Re: [Mailman-Users] bots subscribing to lists via web forms to avoid member-only restrictions

On 6-Jan-2008, at 14:02, Mark Sapiro wrote:

>> Are there plans to enhance the web subscription form with a type of captcha, or other technique to discourage bots?
>
> There is no current plan.

There really should be.

--
I mistoke thee for thy better
Hamlet Act III scene 4

--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp

Re: [Mailman-Users] bots subscribing to lists via web forms to avoid member-only restrictions

--On January 16, 2008 11:21:41 AM -0700 LuKreme [EMAIL PROTECTED] wrote:

> There really should be.

To which I reply:

It's open source. Start coding and submit a patch.

--
Steve Burling                     mailto:[EMAIL PROTECTED]
University of Michigan, ICPSR     Voice: +1 734 615.3779
330 Packard Street                FAX: +1 734 647.8700
Ann Arbor, MI 48104-2910

Re: [Mailman-Users] bots subscribing to lists via web forms to avoid member-only restrictions

LuKreme writes:

> On 6-Jan-2008, at 14:02, Mark Sapiro wrote:
>
>>> Are there plans to enhance the web subscription form with a type of captcha, or other technique to discourage bots?
>>
>> There is no current plan.
>
> There really should be.

Why? It's user-unfriendly and botnet-friendly technology (ie, we know that if you throw cycles at the problem you can solve it). You get the worst of both worlds.

We need to get out of the arms race with spammers. We aren't President Reagan, we can't spend them into submission.

Re: [Mailman-Users] bots subscribing to lists via web forms to avoid member-only restrictions

On 1/16/08, LuKreme wrote:

>>> Are there plans to enhance the web subscription form with a type of captcha, or other technique to discourage bots?
>>
>> There is no current plan.
>
> There really should be.

CAPTCHAs don't work.

The best mechanism I've found so far that does work is to moderate (or discard or reject) postings from non-subscribers, and to moderate new subscribers by default. Once they prove they are human beings and capable of posting reasonably on-topic messages to the list, you can clear their moderation bit.

Nothing else I've seen actually works.

--
Brad Knowles [EMAIL PROTECTED]
LinkedIn Profile: http://tinyurl.com/y8kpxu

Re: [Mailman-Users] bots subscribing to lists via web forms to avoid member-only restrictions

Matt Domsch wrote:

> Several times this week I've received spam to my lists which are set to allow postings only by list members. Upon review, something (either bot or human, but I'm betting bot as they hit many lists at once) subscribed the spam sender email to the lists via the web form, sent the spam, then unsubscribed themselves.

What is subscribe_policy for these lists?

> The actual spam message was declared clean by both SpamAssassin and IronPort, so the filtering ahead of MM is quite helpful, but not perfect.
>
> Are there plans to enhance the web subscription form with a type of captcha, or other technique to discourage bots?

There is no current plan.

> Anyone else hit by this practice much?

I've never seen it on lists with subscribe_policy of either Confirm or Approve. I don't allow open subscribe.

--
Mark Sapiro [EMAIL PROTECTED]         The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
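
The pattern Matt Domsch describes in the message above (one address subscribed to several lists, then removed again shortly afterwards) can be searched for in a subscription log. This Python code is an added example, not part of the original thread and not Mailman's own code; the log line format is an assumption modelled on Mailman 2.1's `logs/subscribe` file, and the sample lines, addresses and the name `find_hit_and_run` are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, modelled on Mailman 2.1's logs/subscribe file.
# The exact line format is an assumption; adjust LINE_RE to match your logs.
SAMPLE_LOG = """\
Jan 05 09:12:01 2008 (2101) devel: new alice@example.org, via web confirmation
Jan 06 03:10:44 2008 (2101) devel: new promo@spam.example, via the web
Jan 06 03:10:47 2008 (2101) users: new promo@spam.example, via the web
Jan 06 03:10:49 2008 (2101) announce: new promo@spam.example, via the web
Jan 06 03:14:02 2008 (2101) devel: deleted promo@spam.example; via the member options page
Jan 06 03:14:05 2008 (2101) users: deleted promo@spam.example; via the member options page
Jan 06 03:14:09 2008 (2101) announce: deleted promo@spam.example; via the member options page
Jan 20 18:30:00 2008 (2101) devel: deleted alice@example.org; via the member options page
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) \(\d+\) "
    r"(?P<list>[^:\s]+): (?P<action>new|deleted) (?P<addr>[^\s,;]+)"
)

def find_hit_and_run(log_text, window=timedelta(hours=1), min_lists=2):
    """Return {address: sorted list names} for addresses that joined and left
    at least `min_lists` lists, each within `window` of subscribing."""
    joined = {}                     # (list, addr) -> time of subscription
    short_lived = defaultdict(set)  # addr -> lists with a short-lived membership
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # other log entries are ignored
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S %Y")
        key = (m["list"], m["addr"].lower())
        if m["action"] == "new":
            joined[key] = ts
        elif key in joined and ts - joined.pop(key) <= window:
            short_lived[key[1]].add(key[0])
    return {a: sorted(ls) for a, ls in short_lived.items() if len(ls) >= min_lists}

if __name__ == "__main__":
    for addr, lists in find_hit_and_run(SAMPLE_LOG).items():
        print(f"{addr}: joined and left {len(lists)} lists: {', '.join(lists)}")
```

Addresses it reports are candidates for the measures discussed in this thread: a stricter subscribe_policy and default moderation for new subscribers.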

Re: [Mailman-Users] bots subscribing to lists via web forms to avoid member-only restrictions

> Are there plans to enhance the web subscription form with a type of captcha, or other technique to discourage bots?
>
> Anyone else hit by this practice much?

Human assisted registration is becoming more popular - apparently there are even setups where they auto farm-out the captcha recognition to pools of people who simply enter the stuff and the system processes everything else automatically.

On forums, even with captcha, there is an element that persists. The best solutions have been to ban the most frequently abused mail systems, and potentially block problem IP ranges (like Asia). How much you can do that depends on your list's scope.

In short - yes there appear to be human assisted automated spam generation systems in play. Systems with a confirm email have also been mass defeated with software, but most hacks don't bother to build their own and try to use pre-made spamming software. Unless mailman has been targeted by these developers in the past, it's unlikely someone is using pure software to automate it.

Re: [Mailman-Users] bots subscribing to lists via web forms to avoid member-only restrictions

On 1/6/08, Mark Sapiro wrote:

>> Anyone else hit by this practice much?
>
> I've never seen it on lists with subscribe_policy of either Confirm or Approve. I don't allow open subscribe.

I've seen spammers (or bots) get subscribed to lists and try to spam, then unsubscribe.

However, pretty much all the lists I run these days do default moderation for new subscribers, so that I can manually catch these sorts of things before I turn off their moderation bit. This applies to most of the mailman-* mailing lists on python.org, as well as others elsewhere.

I also tend to run lists where subscription has to be approved by the list owner.

--
Brad Knowles [EMAIL PROTECTED]
LinkedIn Profile: http://tinyurl.com/y8kpxu

Re: [Mailman-Users] bots subscribing to lists via web forms to avoid member-only restrictions

Jeffrey Goldberg writes:

> On the whole, I have found these things so rare that it hasn't been a real problem. However, in principle lists could easily be targeted, so it is worth considering captchas.

Captchas have been discussed, and were not considered worthwhile.

(1) There are many sites that describe algorithms for automatically getting 50% or better recognition on many common captchas. I've tried a couple using the Gimp, and indeed it looks like it's pretty easy to achieve a filter that gives OCR-able images. Note that a 50% rate is going to be good enough for any spammer if that gives access.

(2) Several dodges have been found to get human help for solving captchas (sort of XSS attacks in reverse), and of course you can just hire them.

(3) On the other hand, hard to read captchas are exactly that: hard to read. For humans, too.

So introducing captchas the score is Spammers 2, Humans 0.

Re: [Mailman-Users] bots subscribing to lists via web forms to avoid member-only restrictions

On Jan 6, 2008, at 7:01 PM, Stephen J. Turnbull wrote:

> Jeffrey Goldberg writes:
>
>> [...] it is worth considering captchas.
>
> Captchas have been discussed, and were not considered worthwhile.

[snip of explanation of the lack of effectiveness and annoyance of captchas]

Thank you. I've always disliked the things. Now I know that there is actually good reason to.

I suspect that with a Confirm subscription policy (which is the minimum anyone should run) there really isn't too much to worry about in that we can always end up requiring approval for subscriptions (or moderate) associated with domains that show a history of allowing spammers to send subscription requests.

Cheers,

-j

--
Jeffrey Goldberg    http://www.goldmark.org/jeff/

Re: [Mailman-Users] bots subscribing to lists via web forms to avoid member-only restrictions

On 1/6/08 7:01 PM, Stephen J. Turnbull at [EMAIL PROTECTED] wrote:

> (3) On the other hand, hard to read captchas are exactly that: hard to read. For humans, too.
>
> So introducing captchas the score is Spammers 2, Humans 0.

Yes indeed. One that takes me two to three tries to match is annoying. I even found one I couldn't get right after half a dozen tries. I gave up. Their loss.

--
Larry Stone
[EMAIL PROTECTED]
http://www.stonejongleux.com/

Re: [Mailman-Users] bots subscribing to lists via web forms to avoid member-only restrictions

On 1/6/08, Jeffrey Goldberg wrote:

> I suspect that with a Confirm subscription policy (which is the minimum anyone should run) there really isn't too much to worry about in that we can always end up requiring approval for subscriptions (or moderate) associated with domains that show a history of allowing spammers to send subscription requests.

In my experience, just confirming subscriptions is not enough. There are a few spammers who will get through that test.

So far, I have not yet seen much in the way of spammers who get through that filter as well as the moderation filter for new subscribers, but it's probably just a matter of time.

--
Brad Knowles [EMAIL PROTECTED]
LinkedIn Profile: http://tinyurl.com/y8kpxu