[Mailman-Developers] UI for Mailman 3.0 update

Stephen J. Turnbull stephen at xemacs.org
Tue Jun 15 06:15:47 CEST 2010


Eric Bloch writes:

 > My experience is not limited nor second hand.  We get scanned by
 > plenty of bots every day.

Heck, I can beat that: some of my sites get scanned by more bots than
they have actual users.<wink>  The question of "limited" is "how many
different sites/kinds of sites do you have experience (e.g., log access)
on?"  In my case, it's a half dozen or so, plus the talk I hear from
other admins in the LUGs etc I hang out with.  You can surely beat
that, but does your experience generalize to a large fraction of
Mailman lists, so that it should be a standard option provided by
Mailman?

"Not every three-line patch needs to be a standard feature."  Or
300-line patch, for that matter.  But some do.  Are captchas a feature
that ordinary Mailman users need?  Or are they something that "if you
know enough to know why you need them, you know enough to code an
appropriate Handler"?  (Or snaffle one from the CheeseShop, for that
matter.)  I have my opinion ;-), but I'm willing to be corrected. :-|

 > We also see captchas broken every day by some bots.  Not all bots
 > break the captchas.  Not all are trying to, either of course.

This is the post hoc part.  Of course, you see this, I was assuming
you do.

 > But without the captchas, the ones that weren't even trying would
 > be getting to things we don't want them to get at.  It's that
 > simple.

This is the propter hoc part.  It's not that simple.  Captcha-using
pages are *different* from non-captcha pages.  What is it in your
experience that shows that the captcha has any additional effect
compared to *other* differences that are less annoying to bona fide
users?

I subscribe to a *lot* of Mailman lists.  I would be mildly annoyed if
uninformed list owners started using captchas just because they're
easy to configure and because a lot of big names use them.  At this
point, I don't see a good reason to make it easy to annoy millions of
subscribers that way.  Or lose them, for that matter; I'm an Anonymous
Coward on more than one site because I couldn't be bothered to use my
"neural network" to break the captchas.  Especially in open source
development, the "frivolous" contributions (e.g., one-off bug reports)
add up --- we really don't want to encourage "features" of known cost
to the individual subscriber and dubious benefit to the list community.

Not to mention that this is an "arms race game": the more captchas are
used, the more 'bots will be programmed to recognize *and break* them.
You admit that you already see successful break-ins "every day", and
the rate will only increase.  They're really mostly suitable for
well-informed admins who understand concepts like "defense in depth".  (But
again, those folks can typically cons up a patch pretty quickly.  These
parts of Mailman are not that hard to modify, especially in Mailman 3.)

I guess my bottom line is that if a captcha feature is provided
standard in Mailman 3, I believe that

(1) it should be configurable per list (and off by default);

(2) it should need to be enabled by the site admin (and off by
    default);

    The rationale for this is not just to make it harder to use the
    feature, but that the site admin is likely to be more expert in
    general to understand the limitations of the feature, and also
    some of the benefits and costs accrue to the site rather than to the
    list community, so the site admin should have some input.

(3) both configuration tools should have documentation indicating that
    captchas do not provide security; what they do is chase off the
    frivolous (both bona fide users and would-be abusers).  This is a
    genuine benefit in several ways for many lists; it's just not real
    security because serious abusers will get through.
