[Mailman-Developers] CAPTCHA support

Rich Kulawiec rsk at gsp.org
Sat Mar 5 21:37:36 EST 2016


On Sat, Mar 05, 2016 at 04:27:31PM +0530, Aditya Divekar wrote:
> I was looking around the mailman code, and could not find the functionality
> for captcha in the mailing lists subscription pages.

As someone who has been studying email abuse for 30+ years, I strongly
recommend against captchas for several reasons.

First, as noted elsewhere in this thread, they're problematic for impaired
or disabled users.

Second, they've been quite thoroughly defeated by advances in image
processing and character recognition.  We have long since passed the
point where the difficulty of captchas solvable by software has
exceeded the difficulty of captchas solvable by humans.

Third, as often noted elsewhere, it is relatively easy to conscript
humans (knowingly or unknowingly) into the mass solving of captchas.

Fourth, either a given instance is or is not a target of interest
to adversaries. If it is not, the captchas are of course not needed.
If it is, then they will not help: any modestly-clueful adversary
will go through them like they're not even there.

Bottom line: captchas are, at best, wishful thinking.  There is zero
operational reason to deploy them in 2016.

---rsk


More information about the Mailman-Developers mailing list