[gentoo-project] Spam reduction proposal - switching lists to a web-form for subscription

[gentoo-project] Spam reduction proposal - switching lists to a web-form for subscription

[Robin H. Johnson]

[-- Attachment #1: Type: text/plain, Size: 959 bytes --]

Lately we've been seeing a LOT of spam being sent to the mailing list
subscribe mechanism, with the side effect that the subscribe mechanism
responds to the From header address with a confirmation request. That
address (along with the envelope sender) are unfortunately forged.

The volume of the confirmation requests is getting worse than direct
spams, because the spam filtering considers the confirmation requests to
be valid email (they would be, except for the fact they are
unsolicited).

To combat this problem, I'd like us to consider switching the subscribe
mechanism for the mailing lists to be a web form (protected with
recaptcha). Unsubscribe will continue to be offered as an email action
for the moment, because it ignores the mail if the address was not
subscribed.

-- 
Robin Hugh Johnson
Gentoo Linux Developer & Infra Guy
E-Mail     : robbat2@gentoo.org
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85

[-- Attachment #2: Type: application/pgp-signature, Size: 330 bytes --]

Re: [gentoo-project] Spam reduction proposal - switching lists to a web-form for subscription

[Petteri Räty]

[-- Attachment #1: Type: text/plain, Size: 965 bytes --]

Robin H. Johnson wrote:
> Lately we've been seeing a LOT of spam being sent to the mailing list
> subscribe mechanism, with the side effect that the subscribe mechanism
> responds to the From header address with a confirmation request. That
> address (along with the envelope sender) are unfortunately forged.
> 
> The volume of the confirmation requests is getting worse than direct
> spams, because the spam filtering considers the confirmation requests to
> be valid email (they would be, except for the fact they are
> unsolicited).
> 
> To combat this problem, I'd like us to consider switching the subscribe
> mechanism for the mailing lists to be a web form (protected with
> recaptcha). Unsubscribe will continue to be offered as an email action
> for the moment, because it ignores the mail if the address was not
> subscribed.
> 

I have no objection to this one as I have been receiving quite a few of
these...

Regards,
Petteri


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 261 bytes --]

Re: [gentoo-project] Spam reduction proposal - switching lists to a web-form for subscription

[Ferris McCormick]

[-- Attachment #1: Type: text/plain, Size: 1174 bytes --]

On Wed, 2009-05-27 at 09:28 -0700, Robin H. Johnson wrote:
> Lately we've been seeing a LOT of spam being sent to the mailing list
> subscribe mechanism, with the side effect that the subscribe mechanism
> responds to the From header address with a confirmation request. That
> address (along with the envelope sender) are unfortunately forged.
> 
> The volume of the confirmation requests is getting worse than direct
> spams, because the spam filtering considers the confirmation requests to
> be valid email (they would be, except for the fact they are
> unsolicited).
> 
> To combat this problem, I'd like us to consider switching the subscribe
> mechanism for the mailing lists to be a web form (protected with
> recaptcha). Unsubscribe will continue to be offered as an email action
> for the moment, because it ignores the mail if the address was not
> subscribed.

Fine with me.  I've been getting quite a few of these lately, and since
I sometimes do subscribe to new lists, I have to look at them before
discarding.

Regards,
Ferris
-- 
Ferris McCormick (P44646, MI) <fmccor@gentoo.org>
Developer, Gentoo Linux (Sparc, Userrel, Trustees)

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-project] Spam reduction proposal - switching lists to a web-form for subscription

[Dale]

Petteri Räty wrote:
> Robin H. Johnson wrote:
>   
>> Lately we've been seeing a LOT of spam being sent to the mailing list
>> subscribe mechanism, with the side effect that the subscribe mechanism
>> responds to the From header address with a confirmation request. That
>> address (along with the envelope sender) are unfortunately forged.
>>
>> The volume of the confirmation requests is getting worse than direct
>> spams, because the spam filtering considers the confirmation requests to
>> be valid email (they would be, except for the fact they are
>> unsolicited).
>>
>> To combat this problem, I'd like us to consider switching the subscribe
>> mechanism for the mailing lists to be a web form (protected with
>> recaptcha). Unsubscribe will continue to be offered as an email action
>> for the moment, because it ignores the mail if the address was not
>> subscribed.
>>
>>     
>
> I have no objection to this one as I have been receiving quite a few of
> these...
>
> Regards,
> Petteri
>
>   

Is there something besides a captcha that can be used?  I hate those
things because they make no sense to me.  I usually just give up when I
encounter one of these and try three or four times with no success.  The
ones that look like broken glass or something are the ones I don't even
try anymore.  I can't get past one of those.

Just curious if there is a better way here.

Dale

:-)  :-)

Re: [gentoo-project] Spam reduction proposal - switching lists to a web-form for subscription

[Nirbheek Chauhan]

On Wed, May 27, 2009 at 9:58 PM, Robin H. Johnson <robbat2@gentoo.org> wrote:
> To combat this problem, I'd like us to consider switching the subscribe
> mechanism for the mailing lists to be a web form (protected with
> recaptcha). Unsubscribe will continue to be offered as an email action
> for the moment, because it ignores the mail if the address was not
> subscribed.
>

++

Make it so number one. :-)


-- 
~Nirbheek Chauhan

Re: [gentoo-project] Spam reduction proposal - switching lists to a web-form for subscription

[Roy Bamford]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2009.05.27 17:28, Robin H. Johnson wrote:
> Lately we've been seeing a LOT of spam being sent to the mailing list
> subscribe mechanism, 
[snip]
> To combat this problem, I'd like us to consider switching the
> subscribe
> mechanism for the mailing lists to be a web form (protected with
> recaptcha). Unsubscribe will continue to be offered as an email 
> action
> for the moment, because it ignores the mail if the address was not
> subscribed.
> 
> -- 
> Robin Hugh Johnson
> Gentoo Linux Developer & Infra Guy
> E-Mail     : robbat2@gentoo.org
> GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85
> 
Robin,

Is this a spam outburst that will blow over ?

How will visually imparied users subscribe ?
If that is still possible, I'm not against such a move.

- -- 
Regards,

Roy Bamford
(NeddySeagoon) a member of
gentoo-ops
forum-mods
treecleaners
trustees
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)

iEYEARECAAYFAkodm/sACgkQTE4/y7nJvavVsgCgwCDeJBzyKp6ia9/MRusWsYcJ
vowAni58ytQAtsbcRTqxrVMrmVeS27bD
=CVLW
-----END PGP SIGNATURE-----

Re: [gentoo-project] Spam reduction proposal - switching lists to a web-form for subscription

[Robin H. Johnson]

[-- Attachment #1: Type: text/plain, Size: 606 bytes --]

On Wed, May 27, 2009 at 09:00:54PM +0100, Roy Bamford wrote:
> Is this a spam outburst that will blow over ?
No, it's been growing in intensity for the last 6 months.

> How will visually imparied users subscribe ?
> If that is still possible, I'm not against such a move.
I specifically stated recaptcha [1], as it includes an audio recognition
task for blind users, as well as rate limiting abuse attempts.

1. http://recaptcha.net/

-- 
Robin Hugh Johnson
Gentoo Linux Developer & Infra Guy
E-Mail     : robbat2@gentoo.org
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85

[-- Attachment #2: Type: application/pgp-signature, Size: 330 bytes --]

Re: [gentoo-project] Spam reduction proposal - switching lists to a web-form for subscription

[Robin H. Johnson]

[-- Attachment #1: Type: text/plain, Size: 997 bytes --]

On Wed, May 27, 2009 at 01:45:24PM -0500, Dale wrote:
> Is there something besides a captcha that can be used?  I hate those
> things because they make no sense to me.  I usually just give up when I
> encounter one of these and try three or four times with no success.  The
> ones that look like broken glass or something are the ones I don't even
> try anymore.  I can't get past one of those.
recaptcha [1] is very common at this point, offloads the problem to an
external service, supports visually-challenged users, and includes it's
own detection of brute forcing from IP addresses and subnets.

If that's not acceptable to you, I'll just deploy calculus-captcha.
calculus-captcha is best viewed on this page here:
http://random.irb.hr/signup.php
(reload a few times to see the fun they had in qualifying questions).

-- 
Robin Hugh Johnson
Gentoo Linux Developer & Infra Guy
E-Mail     : robbat2@gentoo.org
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85

[-- Attachment #2: Type: application/pgp-signature, Size: 330 bytes --]

Re: [gentoo-project] Spam reduction proposal - switching lists to a web-form for subscription

[Marijn Schouten (hkBst)]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Robin H. Johnson wrote:
> On Wed, May 27, 2009 at 01:45:24PM -0500, Dale wrote:
>> Is there something besides a captcha that can be used?  I hate those
>> things because they make no sense to me.  I usually just give up when I
>> encounter one of these and try three or four times with no success.  The
>> ones that look like broken glass or something are the ones I don't even
>> try anymore.  I can't get past one of those.
> recaptcha [1] is very common at this point, offloads the problem to an
> external service, supports visually-challenged users, and includes it's
> own detection of brute forcing from IP addresses and subnets.
> 
> If that's not acceptable to you, I'll just deploy calculus-captcha.
> calculus-captcha is best viewed on this page here:
> http://random.irb.hr/signup.php
> (reload a few times to see the fun they had in qualifying questions).

The reCAPTCHA page mentions[1] that simple text recognition (with minimal
distortion) is easy to do with computer programs. Given that the
calculus-captcha are non-distorted LaTeX'ed formulas we should therefore
probably assume that computers can read those formulas. They only seem to have
very few kinds of questions (zeros of small polynomials, differentiation of some
trigonometric functions (only cos and sin), arithmetic), all of which are
extremely simple especially for a program[1]. If this CAPTCHA becomes widespread
someone WILL break it.

On the other hand I like that reCAPTCHA puts your answers to use for automatic
digitizations of books. Unfortunately their "Stop spam, read books" message
doesn't make this very clear unless you already know.

Marijn

[1]:http://recaptcha.net/captcha.html

- --
If you cannot read my mind, then listen to what I say.

Marijn Schouten (hkBst), Gentoo Lisp project, Gentoo ML
<http://www.gentoo.org/proj/en/lisp/>, #gentoo-{lisp,ml} on FreeNode
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkodvLMACgkQp/VmCx0OL2zK/QCgmt+/RincRzXtmuGNTxsE4Yd+
wo8An2zcFsPPaxpzbB75lYlnFCAg1o8q
=glct
-----END PGP SIGNATURE-----

Re: [gentoo-project] Spam reduction proposal - switching lists to a web-form for subscription

[Robin H. Johnson]

[-- Attachment #1: Type: text/plain, Size: 2705 bytes --]

On Thu, May 28, 2009 at 12:20:35AM +0200, Marijn Schouten (hkBst) wrote:
> The reCAPTCHA page mentions[1] that simple text recognition (with minimal
> distortion) is easy to do with computer programs.
I think you misread part of that page.
The sentence in question is (added emphasis mine):
"For example, the CAPTCHAs ***shown below*** can all be broken using image
processing techniques, mainly because they use a consistent font."
(and there is an image comprised of several past generations of
captcha).  

reCAPTCHA breakage rates remain lower than other captcha variants, since
the source material is not generated, comes from old books.

Nowhere did I claim that captchas could not be defeated.
- Web-service to do it for you:
  http://www.captchakiller.com/
- How 4chan did it (in the end, actually attacking the methodology of
  reCAPTCHA - any word submitted consistently for the same testcase
  wins, regardless of actually matching): 
  http://musicmachinery.com/2009/04/27/moot-wins-time-inc-loses/
- From DEFCON 2008:
  http://captchatalk.com/

Then there are all the folk that realize you can outsource the problem
to humans in third world countries cheaper or on porn sides than the
processing time required to attack via OCR.

> Given that the calculus-captcha are non-distorted LaTeX'ed formulas we
> should therefore probably assume that computers can read those
> formulas. They only seem to have very few kinds of questions (zeros of
> small polynomials, differentiation of some trigonometric functions
> (only cos and sin), arithmetic), all of which are extremely simple
> especially for a program[1]. If this CAPTCHA becomes widespread
> someone WILL break it.
I gave the calculus captcha as a joke, and I'm surprised nobody called
me on it. The level of human required to correctly answer some of the
actual calculus questions is beyond a lot of our user-base (no offense
to them, but they just haven't covered that in formal or informal
education).

The captcha just needs to be passably good enough to protect a single
text field of the email address to subscribe.

The only other complaint of value in this thread thus-far was Dale
noting that he's one of the users that would need the audio variant, but
doesn't have enough bandwidth (stuck on very slow dialup) to stream it.
To address that then, as it's only going to be a small percentage, I'm
going to have a message at the bottom of the page, telling that subset
of users to just email me as the list postmaster.

-- 
Robin Hugh Johnson
Gentoo Linux Developer & Infra Guy
E-Mail     : robbat2@gentoo.org
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85

[-- Attachment #2: Type: application/pgp-signature, Size: 330 bytes --]

Re: [gentoo-project] Spam reduction proposal - switching lists to a web-form for subscription

[Tiziano Müller]

[-- Attachment #1: Type: text/plain, Size: 1187 bytes --]

Am Mittwoch, den 27.05.2009, 14:27 -0700 schrieb Robin H. Johnson:
> On Wed, May 27, 2009 at 09:00:54PM +0100, Roy Bamford wrote:
> > Is this a spam outburst that will blow over ?
> No, it's been growing in intensity for the last 6 months.
> 
> > How will visually imparied users subscribe ?
> > If that is still possible, I'm not against such a move.
> I specifically stated recaptcha [1], as it includes an audio recognition
> task for blind users, as well as rate limiting abuse attempts.
> 
> 1. http://recaptcha.net/
> 

An alternative (which works quiet well with my blog):
have an empty css-hidden input field in the form and check for it being
empty when submitting the form. Bots will fill it out since they ignore
CSS mostly.
Advantage: it's hidden for all users and for those where it isn't
(Screen-Readers) you can add a normally hidden description stating this
is a spam-catching-field intentionally left blank.

-- 
Tiziano Müller
Gentoo Linux Developer, Council Member
Areas of responsibility:
  Samba, PostgreSQL, CPP, Python, sysadmin, GLEP Editor
E-Mail   : dev-zero@gentoo.org
GnuPG FP : F327 283A E769 2E36 18D5  4DE2 1B05 6A63 AE9C 1E30

[-- Attachment #2: Dies ist ein digital signierter Nachrichtenteil --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-project] Spam reduction proposal - switching lists to a web-form for subscription

[Nandeep Mali]

On Thu, May 28, 2009 at 11:49 AM, Tiziano Müller <dev-zero@gentoo.org> wrote:
> An alternative (which works quiet well with my blog):
> have an empty css-hidden input field in the form and check for it being
> empty when submitting the form. Bots will fill it out since they ignore
> CSS mostly.
> Advantage: it's hidden for all users and for those where it isn't
> (Screen-Readers) you can add a normally hidden description stating this
> is a spam-catching-field intentionally left blank.

Interesting idea. :) But once they get to know about the trick, they
might just bypass it. A blog will not be as lucrative as Gentoo site,
so the bot-makers could go to extra lengths to get their bots working.

Regards
Nandeep

Re: [gentoo-project] Spam reduction proposal - switching lists to a web-form for subscription

[Tiziano Müller]

[-- Attachment #1: Type: text/plain, Size: 1213 bytes --]

Am Donnerstag, den 28.05.2009, 12:27 +0530 schrieb Nandeep Mali:
> On Thu, May 28, 2009 at 11:49 AM, Tiziano Müller <dev-zero@gentoo.org> wrote:
> > An alternative (which works quiet well with my blog):
> > have an empty css-hidden input field in the form and check for it being
> > empty when submitting the form. Bots will fill it out since they ignore
> > CSS mostly.
> > Advantage: it's hidden for all users and for those where it isn't
> > (Screen-Readers) you can add a normally hidden description stating this
> > is a spam-catching-field intentionally left blank.
> 
> Interesting idea. :) But once they get to know about the trick, they
> might just bypass it. A blog will not be as lucrative as Gentoo site,
> so the bot-makers could go to extra lengths to get their bots working.
no, not even the Gentoo site is worth the bot-maintainers time.
But instead of returning an error, just say that everything's ok and
discard the request silently.

-- 
Tiziano Müller
Gentoo Linux Developer, Council Member
Areas of responsibility:
  Samba, PostgreSQL, CPP, Python, sysadmin, GLEP Editor
E-Mail   : dev-zero@gentoo.org
GnuPG FP : F327 283A E769 2E36 18D5  4DE2 1B05 6A63 AE9C 1E30

[-- Attachment #2: Dies ist ein digital signierter Nachrichtenteil --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-project] Spam reduction proposal - switching lists to a web-form for subscription

[Alec Warner]

On Wed, May 27, 2009 at 3:20 PM, Marijn Schouten (hkBst)
<hkBst@gentoo.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Robin H. Johnson wrote:
>> On Wed, May 27, 2009 at 01:45:24PM -0500, Dale wrote:
>>> Is there something besides a captcha that can be used?  I hate those
>>> things because they make no sense to me.  I usually just give up when I
>>> encounter one of these and try three or four times with no success.  The
>>> ones that look like broken glass or something are the ones I don't even
>>> try anymore.  I can't get past one of those.
>> recaptcha [1] is very common at this point, offloads the problem to an
>> external service, supports visually-challenged users, and includes it's
>> own detection of brute forcing from IP addresses and subnets.
>>
>> If that's not acceptable to you, I'll just deploy calculus-captcha.
>> calculus-captcha is best viewed on this page here:
>> http://random.irb.hr/signup.php
>> (reload a few times to see the fun they had in qualifying questions).
>
> The reCAPTCHA page mentions[1] that simple text recognition (with minimal
> distortion) is easy to do with computer programs. Given that the
> calculus-captcha are non-distorted LaTeX'ed formulas we should therefore
> probably assume that computers can read those formulas. They only seem to have
> very few kinds of questions (zeros of small polynomials, differentiation of some
> trigonometric functions (only cos and sin), arithmetic), all of which are
> extremely simple especially for a program[1]. If this CAPTCHA becomes widespread
> someone WILL break it.

As it turns out; our mailing list subscription form is not meant to be
an impenetrable fortress and I doubt we care if the CAPTCHA service we
are using is breakable or not (worst case the spammer uses humans
looking for porn to fill out the CAPTCHA)  The point here is to just
make it a little bit harder to spam everyone; not to make it
impossible, defense in depth and all that.

>
> On the other hand I like that reCAPTCHA puts your answers to use for automatic
> digitizations of books. Unfortunately their "Stop spam, read books" message
> doesn't make this very clear unless you already know.
>
> Marijn
>
> [1]:http://recaptcha.net/captcha.html
>
> - --
> If you cannot read my mind, then listen to what I say.
>
> Marijn Schouten (hkBst), Gentoo Lisp project, Gentoo ML
> <http://www.gentoo.org/proj/en/lisp/>, #gentoo-{lisp,ml} on FreeNode
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.11 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkodvLMACgkQp/VmCx0OL2zK/QCgmt+/RincRzXtmuGNTxsE4Yd+
> wo8An2zcFsPPaxpzbB75lYlnFCAg1o8q
> =glct
> -----END PGP SIGNATURE-----
>
>