[Mailman-Users] creating hidden field to stop bot spam subscription request
Stephen J. Turnbull
stephen at xemacs.org
Sun Dec 16 15:29:58 CET 2012
Richard Damon writes:
> These methods are designed to repel "most" attacks.
Sure, that is understood. The problem is that if a particular method
is recommended here, there will be a request to add it to Mailman. At
that point it becomes worth breaking the defense.
> The idea is these bots are written to do as little processing as
> needed to find entry vectors. If you are a step more difficult than
> most, then it isn't worth upgrading the bot to beat the defense,
> as the additional processing to get to you costs a lot more sites
> not checked.
AFAICS this is a myth. I think the bots are probably written to do
little processing mostly because the programmers are busy, and parsing
is relatively hard to implement well compared to just POSTing a
request out of the blue.
Certainly the professional spammers lack for neither CPU nor
bandwidth, since they have access to botnets.
> The one thing the list owner has going is that it is unlikely that
> they are a big enough of a unique target to attract a dedicated
Precisely. That's why these things need to be done on a site by site
basis; discussing them here, and especially putting them into the
Mailman distributions, is likely to decrease their effectiveness.