On 12/14/12 10:58 PM, Mark Sapiro wrote:
Richard Damon wrote:
For other types of bots, having a key on the page that needs to be returned will help, as it will catch bots that "know" what the subscription form looks like and just go around trying to submit it. Even better is to give out different keys each time, and to check that the key isn't too old or too young (figuring a human will take at least a few seconds to fill out the form, but the bot won't be patient enough to do that).
Except for the "too young" part this is what is implemented by http://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1371. Too young could be a useful addition.
But, as Stephen points out, if the people who deploy these bots are really interested in "getting the job done", they will figure out all these tricks and deploy new bots that will succeed in spite of us.
The asking of a question which requires an "obvious to a human but extremely difficult to a machine" answer is probably the best defence as long as the questions and answers aren't fixed over many Mailman installations.
These methods are designed to repel "most" attacks. The basic idea is to make it difficult enough to "beat the defense" that the spammer goes elsewhere. The idea is these bots are written to do as little processing as needed to find entry vectors. If you are a step more difficult than most, then it isn't worth upgrading the bot to beat the defense, as the additional processing to get to you costs a lot more sites not checked.
Since the whole purpose of the subscription page is to allow an interested person to subscribe, it becomes very hard to totally block the spammer, as if they really want YOU, then the cost to have a person do it manually isn't that extremely high. The one thing the list owner has going is that it is unlikely that they are a big enough unique target to attract a dedicated spammer. What might be more of an issue would be a "hacktivist", but that is a totally different type of protection needed.
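One way to realise the per-request form key discussed above, including the "too young" check that Mark notes is missing from revision 1371, as an added example that is not Mailman's code: the key carries its issue time and an HMAC over it, so the server stores nothing and rejects keys that are forged, stale, or submitted faster than a person could fill the form. The secret and the age limits are constructed values for the example.

```python
# Added example (not Mailman's code): a signed, time-bounded form key.
# The key is "timestamp.mac"; the server keeps no per-key state and checks
# signature, then age (too young = bot-speed submission, too old = stale).
import hashlib
import hmac
import time
from typing import Optional

# Constructed secret for the example; a deployment generates its own.
SECRET = b"example-site-secret-not-for-production"

MIN_AGE = 5       # seconds: a human needs at least this long to fill the form
MAX_AGE = 1800    # seconds: after this the key is considered stale


def make_key(secret: bytes, now: Optional[float] = None) -> str:
    """Return 'timestamp.mac' with mac = HMAC-SHA256(secret, timestamp)."""
    ts = str(int(now if now is not None else time.time()))
    mac = hmac.new(secret, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def check_key(secret: bytes, key: str, now: Optional[float] = None,
              min_age: int = MIN_AGE, max_age: int = MAX_AGE) -> str:
    """Return 'ok', or the reason the submitted key is rejected."""
    now = now if now is not None else time.time()
    ts, sep, mac = key.partition(".")
    if not sep or not ts.isdigit():
        return "malformed"
    expected = hmac.new(secret, ts.encode(), hashlib.sha256).hexdigest()
    # Constant-time compare so the check does not leak the valid MAC.
    if not hmac.compare_digest(mac, expected):
        return "bad_signature"
    age = now - int(ts)
    if age < min_age:
        return "too_young"
    if age > max_age:
        return "too_old"
    return "ok"


if __name__ == "__main__":
    issued = 1000.0
    key = make_key(SECRET, now=issued)
    for submitted in (issued + 2, issued + 60, issued + 1801):
        print(f"submitted {submitted - issued:.0f}s later:",
              check_key(SECRET, key, now=submitted))
```

The form handler embeds `make_key()` in a hidden field when rendering and calls `check_key()` on submission; any result other than `"ok"` is treated like a missing key.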