[Mailman-Users] misleading description

Stephen J. Turnbull stephen at xemacs.org
Sun May 4 01:19:05 CEST 2008


 > On 5/3/08, Zbigniew Szalbot wrote:

 > >              If the unsubscribe script cannot be exploited remotely, then
 > >  I do not see probing as a real threat (especially if additionally secured
 > >  by some captcha code or the like).

Note that people seem to really want one-click unsubscription.
CAPTCHA violates that design goal bigtime.

Brad Knowles writes:

 > CAPTCHAs are not secure.

CAPTCHA-meme, die!  Die, die, die, I say!  Die-die-die-die-die!

Anyway, what Brad said being taken as given, what seems to be the case
is that trivial CAPTCHAs like

<!-- Guess which FAQ-o-matic uses this CAPTCHA, successfully AFAIK! -->
<form>
Please type "CAP-ME" in the box:
<input type="password" size="32"
       name="nobody_would_guess_im_a_captcha_cause_theres_no_image">
<submit>
</form>

give all the protection that a CAPTCHA can give.  This is somewhat
effective, because if the 'bot doesn't expect that particular CAPTCHA,
it will lose.  And that's the best you can do.

What I conclude is that CAPTCHAs are a reasonable way for some low-to-
moderate-traffic sites to shift the burden of spam-fighting to their
users and to other sites, but that if Mailman ever implemented one,
that would immediately make Mailman sites a target for automated
CAPTCHA breaking.  So sites serious about using CAPTCHA to discourage
spamming would need to implement their own, anyway.



More information about the Mailman-Users mailing list