[Mailman-Users] creating hidden field to stop bot spam subscription request

Richard Damon Richard at Damon-Family.org
Sat Dec 15 16:59:27 CET 2012


On 12/14/12 10:58 PM, Mark Sapiro wrote:
> Richard Damon wrote:
>> For other types of bots, having a key on the page that is needed to be
>> returned will help, as it will catch bots that "know" what the
>> subscription form looks like and just go around trying to submit it.
>> Even better is to give out different keys each time, and checking that
>> the key isn't too old or too young (figuring a human will take at least
>> a few seconds to fill out the form, but the bot won't be patient enough
>> to do that).
>
> Except for the "too young" part this is what is implemented by
> <http://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1371>.
> Too young could be a useful addition.
>
> But, as Stephen points out, if the people who deploy these bots are
> really interested in "getting the job done", they will figure out all
> these tricks and deploy new bots that will succeed in spite of us.
>
> The asking of a question which requires an "obvious to a human but
> extremely difficult to a machine" answer is probably the best defence
> as long as the questions and answers aren't fixed over many Mailman
> installations.
>
These methods are designed to repel "most" attacks. The basic idea is to
make it difficult enough to "beat the defense" that the spammer goes
elsewhere. The idea is that these bots are written to do as little processing
as needed to find entry vectors. If you are a step more difficult than
most, then it isn't worth upgrading the bot to beat the defense, as
the additional processing to get to you costs a lot more sites not checked.

Since the whole purpose of the subscription page is to allow an
interested person to subscribe, it becomes very hard to totally block
the spammer, as if they really want YOU, then the cost to have a person
do it manually isn't that extremely high. The one thing the list owner
has going is that it is unlikely that they are a big enough unique
target to attract a dedicated spammer. What might be more of an issue
would be a "hacktivist", but that is a totally different type of
protection needed.

-- 
Richard Damon
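The per-request form key with "too old" and "too young" checks discussed in the thread, as an added example that is not Mailman's own code (the Mailman 2.1 implementation linked above differs in detail): the key carries its issue time and a random nonce under an HMAC, and the server rejects keys that are forged, stale, or submitted faster than a human could fill out the form. The names, the secret, and the age limits are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumed server-side secret; a real deployment loads it from config, not source.
SECRET_KEY = secrets.token_bytes(32)
MIN_AGE = 5      # seconds: a human needs at least this long to fill out the form
MAX_AGE = 3600   # seconds: anything older than this is a stale, probably replayed key

def issue_token(now=None, secret=SECRET_KEY):
    """Mint a fresh key for one rendering of the subscription form.

    The nonce makes every key different, so a bot cannot pre-record one
    'known good' key and reuse it across submissions."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    tag = hmac.new(secret, f"{ts}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{nonce}:{tag}"

def check_token(token, now=None, secret=SECRET_KEY,
                min_age=MIN_AGE, max_age=MAX_AGE):
    """Validate a submitted key. Returns (ok, reason).

    Order matters: the signature is checked before the timestamp is trusted,
    otherwise a bot could simply write whatever issue time it likes."""
    parts = token.split(":")
    if len(parts) != 3 or not parts[0].isdigit():
        return False, "malformed"
    ts_s, nonce, tag = parts
    expected = hmac.new(secret, f"{ts_s}:{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad signature"
    age = int(time.time() if now is None else now) - int(ts_s)
    if age < min_age:
        return False, "too young"   # submitted faster than a person could type
    if age > max_age:
        return False, "too old"
    return True, "ok"

if __name__ == "__main__":
    key = issue_token()
    print(check_token(key))  # immediate submission is rejected as too young
```

A replay cache of already-accepted nonces would additionally stop one valid key from being submitted twice inside the window; it is left out here to keep the check stateless.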


