[Mailman-Users] creating hidden field to stop bot spam subscriptionrequest

Stephen J. Turnbull stephen at xemacs.org
Sat Dec 15 03:27:27 CET 2012

Mark Sapiro writes:
 > The League CA Cities wrote:

 > >some of my list are being spammed with bot subscription request. I am
 > >looking for a way to add a hidden field to the subscription page of each
 > >list that a bot would see but a human user will not.
 > >
 > >I would like to have Mailman automatically drop any subscription request
 > >that has the hidden field fill out.
 > This is not a solution to the problem you face. What you want is a
 > hidden field in the form that contains secret data the bot doesn't
 > know. Then you reject the request if the form comes back without the
 > secret.

This won't work if the 'bot is actually visiting the subscription page
first; even a CSRF cookie (or any other one-time-key) will fail.  This
wouldn't be hard for spammers to implement at all.  And of course
anything you don't tell the 'bot will probably not be known.

Actually, all you want is a custom form requiring the user to enter
some data that they won't know unless they actually understand the
text of the form (aka CAPTCHA, but there's probably no need to vex
your users with distorted images of text as long as it's not a
standard Mailman feature).  Something like

Tell me again, what list do you want to subscribe to? [       ]

would do.

More information about the Mailman-Users mailing list