[Python-Dev] Summary of Tracker Issues

Josiah Carlson jcarlson at uci.edu
Wed May 16 18:38:25 CEST 2007


Talin <talin at acm.org> wrote:
> Terry Reedy wrote:
> > My underlying point: seeing porno spam on the practice site gave me a bad 
> > itch both because I detest spammers in general and because I would not want 
> > visitors turned off to Python by something that is completely out of place 
> > and potentially offensive to some.  So I am willing to help us not throw up 
> > our hands in surrender.
> 
> There are various other solutions. The spammer's client isn't generally 
> a full browser, it's just a bare HTTP robot, so if there's some kind of 
> Javascript that is required to post, then the spammer probably won't be 
> able to execute it. For example, you could have a hidden field which is 
> a hash of the bug summary line, calculated by the Javascript in the web 
> form, which is checked by the server. (For people who have JS turned 
> off, failing the check would fall back to a captcha or some other manual 
> means of identification.)

I'm not sure how effective the question/answer stuff is, but a bit of
JavaScript seems to be a good idea.

What has also worked on a phpBB forum that I admin is "Stop Spambot
Registration".  As the user is registering, it tells them not to enter in
any profile information when they are registering, that they should do
that later.  Anyone who enters any profile information is flagged as a
spammer, their registration rejected, and I get an email (of the 35
rejections I've received, none have been legitimate users, and only one
smart spambot got through, but he had a drug-related name and was easy
to toss). If we include fake profile entries during registration that we
tell people not to fill in (like 'web page', 'interests', etc.), we may
catch some foolish spambots.

Of course there is the other *really* simple option of just renaming
registration form entry names.  Have a 'username' field, but make it
hidden and empty by default, rejecting registration if it is not empty.
The real login form name could be generated uniquely for each
registration attempt, and verified against another hidden form with
minimal backend database support.  While it would only take a marginally
intelligent spambot to defeat it, it should thwart the stupid spambots.


 - Josiah
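
The two ideas in the message above (decoy fields that must stay empty, and a real login field whose name is generated per registration attempt and checked against a hidden field) are sketched below as an added example; it is not code from this message or from the tracker. The names `render_form`, `check_submission`, `DECOYS` and `PENDING` are hypothetical, and the in-memory dict stands in for the "minimal backend database support".

```python
import secrets

DECOYS = ("username", "web_page", "interests")  # trap fields: must come back empty
PENDING: dict[str, str] = {}  # attempt id -> real field name; stands in for a DB table


def render_form() -> tuple[str, str, str]:
    """Build one registration form; returns (html, attempt_id, real_field_name)."""
    attempt = secrets.token_hex(16)
    real = "f_" + secrets.token_hex(8)  # unpredictable name for the real login field
    PENDING[attempt] = real
    rows = [f'<input type="hidden" name="attempt" value="{attempt}">']
    # Decoys are hidden from people with CSS (an assumption of this example);
    # a robot that parses the raw HTML still sees ordinary text inputs.
    rows += [f'<input type="text" name="{d}" value="" style="display:none">'
             for d in DECOYS]
    rows.append(f'<label>Login <input type="text" name="{real}"></label>')
    return "<form method='post'>" + "".join(rows) + "</form>", attempt, real


def check_submission(form: dict[str, str]) -> tuple[bool, str]:
    """Validate posted fields; returns (accepted, login_or_reason)."""
    # Pop first so every attempt id is single-use, even when the post is rejected.
    real = PENDING.pop(form.get("attempt", ""), None)
    if real is None:
        return False, "unknown or reused attempt id"
    for d in DECOYS:
        if form.get(d, "").strip():
            return False, f"decoy field {d!r} was filled in"
    login = form.get(real, "").strip()
    if not login:
        return False, "real login field missing or empty"
    return True, login


if __name__ == "__main__":
    _, attempt, real = render_form()
    # Constructed sample: a person fills in only the visible field.
    print(check_submission({"attempt": attempt, real: "alice", "username": ""}))
    _, attempt, real = render_form()
    # Constructed sample: a naive robot fills every text input it finds.
    print(check_submission({"attempt": attempt, real: "x", "username": "x"}))
```

A rejected submission is the point at which the registration would be refused and the admin notified, as with the phpBB mod described above.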


