Mark Sapiro writes:
The League CA Cities wrote:
Some of my lists are being spammed with bot subscription requests. I am looking for a way to add a hidden field to the subscription page of each list that a bot would see but a human user will not.
I would like to have Mailman automatically drop any subscription request that has the hidden field filled out.
This is not a solution to the problem you face. What you want is a hidden field in the form that contains secret data the bot doesn't know. Then you reject the request if the form comes back without the secret.
This won't work if the 'bot is actually visiting the subscription page first; even a CSRF cookie (or any other one-time-key) will fail. This wouldn't be hard for spammers to implement at all. And of course anything you don't tell the 'bot will probably not be known.
Actually, all you want is a custom form requiring the user to enter some data that they won't know unless they actually understand the text of the form (aka CAPTCHA, but there's probably no need to vex your users with distorted images of text as long as it's not a standard Mailman feature). Something like
Tell me again, what list do you want to subscribe to? [ ]
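
The three checks discussed in this thread (honeypot field, hidden secret, and a question that requires reading the page), combined in one server-side validator. This is an added example, not part of the original messages and not Mailman code; the field names `website`, `token` and `which_list`, the key, and the token lifetime are all assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: per-site key, kept server-side
MAX_AGE = 3600                    # assumption: token lifetime in seconds


def _mac(listname, ts):
    return hmac.new(SECRET, f"{listname}:{ts}".encode(), hashlib.sha256).hexdigest()


def issue_token(listname, now=None):
    """Value for the hidden field: issue time plus an HMAC over list and time."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}:{_mac(listname, ts)}"


def check_subscription(listname, form, now=None):
    """Return (accepted, reason) for a submitted subscribe form (a dict)."""
    now = time.time() if now is None else now
    # 1. Honeypot from the original question: hidden from humans, so it stays empty.
    if form.get("website", ""):
        return False, "honeypot filled"
    # 2. Hidden secret: stops blind POSTs, but a bot that fetches the form
    #    first gets a valid token, which is the objection raised in the reply.
    ts, _, mac = form.get("token", "").partition(":")
    if not (ts.isascii() and ts.isdigit()):
        return False, "token missing"
    if not hmac.compare_digest(mac.encode(), _mac(listname, ts).encode()):
        return False, "token invalid"
    if now - int(ts) > MAX_AGE:
        return False, "token expired"
    # 3. Question that needs the page text to be understood: which list is this?
    if form.get("which_list", "").strip().lower() != listname.lower():
        return False, "wrong answer"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample submissions for a list named "test-list".
    tok = issue_token("test-list")
    samples = [
        {"token": tok, "which_list": "test-list", "website": ""},
        {"token": tok, "which_list": "test-list", "website": "http://example.invalid"},
        {"token": tok, "which_list": "", "website": ""},
    ]
    for form in samples:
        print(check_subscription("test-list", form))
```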