[Python-Dev] Summary of Tracker Issues
talin at acm.org
Sun May 20 03:41:27 CEST 2007
Josiah Carlson wrote:
> Captchas like this are easily broken using computational methods, or
> even the porn site trick that was already mentioned. Never mind
> Stephen's stated belief, that you quoted, that he believes that even the
> hard captchas are going to be beaten by computational methods soon. Please
> try to pay attention to previous posts.
I think people are trying too hard here - in other words, they are
putting more of computational science brainpower into the problem than
it really merits. While it is true that there is an arms race between
creators of social software applications and spammers, this arms race is
only waged the largest scales - spammers simply won't spend the effort
to go after individual sites, its not cost effective, especially when
there are much more lucrative targets.
Generally, sites are only vulnerable when they have a comment submission
interface that is identical to thousands of other sites. All that one
needs to do on the web side is to make the submission process slightly
idiosyncratic compared to other sites. If one wants to put in extra
effort, you can change the comment submission process on a regular basis.
The real issue is comment submission via email, which I believe RoundUp
supports (although I don't know if it's enabled for the Python tracker.)
Because there's very little that you can do to "customize" an email
submission interface (you have to work with standard email clients after
Do we know how these spam comments entered the system? There's no point
in spending any thought securing the web interface if the comments were
submitted via email.
And has there been any spam submitted since that point? If we're talking
less than one spam a week on average, then this is all a moot point, its
less effort for someone to just manually delete it than it is to come up
with an automated system.
More information about the Python-Dev