[Mailman-Users] Automated Subscription Bots Inundating List Owners With Subscription Requests

Brad Knowles brad at shub-internet.org
Tue Oct 23 18:37:49 CEST 2012

On Oct 23, 2012, at 8:41 AM, jdd <jdanield at free.fr> wrote:

> that said there are some real human paid to catch web site, and against that no luck :-(

There's an old axiom in the security business that no defense can stop a sufficiently motivated attacker with sufficient resources.  The US Secret Service knows this all too well, as they continue to try to protect the President (whoever that might be) against assassination attempts.

The "PlayThru" solution from areyouahuman.com is an interesting concept, but there are some other interesting alternatives as well.  Among other things, I don't think that PlayThru would work for the visually-challenged, but then I've only read part of the FAQs so perhaps this is something they address later.

One interesting concept I've seen has been to use a mathematical function that is easy to compute (on your end), but hard to reverse (on the other end).  Then you do a challenge-response query and they don't even get to see the "submit" button until the calculations are complete (automated via JavaScript, of course).

They could potentially hack the JavaScript, and maybe try to apply algorithms to speed up the calculations, so you have to choose carefully.  Make the problem big enough, and even the biggest Google-enabled "rainbow tables" won't help, and it will be impossible to bypass with human-enabled methods.

The problem there is to *AVOID* making the problem so hard that your "real" customers are also prevented from being able to post -- that would be throwing the baby out with the bathwater.

Brad Knowles <brad at shub-internet.org>
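
The challenge-response idea described in the message above, as an added example that is not part of the original post and is not Mailman code. It assumes a hashcash-style puzzle (SHA-256 partial preimage), since the post names no specific function; `issueChallenge`, `solve` and `verify` are hypothetical names, and in a real form `solve` would run in the page's JavaScript before the submit button is shown.

```javascript
// Added example: hashcash-style proof-of-work gate for a subscribe form.
const crypto = require('crypto');

const SERVER_KEY = crypto.randomBytes(32); // server secret, never sent to clients
const spent = new Set();                   // salts already redeemed (replay guard)

const sha256 = (s) => crypto.createHash('sha256').update(s).digest();
const sign = (body) => crypto.createHmac('sha256', SERVER_KEY).update(body).digest('hex');

// Number of leading zero bits in a digest.
function leadingZeroBits(buf) {
  let bits = 0;
  for (const byte of buf) {
    if (byte !== 0) return bits + Math.clz32(byte) - 24;
    bits += 8;
  }
  return bits;
}

// Server: the MAC binds salt, difficulty and expiry, so a client that edits
// the JavaScript cannot lower the difficulty or extend the deadline.
function issueChallenge(bits, ttlMs, now = Date.now()) {
  const body = `${crypto.randomBytes(16).toString('hex')}.${bits}.${now + ttlMs}`;
  return `${body}.${sign(body)}`;
}

// Client: search for a counter whose hash has `bits` leading zero bits.
// Expected cost is about 2^bits hashes; there is no shortcut to precompute
// because the salt is fresh for every challenge.
function solve(challenge) {
  const bits = Number(challenge.split('.')[1]);
  for (let n = 0; ; n++) {
    if (leadingZeroBits(sha256(`${challenge}:${n}`)) >= bits) return n;
  }
}

// Server: checking costs one HMAC and one hash, whatever the difficulty.
function verify(challenge, n, now = Date.now()) {
  const parts = challenge.split('.');
  if (parts.length !== 4 || !Number.isInteger(n) || n < 0) return false;
  const [salt, bits, expires, mac] = parts;
  const expected = Buffer.from(sign(`${salt}.${bits}.${expires}`));
  const given = Buffer.from(mac);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return false;
  if (now > Number(expires) || spent.has(salt)) return false;
  if (leadingZeroBits(sha256(`${challenge}:${n}`)) < Number(bits)) return false;
  spent.add(salt); // each solved challenge admits exactly one submission
  return true;
}
```

Each extra bit of difficulty doubles the client's expected work, so the value has to be tuned against the slowest devices real subscribers use, which is the trade-off the post's last paragraph warns about.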
