13 Jun 2018, at 11:52pm, Bob Friesenhahn <bfrie...@simple.dallas.tx.us> wrote:

> The problem is knowing what "one" means.  The subscription request is likely 
> submitted via http/https into the web form and using a bogus email 
> subscription address (of the "victim").  A botnet is able to submit these 
> requests from hundreds of IP addresses.

First you accept only one request per IP address for every twentyfour hours.  
You might as well just wipe your address list at midnight rather than do the 
tricky programming to implement a rolling 12 hour window.

Second you have the form page generate a random number every time it shows the 
form.  The submission has to include the number sent to that IP address, and it 
has to be done at least five seconds after the number was generated.  This ties 
up that bot (though not the whole botnet) for five seconds.  One assumes that 
humans take more than 5 seconds to type their password twice and hit 'submit' 
so they won't even notice the difference.  People who copy-and-paste their 
email address into the 'verify' field deserve what they get.

Third you accept only one request per email address per week.

The second of the above defeats a lot of bots.  They submit the request without 
ever downloading the form in the first place.

For all the above you need two tables of data and some python programming.  
Unfortunately I don't know Python.

sqlite-users mailing list

Reply via email to