[Mailman-Users] creating hidden field to stop bot spamsubscriptionrequest

Stephen J. Turnbull stephen at xemacs.org
Sun Dec 16 15:29:58 CET 2012

Richard Damon writes:

 > These methods are designed to repel "most" attacks.

Sure, that is understood.  The problem is that if a particular method
is recommended here, there will be a request to add it to Mailman.  At
that point it becomes worth breaking the defense.

 > The idea is these bots are written to do as little processing as
 > needed to find entry vectors. If you are step more difficult than
 > most, then it isn't worth upgrading the bot to beating the defense,
 > as the additional processing to get to you costs a lot more sites
 > not checked.

AFAICS this is a myth.  I think the bots are probably written to do
little processing mostly because the programmers are busy, and parsing
is relatively hard to implement well compared to just POSTing a
request out of the blue.

Certainly the professional spammers lack for neither CPU nor
bandwidth, since they have access to botnets.

 > The one thing the list owner has going is that it is unlikely that
 > they are a big enough of a unique target to attract a dedicated
 > spammer.

Precisely.  That's why these things need to be done on a site by site
basis; discussing them here, and especially putting them into the
Mailman distributions, is likely to decrease their effectiveness.

More information about the Mailman-Users mailing list