John R Levine [mailto:johnl @
>Tom Neff wrote:
>> "script confirms" prohibitively difficult. Every week I get more
>> "legitimate" joins on my lists, from addresses that are clearly address
>Do they deal with and acknowledge confirmations? If so, what kind of
>challenge do you do?
I have two challenge systems:
* one is Web based, with a cookie that the server remembers.
* The other is stock Majordomo confirm, with the stateless hash.
The Web based challenge system does not get abused by spammers, primarily
because it's hand-rolled and they have little motive or opportunity to
reverse engineer it. Of course if I offered it to the world and it became
popular, they would hack it in a week.
The stock MJ confirm is only good for catching users with bad mail setups,
e.g. their configured From: address is wrong. Spammers have script driven
"confirms" in regular use. I can't say I'm surprised, as I could hack one
together in an hour if I needed it :)
> * The web kind, with a URL in the confirmation message that you click to
Unfortunately, these are, if anything, easier to script, since detecting the
URL in the message body is fairly trivial.
What I would like to see is a confirm-request message that VARIES in
quasi-unpredictable ways that make it still easy for an actual human to read
it, do what it says and confirm the signup -- but remarkably difficult for a
script driven procmail filter to accomplish the same thing.
The way to do it would be to employ some of the same tricks that people do
to avoid having their addresses spammed in email lists and web pages these
days: "To send me mail, remove the HIPPOPOTAMUS and change the last Q to a
3..." etc. There would be a randomly selected message template from a suite
of many of them, each containing a different English language explanation of
how to confirm.
For example, one might say
If you D O N O T want to join XYZ-L, send mail to 209urwe0dfj @
or click on the URL http://www.xyz-l.com/3240dfs409ew .
If you D O want to join, look in the list below and send email to the
address you find next to the flower name:
buffalo ..... 3043if30if @
com ..... penny
apple ..... 094g4305gi4 @
com ..... quince
tulip ..... 457fy33847fh3 @
com ..... marigold
sedan ..... 4e43f9345f @
com ..... truck
Getting a hit or a message at any of the decoy addresses would invalidate