[Mailman-Developers] UI for Mailman 3.0 update

Eric Bloch Eric.Bloch at marklogic.com
Tue Jun 15 04:56:17 CEST 2010

My experience is not limited nor second hand. We get scanned by plenty of bots every day.
We also see captchas broken every day by some bots. Not all bots break the captchas. Not
all are trying to, either, of course. But without the captchas, the ones that weren't even trying
would be getting to things we don't want them to get at. It's that simple. Not a solution, just a screen door
in the way - one that I don't mind asking my users to open up by hand as they come in.


From: Stephen J. Turnbull [stephen at xemacs.org]
Sent: Monday, June 14, 2010 7:11 PM
To: Eric Bloch
Cc: Cristóbal Palmer; mailman-developers at python.org
Subject: Re: [Mailman-Developers] UI for Mailman 3.0 update

Eric Bloch writes:

 > I am a lurker here and can concur with Cristóbal's sentiments wrt
 > captchas.  I run http://markmail.org where we provide a search
 > index for thousands of public mailman lists (and google groups and
 > other mailing lists as well).  The captchas we use (for a variety
 > of purposes) aren't perfect, but they get rid of a lot of junk.

How do you know?  "Post hoc ergo propter hoc" is a fallacy.

In my (limited and often second-hand) experience, *any* change to a
form reduces "junk" dramatically.  Simply using obfuscated names for
signup fields (such as swapping the email address variable name and
the full name variable name) often reduces signups (presumably the
difference is 'bots) significantly.  I've heard one report that
switching from a homebrew CMS to Drupal (IIRC) was followed by a
dramatic increase in signups ... most of the increase being bogus.
Nothing against Drupal, just that it apparently provides standard
forms for certain purposes, and 'bots take advantage.  Any standard
and common system (eg, Mailman) which recruits members would face the
same problem.

Do cosmetic changes work as well as captcha?  I don't know.  I do know
that about 2 years ago I downloaded one of the gocr-based captcha
breakers and watched it get 5% to 40% success rates against a
star-studded cast (don't recall exactly, but the likes of Google and
Yahoo were in there).  95% "correct" answers may sound good to a
college student taking a final exam, but what that means in the case
of captchas is bogus signups at a maximum rate of about 3/min.  Oops.

My conclusion (lacking other data) is that the cost of annoying my
users is far greater than the potential benefit.  I don't intend to
even try to collect real data on captcha efficacy. ;-)
