On 2020-01-30 12:01, Mark Sapiro wrote:
On 1/30/20 1:50 AM, Gila Halpern wrote:
I've been looking into ways to prevent spam on my company's list, and one thing I came across was the SUBSCRIBE_FORM_SECRET option in the Mailman configuration, which embeds a CSRF token into the form, and prevents it from being submitted until five seconds after it renders, to keep bots from subscribing. Unfortunately, the information I found pertained to Mailman 2. Does this option exist in MM3 as well, or is there a similar option?
This feature in MM 2.1 is not very effective. On mail.python.org, this feature as well as reCAPTCHA is enabled (e.g. <https://mail.python.org/mailman/listinfo/mailman-users>) and we still get periodic attacks of robotic subscribes that get around these measures.
Human verification vs. verification-defeating countermeasures is an ongoing arms race which, frankly, humans have been losing for a long time. I have more than once commented, not entirely joking, that we're reaching a point where *FAILURE* to complete the CAPTCHA is evidence that you're a human.
We need to come up with a better verification paradigm than presenting increasingly difficult puzzles which AI agents are better overall at solving than humans are.
--
Phil Stracchino
Babylon Communications
phils@caerllewys.net
phil@co.ordinate.org
Landline: +1.603.293.8485
Mobile: +1.603.998.6958
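
The question quoted in this thread describes a form token that cannot be submitted until five seconds after the page renders. The sketch below is an added example of that kind of time-gated, HMAC-signed token; it is not Mailman's code and not part of the original messages. The function names, the secret, the one-hour lifetime and the binding to list name and client address are all assumptions of the example.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-example-secret"  # constructed value; stands in for a site-wide secret
MIN_DELAY = 5     # seconds that must pass between rendering and submission
MAX_AGE = 3600    # assumed token lifetime in seconds


def _mac(issued, list_name, remote_addr):
    # Sign the render time together with the values the token is bound to.
    msg = f"{issued}:{list_name}:{remote_addr}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(list_name, remote_addr, now=None):
    """Value for a hidden form field, created when the subscribe page renders."""
    issued = int(time.time() if now is None else now)
    return f"{issued}:{_mac(issued, list_name, remote_addr)}"


def check_token(token, list_name, remote_addr, now=None):
    """Return 'ok' or the reason the submitted token is rejected."""
    now = int(time.time() if now is None else now)
    try:
        issued_s, mac = token.split(":", 1)
        issued = int(issued_s)
    except ValueError:
        return "malformed"
    expected = _mac(issued, list_name, remote_addr)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return "bad-signature"
    age = now - issued
    if age < MIN_DELAY:
        return "too-fast"   # posted sooner than a person could fill in the form
    if age > MAX_AGE:
        return "expired"
    return "ok"
```

The check only establishes that the same address fetched the form at least five seconds before posting it, so it is one signal to log and combine with others rather than proof that a person filled in the form.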