It's a test to find out if the agent that requested the page is human or some bot of some sort.
Assuming you can build such a test. Good luck.
That some other programmer can't cheat on. Even gooder luck.
If it's arbitrary, it's generated by some algorithm. If it's generated by some algorithm, I just need to figure out the algorithm and I can always get it.
There is some validity to the "the club" mentality, of "we don't have to fix it, we only have ot make it difficult enough to convince them to annoy someone else". But if we assume we're building the New Defacto Standard Listserver for the Internet here with mailman, that strategy fails, because if we succeed, then it becomes worth their time to find the anti-Club. Security by obscurity only works if you're really obscure, which implies failure of the software to thrive. I'm not interested in that (and even then, you aren't guaranteed success by being obscure).
Another way of looking at it is "I don't have to outrun the lion. I only have to outrun you" -- but that doesn't work if the lion is infinitely hungry and doesn't get tire.d Which defines a spambot.
I'm more and more ocnvinced the answer is simply putting admins behind a web form, and telling site admins to publicize an emergency address (like postmaster), and putting up a watcher on the system to set off alarms when it breaks.
If you've got a database mapping arbitrary number/name/string to an email address, then why not just have a web form that sends mail to that address knowing only the arbitrary value (and never divulge the email address)?
Basically, what I'm proposing. And I'm more and more convinced it's the right way to do this, for all that web forms are less personal than sending email directly. I think admins have to make themselves accessible. I don't think they have to make themselves accessible on the user's terms... Another of those tradeoffs.
-- Chuq Von Rospach, Architech chuqui@plaidworks.com -- http://www.chuqui.com/
The first rule of holes: If you are in one, stop digging.