[Python-Dev] Summary of Tracker Issues
Talin
talin at acm.org
Sun May 20 03:41:27 CEST 2007

Josiah Carlson wrote:
> Captchas like this are easily broken using computational methods, or
> even the porn site trick that was already mentioned. Never mind
> Stephen's stated belief, that you quoted, that he believes that even the
> hard captchas are going to be beaten by computational methods soon. Please
> try to pay attention to previous posts.

I think people are trying too hard here - in other words, they are
putting more of computational science brainpower into the problem than
it really merits. While it is true that there is an arms race between
creators of social software applications and spammers, this arms race is
only waged at the largest scales - spammers simply won't spend the effort
to go after individual sites, it's not cost effective, especially when
there are much more lucrative targets.

Generally, sites are only vulnerable when they have a comment submission
interface that is identical to thousands of other sites. All that one
needs to do on the web side is to make the submission process slightly
idiosyncratic compared to other sites. If one wants to put in extra
effort, you can change the comment submission process on a regular basis.

The real issue is comment submission via email, which I believe RoundUp
supports (although I don't know if it's enabled for the Python tracker.)
Because there's very little that you can do to "customize" an email
submission interface (you have to work with standard email clients after
all).

Do we know how these spam comments entered the system? There's no point
in spending any thought securing the web interface if the comments were
submitted via email.

And has there been any spam submitted since that point? If we're talking
less than one spam a week on average, then this is all a moot point, it's
less effort for someone to just manually delete it than it is to come up
with an automated system.

-- Talin