Add error report spam protection honeypot #2040
Zipixx wants to merge 1 commit into simplesamlphp:master from
If the bots are indeed targeting SSP, this will not put them off for long. My idea would be to create a module that, for instance, implements Google Recaptcha. The module would have to provide a 'hook' that will let SSP know which twig-template to embed in the error form and which class to use for verification. The hook will make the module re-usable for other forms, while the modularized setup will allow people to implement other types of captchas. I wouldn't mind setting up some proof of concept for this. @thijskh Thoughts?
I agree that if bots are being made to attack a feedback form then they will probably evolve in line with small changes on that page. They have the source code after all ;) I recalled some drop in the limits in recent months for Google Recaptcha, which seems to be down to 10k/month on the free tier now. I imagine that even at that reduced rate it is likely to cover error feedback forms.
I just wanted to test the waters on the topic with this harmless merge request first. |
Unless their documentation is outdated, according to this page it's free up to 1 million Assessments / Month. I've already done some work locally, so I will try and finish my concept this coming weekend.
There were a bunch of sites reporting back in Jan/Feb that the tier was moving from 1 million to 10k per month. And mentions of "reCAPTCHA Lite" as the free tier. Though Google would be the ones to know rather than these other sites. |
It might be handy to use the "captcha" support from Symfony. Well, that is just using HttpClient in a method. I assumed there might be some classes in there for this, but not according to that page.
I tried that, but that requires us to migrate our forms to Symfony as well, and I couldn't get that to work because our controllers do not extend Symfony's AbstractController. It's a rabbit hole to get even started.
I have been experiencing an increase in spam mails via the error report form.
I agree with the comments and closing of #1211. However, bot farm requests from different origins are now creating almost daily tickets across our SSP instances.
This patch adds a simple honeypot with the common input name "name".
I have added it to some of our prod instances and have not received any spam error reports, and no false positives from them, ever since.
It is easy to test by setting the "name" input value to a non-empty string via the browser's Inspect function before submitting the report, and it does not affect real error reports because the input element is invisible to human users.
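To make the technique in the description concrete, here is an added PHP illustration (not code from this pull request or from SimpleSAMLphp) of the decoy field and the server-side check; the field name "name" follows the PR, while the CSS-based hiding, the logging and the handler shape are assumptions.

```php
<?php
// Honeypot spam check for a form post (added illustration, not SimpleSAMLphp code).
// Convention from the PR description: a field named "name" is rendered but hidden
// from human users, so any non-empty value marks the request as automated.

const HONEYPOT_FIELD = 'name';

/** Markup for the decoy input, placed inside the error-report form. */
function honeypotInputHtml(): string
{
    // Hidden via CSS rather than type="hidden" (assumption, common practice):
    // form-filling bots usually skip type="hidden" inputs but fill text inputs
    // whose name looks familiar. tabindex/autocomplete/aria-hidden keep keyboard
    // users and assistive technology from landing on the field.
    return '<div style="position:absolute;left:-10000px" aria-hidden="true">'
         . '<label for="hp_name">Name</label>'
         . '<input id="hp_name" type="text" name="' . HONEYPOT_FIELD . '" '
         . 'value="" tabindex="-1" autocomplete="off"></div>';
}

/** True for a human submission, false when the honeypot was filled. */
function isHumanSubmission(array $post): bool
{
    $value = $post[HONEYPOT_FIELD] ?? '';
    if (!is_string($value)) {
        return false; // arrays etc. never come from the real form
    }
    return trim($value) === '';
}

/**
 * Process a submitted report. Spam is logged and silently dropped, but the
 * response is identical to the real one so bots get no signal to adapt to.
 */
function handleErrorReport(array $post, callable $sendMail, callable $log): string
{
    if (!isHumanSubmission($post)) {
        $log('error report discarded: honeypot field "' . HONEYPOT_FIELD . '" was filled');
    } else {
        $sendMail($post['text'] ?? '');
    }
    return 'Thank you for your report.';
}

// Constructed sample requests, as a browser (left) and a form-filling bot (right) would send them.
$human = ['text' => 'Login fails after update', HONEYPOT_FIELD => ''];
$bot   = ['text' => 'cheap offers http://example.invalid', HONEYPOT_FIELD => 'John'];
$log   = static fn(string $m) => error_log($m);
$mail  = static fn(string $body) => print("would mail: $body\n");
handleErrorReport($human, $mail, $log); // mails the report
handleErrorReport($bot, $mail, $log);   // logs and drops, same response text
```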