SUBSCRIBE_FORM_SECRET in MM3?
I've been looking into ways to prevent spam on my company's list, and one thing I came across was the SUBSCRIBE_FORM_SECRET option in the Mailman configuration, which embeds a CSRF token into the form, and prevents it from being submitted until five seconds after it renders, to keep bots from subscribing. Unfortunately, the information I found pertained to Mailman 2. Does this option exist in MM3 as well, or is there a similar option?
On 1/30/20 1:50 AM, Gila Halpern wrote:
> I've been looking into ways to prevent spam on my company's list, and one thing I came across was the SUBSCRIBE_FORM_SECRET option in the Mailman configuration, which embeds a CSRF token into the form, and prevents it from being submitted until five seconds after it renders, to keep bots from subscribing. Unfortunately, the information I found pertained to Mailman 2. Does this option exist in MM3 as well, or is there a similar option?
This feature in MM 2.1 is not very effective. On mail.python.org, this feature as well as reCAPTCHA is enabled (e.g. <https://mail.python.org/mailman/listinfo/mailman-users>) and we still get periodic attacks of robotic subscribes that get around these measures.
To answer your question, no, this does not exist in Postorius which is an entirely different, Django based web UI. Django may have some protections built in; I'm not sure about that, but there's nothing in Postorius itself like this MM 2.1 feature.
--
Mark Sapiro <mark@msapiro.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
On 2020-01-30 12:01, Mark Sapiro wrote:
> On 1/30/20 1:50 AM, Gila Halpern wrote:
>> I've been looking into ways to prevent spam on my company's list, and one thing I came across was the SUBSCRIBE_FORM_SECRET option in the Mailman configuration, which embeds a CSRF token into the form, and prevents it from being submitted until five seconds after it renders, to keep bots from subscribing. Unfortunately, the information I found pertained to Mailman 2. Does this option exist in MM3 as well, or is there a similar option?
> This feature in MM 2.1 is not very effective. On mail.python.org, this feature as well as reCAPTCHA is enabled (e.g. <https://mail.python.org/mailman/listinfo/mailman-users>) and we still get periodic attacks of robotic subscribes that get around these measures.
Human verification vs. verification-defeating countermeasures is an ongoing arms race which, frankly, humans have been losing for a long time. I have more than once commented, not entirely joking, that we're reaching a point where *FAILURE* to complete the CAPTCHA is evidence that you're a human.
We need to come up with a better verification paradigm than presenting increasingly difficult puzzles which AI agents are better overall at solving than humans are.
--
Phil Stracchino
Babylon Communications
phils@caerllewys.net
phil@co.ordinate.org
Landline: +1.603.293.8485
Mobile: +1.603.998.6958
participants (3): Gila Halpern, Mark Sapiro, Phil Stracchino