[Python-Dev] Summary of Tracker Issues

Talin talin at acm.org
Wed May 16 07:51:04 CEST 2007


Terry Reedy wrote:
> My underlying point: seeing porno spam on the practice site gave me a bad 
> itch both because I detest spammers in general and because I would not want 
> visitors turned off to Python by something that is completely out of place 
> and potentially offensive to some.  So I am willing to help us not throw up 
> our hands in surrender.

Typically spammers don't go through the effort to do a custom login 
script for each different site. Instead, they do a custom login script 
for each of the various software applications that support end-user 
comments. So for example, there's a script for WordPress, and one for 
PHPNuke, and so on.

For applications that allow entries to be added via the web, the 
solution to spam is pretty simple, which is to make the comment 
submission form deviate from the normal submission process for that 
package. For example, in WordPress, you could rename the PHP URL that 
posts a comment to an article to a non-standard name. The spammer's 
script generally isn't smart enough to figure out how to post based on 
an examination of the page; it just knows that for WordPress, the way to 
submit comments is via a particular URL with particular params.

There are various other solutions. The spammer's client isn't generally 
a full browser; it's just a bare HTTP robot, so if there's some kind of 
JavaScript that is required to post, then the spammer probably won't be 
able to execute it. For example, you could have a hidden field which is 
a hash of the bug summary line, calculated by the JavaScript in the web 
form, which is checked by the server. (For people who have JS turned 
off, failing the check would fall back to a captcha or some other manual 
means of identification.)

Preventing spam that comes in via the email gateway is a little harder. 
One method is to have email submissions mail back a confirmation mail 
which must be responded to in some semi-intelligent way. Note that this 
confirmation step need only be done the first time a new user submits a 
bug, which can automatically add them to a whitelist for future bug 
submissions.

-- Talin
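
[Added example, not part of the original post and not the tracker's own code.] A server-side check for the hidden hash field described above, going one step further by binding the hash to a signed, expiring form token so a recorded value cannot be replayed. The field names (token, summary, proof), SERVER_KEY and TOKEN_TTL are assumptions made for illustration.

```python
import hashlib
import hmac
import time

SERVER_KEY = b"constructed-demo-key"  # assumption: per-deployment secret
TOKEN_TTL = 3600                      # assumption: a served form is valid for 1 hour


def _sign(ts):
    return hmac.new(SERVER_KEY, ts.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_form_token(now=None):
    """Token embedded in the served form; the form's JavaScript reads it."""
    ts = str(int(time.time() if now is None else now))
    return ts + "." + _sign(ts)


def expected_proof(token, summary):
    """Value the form's JavaScript must put in the hidden field:
    SHA-256 over the token and the bug summary line."""
    data = (token + "\n" + summary).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def check_submission(form, now=None):
    """Return 'accept', or 'captcha' to fall back to a manual check
    (covers bare HTTP robots and users with JavaScript turned off)."""
    now = time.time() if now is None else now
    token = form.get("token", "")
    summary = form.get("summary", "")
    proof = form.get("proof", "")
    ts, _, sig = token.partition(".")
    # Compare as bytes: compare_digest rejects non-ASCII str input.
    if not ts.isdigit() or not hmac.compare_digest(
            sig.encode("utf-8"), _sign(ts).encode("utf-8")):
        return "captcha"              # token missing or not issued by us
    if now - int(ts) > TOKEN_TTL:
        return "captcha"              # stale form, possibly replayed
    want = expected_proof(token, summary).encode("utf-8")
    if not hmac.compare_digest(proof.encode("utf-8"), want):
        return "captcha"              # hash absent or does not match summary
    return "accept"
```
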


