Our rails app allows users who are not logged in to message registered users which creates a message object, stores it in our database and then emails the contents to a registered user. On our staging app, we have started to receive a lot of spam from bots that are crawling our site. We are worried about 2 things:

1. The inconvenience to our users
2. SQL injection or any other security vulnerabilities that we are not thinking about that could occur in this context

What are some good ways to combat this problem? I understand that we could implement a captcha system but that is not ideal from a user-experience perspective. We could also block IPs in places like China (or wherever the attacks are originating from) but we also might want to serve users in China.

Also, I believe that rails has built-in functionality to sanitize query strings and prevent SQL injection but is this on by default? Are there other things we should be concerned about preventing in this case that rails does not handle by default?

Any suggestions?

You may wish to implement a honeypot in your forms. It is essentially a blank, hidden field in your form that no user would fill in (since it's hidden), but a spam bot would likely fill in. Be sure to label the field accordingly though for accessibility.

Rails is able to protect against SQL injections in most cases, you can read more about it in the Rails guide on security. That entire guide page is a good read.

Try 'honeypot-captcha' gem -- easiest way to add honeypot captchas to rails forms. Works pretty well.