mosparo

mosparo is a self‑hosted spam‑filtering service that replaces traditional CAPTCHAs with rule‑based analysis of form data. It operates on the principle that spam bots tend to fill in fields with predictable patterns (URLs, repetitive words, or known malicious payloads). By inspecting each field independently and comparing it against a developer‑defined rule set, mosparo can reject malicious submissions before they reach the application’s backend or inbox. The core of its logic is a lightweight pattern‑matching engine that runs in PHP, allowing developers to craft custom rules using regular expressions or keyword lists.

Key Features

• Rule‑Based Filtering – Developers can create, edit, and combine rules that target specific fields or global patterns. Rules support regex, string matching, and scoring mechanisms to fine‑tune sensitivity.
• Data Minimization – Only the user’s form inputs, IP address, and user‑agent string are captured. All data is encrypted at rest (using OpenSSL or sodium) and purged automatically after a configurable retention period (default 14 days).
• Accessibility‑Friendly – The UI component is a simple checkbox that can be styled to match any site, avoiding visual puzzles or audio challenges. It is fully screen‑reader compatible and works with mouse, keyboard, and touch.
• Open Source & Free – The project is released under an MIT‑style license, enabling unrestricted modification and redistribution. No external tracking or analytics are included.

Technical Stack

Core Capabilities

• Rule Engine – Exposes a DSL to define conditions (field contains "http", score > 5) and actions (reject, allow, log). Rules are compiled into a cache for fast evaluation.
• Submission API – A lightweight endpoint that accepts form data, runs the rule engine, and returns a JSON verdict ({ "spam": true, "reason": "URL detected" }).
• Webhook Support – Developers can subscribe to events (submission.created, submission.spam_detected) via HTTP callbacks, enabling integration with mailers or analytics.
• Admin UI – A web dashboard for managing rules, viewing logs, and configuring retention policies. Authentication is handled via Symfony Security with role‑based access control.

Deployment & Infrastructure

• Self‑Hosting – Can run on any LAMP/LEMP stack that supports PHP 8.1+. The application is distributed as a Composer package, making it easy to integrate into existing PHP projects.
• Containerization – Official Docker images are available (based on php:8.1-fpm). A docker-compose.yml skeleton includes services for the web server, database, and optional Redis cache.
• Scalability – Stateless PHP workers can be horizontally scaled behind a load balancer. The rule cache and optional Redis store reduce database hits, keeping latency low even under high submission volumes.
• CI/CD Friendly – The codebase follows PSR‑4 autoloading, uses environment variables for configuration, and can be deployed via GitHub Actions or custom pipelines.

Integration & Extensibility

• Plugins – The architecture exposes a service container where developers can register custom validators or post‑processing hooks. For example, a plugin could enrich the rule set with external threat intelligence feeds.
• Webhooks – External services (mailers, CRMs) can listen to submission events without polling the database.
• Custom Widgets – The checkbox component is a self‑contained JavaScript snippet that can be embedded anywhere. Developers may replace it with a custom React/Vue component if desired.

Developer Experience

• Configuration – All settings (database DSN, retention period, cache backend) are defined via .env files or environment variables. The application ships with sensible defaults.
• Documentation – Comprehensive guides cover installation, rule syntax, API usage, and advanced topics (caching, encryption). Inline code comments follow Symfony conventions.
• Community – The project maintains an active GitHub repository, issue tracker, and discussion forum. Pull requests are reviewed promptly, and contributors can add new rule types or integrations.

Use Cases

• Contact Forms – Protect inbound mailboxes from spam without burdening users with CAPTCHAs.
• Registration & Login – Prevent bot account creation by validating user input against known spam patterns.
• E‑commerce Checkout – Filter out fake orders or malicious payment data before processing.
• API Gateways – Expose the submission endpoint to other services, allowing centralized spam filtering across multiple applications.

Advantages Over Alternatives