

Thank you

We thank all of our contributors and testers for their suggestions and work. We could not do such a project without your support and contributions!

As always, we’re looking forward to your feedback. You can send it to us by email (feedback@mosparo.io). You can also post a review on Product Hunt, AlternativeTo, or WordPress.org (for our WordPress plugin).
If you have any suggestions to enhance or optimize mosparo, you can send these to us by creating a post in the Discussions on GitHub.

The post New Features & Changes in version 1.0 appeared first on mosparo.

mosparo v0.3

With feedback from our users, we continued to optimize and enhance mosparo. We’ve released four new versions of mosparo. We’ve fixed multiple smaller and larger bugs in these versions and optimized the security. Additionally, we received more translations, especially for the backend. 

mosparo v0.4

The planned features for v0.4 are developed. Right now, we’re working on an update for the update system, which is required since v0.4 will need PHP 8.1.10 or newer, and the update system has to check that before the upgrade is possible. We plan to have the first beta ready in the next week.

Integrations and plugins

Drupal module

In May, we released the first beta version of the Drupal module. With the Drupal module, you can integrate mosparo in the forms from the Contact and Webform module. Additionally, you can use mosparo in the module CAPTCHA.

The module is available in the Drupal module repository:
https://www.drupal.org/project/mosparo_integration

Other updates

Usage of mosparo

We were asked if we plan to extend the compatibility of mosparo, especially with other database systems. The question was unusual and unexpected. After discussing the question, we discovered a need to clarify how mosparo is integrated into a website.

mosparo is a standalone software not integrated into any other system. After you’ve installed mosparo on your web hosting, you have to connect your website with mosparo. You need the integration for your CMS/website, or you have to use the API client and develop your integration if there is no integration or you use a custom-developed website. If you use a programming language for which we do not offer an API client right now, you must develop your API client (or tell us about it here).

We’ve adjusted the about us page and will update the documentation in the future, maybe even with a drawing.

Thank you

We thank all contributors and users for their feedback, translations, pull requests, bug reports, and suggestions!

The post Project update May 2023 appeared first on mosparo.

mosparo v0.3

We added new functionality, fixed bugs, and got different pull requests to optimize the behavior and functionality of mosparo. We’ve released different versions, the latest version, v0.3.15, contains better security headers and additional bug fixes.

mosparo v0.4

The new major version, v0.4, is in development. We’re working on new features and refactoring existing ones. If everything works, we should be able to provide a first beta version at the end of May.

API clients

JavaScript API client

We’ve updated the JavaScript API client and fixed the misleading verification method name. We also released the first official release of the JavaScript API client, which was released as Beta before.

The JavaScript API client is officially released on NPM: https://www.npmjs.com/package/@mosparo/api-client

Python API client

We developed an API client for Python back in January and February. After the Beta phase in the last months, we’re finally happy to announce the first official release.

The Python API client is released as Beta on PyPi: https://pypi.org/project/mosparo-api-client/

Integrations and plugins

WordPress plugin

In April, we released three different versions of the WordPress plugin. First, we’ve fixed some issues with the Formidable and NinjaForm repeater fields. After that, we’ve added a fix for a verification bypass method, and the last version, v1.4, contains an additional module to use mosparo in Elementor Form Builder forms.

The plugin is available in the WordPress plugin repository: https://wordpress.org/plugins/mosparo-integration/

Django integration

Additionally to the Python API client, we’ve also developed a Django integration. With this integration, you can use mosparo to protect your Django form. The integration is released as a Beta version.

You can find the integration on PyPi: https://pypi.org/project/mosparo-django/

Mautic plugin

As requested by quadcom, we’ve developed a plugin to integrate mosparo with Mautic. After you’ve installed the plugin, you can protect your Mautic forms with mosparo. The Mautic plugin was released as a Beta.

You can find more information about it here: https://github.com/mosparo/mautic-plugin

Symfony Bundle (3rd party)

The GitHub user arnaud-ritti developed a bundle to integrate mosparo into a Symfony form. Thank you for your work, arnaud-ritti!

The repository is available here: https://github.com/arnaud-ritti/mosparo-bundle

Other developments

List of ideas and suggestions

Since the start of our private Beta in August 2022, we’ve received some suggestions from our users and had some future development ideas too. We’ve collected these ideas in a list but didn’t make the list publicly available.

We’ve now put all these ideas into topics in the GitHub discussion tab. You can upvote ideas, add your opinion or suggest new ideas there.

You can find the complete list of ideas and suggestions here: https://github.com/orgs/mosparo/discussions

Documentation regarding update

The user tpokorra reported an issue regarding the update process. When we investigated the issue, we found out that the update process of mosparo is described in the documentation but in the wrong place. We’ve updated the documentation and added a separate page to describe the update process. 

You can find the updated documentation here: https://documentation.mosparo.io/docs/installation/update

We want to thank you all for your feedback, work, and time!

The post Project update April 2023 appeared first on mosparo.

If you want to set up mosparo, some requirements must be met before installing it. Maybe you don’t have a web server with PHP available right now, so the alternative to setting everything up manually is to use the Docker image.

With the provided Docker image, you get mosparo together with PHP and nginx, so you do not have to take care of the installation and configuration of PHP. You still need a MySQL database and have to use a reverse proxy (at least for productive environments).

You do not have to take care of the MySQL database using the recommended method with docker-compose.

Please find all information about how to use the Docker image in our documentation: https://documentation.mosparo.io/docs/installation/install/docker/

You can find our Docker images on Docker Hub: https://hub.docker.com/r/mosparo/mosparo

If you have suggestions, issues, or feedback regarding the Docker image or mosparo in general, do not hesitate to send us an issue on GitHub or an email to feedback@mosparo.io.

The post Install mosparo with Docker appeared first on mosparo.

Within a few hours, we got an email from Weblate that someone had added a new language. When we checked the project, we saw that user @kefir2105 added the language for Ukrainian. We then started to ask friends and family to get more languages. In the last two releases, we added more languages, and with the next release, we will increase the number of available translations to at least 16 languages.

Our target is to translate mosparo at least into the 39 most used online languages. We’ve added these languages to our project in Weblate already. 

If you know one of these languages, we ask you to add your translation in Weblate. If you know a language we haven’t added, you can add it to the project anytime. We’re happy to add every language we get.

Since mosparo is an open-source project, Weblate is hosting us for free. Weblate is a web-based localization tool with tight version control integration. You can install and host Weblate on your own server – or use the hosted service by Weblate. This is not an ad for Weblate, but we had an excellent start with Weblate and are grateful for the help of the team of Weblate and the community on Weblate.

We’re also very thankful for everyone who helped us make mosparo better – especially by taking the time to translate the frontend sentences into more languages. Accessibility is one of our most important features, and translating mosparo into more languages means better accessibility. You can find a list of our translators in our GitHub repository: https://github.com/mosparo/mosparo/blob/master/translations/README.md

If you’re interested in helping to translate mosparo into more languages, please find all the information here: https://documentation.mosparo.io/docs/translating

You can find the mosparo Weblate project here: https://hosted.weblate.org/projects/mosparo/

The post Translate mosparo appeared first on mosparo.

Since mosparo is not based on a hosted and managed service and not using any magic, it’s hard to see the actual effectiveness of mosparo.

Last week, we discovered a new use case for mosparo, so we want to give you some examples of when mosparo can be helpful – and when it cannot.

Good use cases

First and most important: Contact form (and any other kind of form)

mosparo is designed and optimized for contact forms on websites (and other forms with text fields). The user enters all the data in the form, confirms the mosparo box, and submits the form. The data gets checked by mosparo and declined if spam is detected. A bot can submit the form if his spammy words are not added to a rule. As soon as the owner of a mosparo installation adds the spam words to a rule, the bot will not be able to submit the form again with the same words.

Newly discovered: Brute Force protection

When we developed mosparo, we only thought a little about this option. But last week, we had to implement a Brute Force protection on a custom website for a client of our day job. Instead of developing all the stuff needed for a Brute Force protection, we just added mosparo and enabled the Auto Delay and the Blocking method with relatively small values. Suppose you add mosparo to a login form, for example. In that case, the username or email address gets transmitted to mosparo, the password is automatically ignored (if the HTML type of the field is ‘password’), and every request to mosparo gets counted. After the user tried too many times, submitting the form with mosparo is not possible anymore for a specified time.

Possible use case (but probably not useful)

(D)DoS protection

Of course, you could use mosparo with the Auto Delay and Blocking features to protect your website from a (D)DoS attack. But, since you have to host mosparo on your server, the attacker will also attack your mosparo installation. The benefit of the well-known NoCAPTCHA solutions, typically used for (D)DOS protection, is that some other company does the hosting for you – and they usually have a lot of experience with (D)DOS attacks.

Bad use case

Detecting humans

mosparo is not designed and is not able to detect humans. Honestly, no CAPTCHA will ever be able to detect real humans. There is a race between developers of CAPTCHA solutions and bot developers, which resulted in the current situation. Almost all CAPTCHA solutions are based on puzzles or collecting data – and in the end, you still get spam through your CAPTCHA-protected forms. From our perspective, it makes no sense to try to detect humans. Instead, it’s much better to define which content you want and which you do not – because that’s all that matters. 

Are you not interested in luxury watches? Good, add a rule, and you will not get information about luxury watches again.

If you have other use cases you used mosparo or planned to use, do not hesitate to tell us more about them. Please send us an email to feedback@mosparo.io.

The post When to use mosparo appeared first on mosparo.