@redsocs/spam-warden 1.1.4 → 1.1.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +17 -1
- package/dist/spamwarden.js +521 -428
- package/dist/spamwarden.min.js +2 -2
- package/package.json +3 -1
package/README.md
CHANGED
@@ -85,6 +85,22 @@ Traditional spam filters (like Akismet or ReCaptcha) often:
**SpamWarden** exists to provide a **local, fast, and Thai-centric** alternative that stops spam at the source: the user's input field.
+
# Security & Active Defense
+
+
> [!WARNING]
+
> **Honesty First:** All client-side code is inherently bypassable by a sufficiently motivated human. However, we have engineered this library to be an absolute nightmare for automated bots and script kiddies.
+
+
We do not rely solely on "Security through Obscurity." SpamWarden employs a **Hostile Active Defense** architecture:
+
+
1. **The Ghost Tarpit (Honeypot):** We intentionally deploy a "Poison Pill" decoy. If a bot or attacker attempts to bypass or tamper with the script, they are redirected into this trap, which is designed to actively retaliate by crashing headless browsers (Puppeteer/Playwright) and wasting attacker compute credits.
+
2. **Build-Time Randomization (The Moving Target):** The real machine-learning engine is hidden inside an isolated closure and bound to the DOM using a randomized cryptographic key generated during compilation. The internal execution path changes on every release, defeating static bypass scripts.
+
3. **Brutal DOM Protection:** By utilizing Document-Level Capturing Phase listeners, Prototype Monkey-Patching, and MutationObservers, SpamWarden intercepts submissions before they reach the form element. This defeats trivial bypasses like form cloning or direct `document.forms[0].submit()` calls.
+
4. **Aggressive Obfuscation:** The final distribution is run through high-entropy obfuscation (Control Flow Flattening, String Shifting) to protect the model weights and heavily penalize reverse engineers trying to step through the code.
+
+
If you require absolute, mathematically unbroken security, client-side protection will never be enough. You **must** validate payloads on your backend:
+
- **For WordPress:** Use our [SpamWarden WP Plugin](https://redsocs.com/spam-warden) to protect your server at the PHP layer (Paid).
+
- **For Node.js/Custom Stacks:** Grab this NPM package directly, bundle it internally, and run the `spamcheck()` function on your backend server before hitting your database (Free).
+
# Local Simulation & Testing
You can spin up a local simulation server to test the DOM auto-blocking behavior and inspect the SIEM telemetry payloads in real time:
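Review bot: the new "Security & Active Defense" section documents behaviour that needs a stated trigger condition and an opt-out before it is advertised in the README. Item 1 says the decoy is "designed to actively retaliate by crashing headless browsers (Puppeteer/Playwright)", but those are the same tools a site owner's own end-to-end and accessibility tests run on, so an integrator needs to know exactly what counts as "bypass or tamper" and how to exclude their own CI from the tarpit; item 3's "Prototype Monkey-Patching" of form submission deserves the same caveat, since it will also intercept legitimate scripts on the page. Item 2's "randomized cryptographic key generated during compilation" overstates what a value baked into a publicly served bundle provides; it is a per-release obfuscation seed, not a secret key, and the wording should say so. The closing advice to "bundle it internally, and run the `spamcheck()` function on your backend" asks operators to run the obfuscated distribution described in item 4 on their server, where they cannot audit it; document the exported function's signature and say whether the backend path can use an unobfuscated build. Lastly, "absolute, mathematically unbroken security" should simply read "server-side validation", which is what the paragraph actually recommends and what the section's own warning concedes is the only reliable layer.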
@@ -115,7 +131,7 @@ You can spin up a local simulation server to test the DOM auto-blocking behavior
# About
-
- **Version:** 1.1.
+
- **Version:** 1.1.7 (Engine v11.06)
- **Author:** [RedSocs](https://github.com/RedSocs)
- **License:** MIT
- **Model Origin:** Trained via [RedSocs/spam-labeler](https://github.com/RedSocs/spam-labeler)
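Review bot: the "Version" bullet is a hand-maintained copy of the version field in package.json (listed in this release as changed, +3 -1), and the removed line shows it was already out of sync ("1.1." with the patch number missing), so either generate this bullet from package.json at release time or drop it and point readers at the registry page. The added "(Engine v11.06)" introduces a second version number that nothing else in this hunk explains; state what "Engine" refers to (the bundled model, the dist build, or something else) and where that number is defined, otherwise it will drift the same way the package version did.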