[Mailman-Developers] UI for Mailman 3.0 update

Rich Kulawiec rsk at gsp.org
Wed Jun 9 04:12:18 CEST 2010

On Sun, Jun 06, 2010 at 04:29:14PM -0400, Crist?bal Palmer wrote:
> The ability to use reCAPTCHA or other CAPTCHA systems as part of the
> web signup would also significantly reduce spammy signups, so if we
> could have MM3 ship with a CAPTCHA system and/or support for a class
> of CAPTCHA systems in the default web UI, that would be super.

No, it won't.  Spammers have quite thoroughly defeated these, years
ago, via an assortment of techniques.  Yes, some deployments don't
see this: they're not considered important enough to attack.  But
as Yahoo most recently found (and they're only the most recent entry
in a long parade) when spammers or other abusers decide it's time,
they can rapidly solve them by the tens of thousands.

Moreover, there's really no need for spammers to trouble themselves
with this approach.  If the goal is address-harvesting, then there
are far more efficient ways that yield much better results.  If the
goal is to spam the list, then it's much easier to hijack an
already-subscribed account -- particularly if it's located at one
of the many freemail providers whose security is weak, but alternatively
by via the subscriber's own system.

There does not exist a truly effective defense against these attack
vectors for lists of substantial size.  (Very small lists can be defended
by limiting membership, mail account location and operating system but
these are clearly special cases and these tactics don't scale.)
This isn't surprising, nor is it Mailman's fault: when the adversary
owns so much infrastructure, it's just not going to be possible to
craft defenses that work other than temporarily and accidentally.

One mitigation step -- and it's not a terribly good one, but at least
it's one with minimal impact -- is to employ the policy that list
subscribers posting from freemail providers are always moderated.
Of course this only intercepts one vector and of course it requires
manual intervention -- which is why I *said* it's not terribly good.
But experiments I've run indicate that at least for the moment, it
deals with the most likely attack vector, and it has the virtue of
using an existing mechanism.

But, captchas?  Pre-defeated.


More information about the Mailman-Developers mailing list