PHP: Anti-Flood (Honeypot)


I have an upload form that we are using in-house to allow customers to upload photos of their broadband setups (as an aid to diagnostic checking) and I am currently thinking of security concerns.

I initially thought of an elaborate "IP ban if more than 5 uploads in X minutes" solution, but as I thought more about it, I don't need that. Does the honeypot technique still work? (A form input hidden via CSS; process the submission as spam if it has an entry.)

What are your opinions on the best way to try and mitigate users trying to upload faux pics? I thought of a simple IP ban; this wouldn't get bots, as they tend to change their IPs each attack, but it would stop most ordinary users.

Please bear in mind that the photos, once uploaded, are not visible to a user; they are only visible to our staff, behind a login script. I don't want to go overboard with security on such a simple system, but I don't want to make it easy for regular users to mess with us.

While this is a highly opinionated question and therefore it is not necessarily ideal for StackOverflow, I will provide my personal opinion/suggestion for this:

I would recommend a combination of temporary IP blocks and Google's reCAPTCHA (as Samuel mentioned in the comments). While this is a barrier for users, it is also one of the most effective methods against automated spamming and automated uploading. Combined with IP blocks, this would prevent both spamming bots and malicious/annoying human users that simply want to flood your website by uploading tons of images.

Also, bear in mind that reCAPTCHA has come quite a ways from having to type in grainy letters and numbers. Nowadays, a user simply has to click a checkbox and, occasionally, select a few images that contain some item/object. It's still a hindrance, but for a human user this takes no more than 5-15 seconds (if they have to select images at all), and it will block nearly any automated bot.

Further, I would advise against the honeypot technique. The operating principle of the hidden field is that a bot will still fill out the hidden field because it won't run the JavaScript, but this has changed quite a bit. While there are still some bots that may fall for it, bots can be easily written that run atop a web browser (which will execute the JavaScript to hide the "honeypot" field) and only interact with visible elements on the page. As such, this may stop a small portion of bots, but I would doubt its effectiveness nowadays.

Of course, as stated, this is highly opinionated, so your mileage may vary and other users may have different opinions.
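The combination the answer recommends, a temporary per-IP block plus a server-side reCAPTCHA check, looks roughly like the following. This is an added example, not code from the question or the answer. It assumes a PHP 8 handler for the upload form, a constructed JSON file in the system temp directory as the counter store (APCu, Redis or a database row would replace it in a real deployment), the assumed limits of 5 uploads per 10 minutes with a 30 minute block, the standard `g-recaptcha-response` form field, and a placeholder in place of the real reCAPTCHA secret.

```php
<?php
// Added example (not from the original post): sliding-window upload limiter with a
// temporary per-IP block, followed by a server-side reCAPTCHA verification.
declare(strict_types=1);

final class UploadFloodGuard
{
    public function __construct(
        private string $storePath,
        private int $maxUploads = 5,      // assumed: uploads allowed per window
        private int $windowSeconds = 600, // assumed: 10 minute sliding window
        private int $blockSeconds = 1800  // assumed: length of the temporary block
    ) {}

    /** Returns true if the client may upload now, recording the attempt if so. */
    public function allow(string $ip, ?int $now = null): bool
    {
        $now ??= time();
        $state = $this->load();
        $entry = $state[$ip] ?? ['times' => [], 'blocked_until' => 0];

        if ($entry['blocked_until'] > $now) {
            return false;                           // still inside the temporary block
        }
        // Forget attempts that have fallen out of the sliding window.
        $entry['times'] = array_values(array_filter(
            $entry['times'],
            fn(int $t): bool => $t > $now - $this->windowSeconds
        ));
        if (count($entry['times']) >= $this->maxUploads) {
            $entry['blocked_until'] = $now + $this->blockSeconds;
            $state[$ip] = $entry;
            $this->save($state);
            return false;                           // limit hit: start the block
        }
        $entry['times'][] = $now;
        $state[$ip] = $entry;
        $this->save($state);
        return true;
    }

    private function load(): array
    {
        if (!is_file($this->storePath)) {
            return [];
        }
        $data = json_decode((string) file_get_contents($this->storePath), true);
        return is_array($data) ? $data : [];
    }

    private function save(array $state): void
    {
        file_put_contents($this->storePath, json_encode($state), LOCK_EX);
    }
}

/** Verifies a reCAPTCHA token against Google's siteverify endpoint; fails closed. */
function recaptchaPassed(string $secret, string $token, string $ip): bool
{
    if ($token === '') {
        return false;
    }
    $ch = curl_init('https://www.google.com/recaptcha/api/siteverify');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query([
            'secret' => $secret, 'response' => $token, 'remoteip' => $ip,
        ]),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    if (!is_string($body)) {
        return false;                               // network error: treat as failed
    }
    $result = json_decode($body, true);
    return is_array($result) && ($result['success'] ?? false) === true;
}

// Request handling for the upload form (assumed field names and placeholder secret).
$ip    = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
$guard = new UploadFloodGuard(sys_get_temp_dir() . '/upload_guard.json');

if (!$guard->allow($ip)) {
    http_response_code(429);
    exit('Too many uploads from your address; please try again later.');
}
if (!recaptchaPassed('RECAPTCHA_SECRET_PLACEHOLDER', $_POST['g-recaptcha-response'] ?? '', $ip)) {
    http_response_code(403);
    exit('CAPTCHA check failed.');
}
// ... validate the MIME type and size of $_FILES['photo'] and store it here.
```

The rate limit runs before the CAPTCHA call on purpose: it is cheap and it counts every attempt, so an address that hammers the form with failing CAPTCHA tokens still ends up blocked rather than costing a siteverify round trip each time. Two caveats apply to any deployment: `REMOTE_ADDR` is only the real client address when the app is not behind a proxy or load balancer (otherwise take it from the proxy's forwarded header and trust only that proxy), and the JSON file store is single-host and only locks on write, which is why a shared cache or database belongs there in production.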