[Mailman-Users] creating hidden field to stop bot spam subscription request

Richard Damon Richard at Damon-Family.org
Sat Dec 15 03:08:00 CET 2012


On 12/14/12 12:52 PM, Mark Sapiro wrote:
> The League CA Cities wrote:
>> Some of my lists are being spammed with bot subscription requests. I am
>> looking for a way to add a hidden field to the subscription page of each
>> list that a bot would see but a human user will not.
>>
>> I would like to have Mailman automatically drop any subscription request
>> that has the hidden field filled out.
>
> This is not a solution to the problem you face. What you want is a
> hidden field in the form that contains secret data the bot doesn't
> know. Then you reject the request if the form comes back without the
> secret.
>
Actually that is a well-known method to stop many bots. They will crawl
the web looking for subscription forms, and when they find one, fill it
out. If you add a field to the form that humans with normal web browsers
will not see, and thus not fill out, then a bot that is filling out most
fields (as it might be a required field, and they don't want to make the
effort to try to parse a reply back) will trip up and fill in the
honeypot field.

Normally this is done by using CSS to hide the field, using the
attribute display:none.

For other types of bots, having a key on the page that is needed to be
returned will help, as it will catch bots that "know" what the
subscription form looks like and just go around trying to submit it.
Even better is to give out different keys each time, and checking that
the key isn't too old or too young (figuring a human will take at least
a few seconds to fill out the form, but the bot won't be patient enough
to do that).

-- 
Richard Damon
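
[Added example, not part of the original message and not Mailman's own code.] A server-side check combining the two ideas discussed above: a honeypot field hidden with display:none, and a per-request key that is rejected when it is too young or too old. The field names, secret key and time limits are assumptions chosen for illustration.

```python
import hashlib
import hmac
import time

# All names and limits below are illustrative assumptions, not Mailman settings.
SECRET_KEY = b"replace-with-a-random-site-secret"  # placeholder value
HONEYPOT_FIELD = "website"      # rendered in the form but hidden via display:none
TOKEN_FIELD = "sub_form_token"  # hidden input carrying "<issued>:<hmac>"
MIN_AGE = 5                     # seconds a human needs to fill out the form
MAX_AGE = 3600                  # seconds before a served form goes stale


def _sign(list_name, issued):
    # Bind the key to the list and the issue time so it cannot be reused elsewhere.
    msg = f"{list_name}:{issued}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(list_name, now=None):
    """Value to embed in the hidden token field each time the form is served."""
    issued = int(time.time() if now is None else now)
    return f"{issued}:{_sign(list_name, issued)}"


def check_submission(list_name, form, now=None):
    """Return (accepted, reason) for a submitted form given as a dict of strings."""
    now = time.time() if now is None else now
    # A normal browser never shows the honeypot, so any content means a bot.
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot field filled"
    issued_str, _, mac = form.get(TOKEN_FIELD, "").partition(":")
    well_formed = issued_str.isascii() and issued_str.isdigit() and len(issued_str) <= 12
    if not well_formed or not mac:
        return False, "token missing or malformed"
    issued = int(issued_str)
    # Constant-time comparison; compare bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(mac.encode(), _sign(list_name, issued).encode()):
        return False, "token signature invalid"
    age = now - issued
    if age < MIN_AGE:
        return False, "submitted too quickly"
    if age > MAX_AGE:
        return False, "token expired"
    return True, "ok"
```

The token is stateless, so the same value can be submitted more than once until it expires; recording used tokens on the server would make it single-use.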
