Richard Damon writes:
These methods are designed to repel "most" attacks.
Sure, that is understood. The problem is that if a particular method is recommended here, there will be a request to add it to Mailman. At that point it becomes worth breaking the defense.
The idea is these bots are written to do as little processing as needed to find entry vectors. If you are step more difficult than most, then it isn't worth upgrading the bot to beating the defense, as the additional processing to get to you costs a lot more sites not checked.
AFAICS this is a myth. I think the bots are probably written to do little processing mostly because the programmers are busy, and parsing is relatively hard to implement well compared to just POSTing a request out of the blue.
Certainly the professional spammers lack for neither CPU nor bandwidth, since they have access to botnets.
The one thing the list owner has going is that it is unlikely that they are a big enough of a unique target to attract a dedicated spammer.
Precisely. That's why these things need to be done on a site by site basis; discussing them here, and especially putting them into the Mailman distributions, is likely to decrease their effectiveness.