Eric Bloch writes:

> My experience is not limited nor second hand. We get scanned by
> plenty of bots every day.

Heck, I can beat that: some of my sites get scanned by more bots than they have actual users.<wink>

The question of "limited" is "how many different sites/kinds of sites do you have experience (eg, log access) on?" In my case, it's a half dozen or so, plus the talk I hear from other admins in the LUGs etc I hang out with. You can surely beat that, but does your experience generalize to a large fraction of Mailman lists, so that it should be a standard option provided by Mailman?

"Not every three-line patch needs to be a standard feature." Or 300-line patch, for that matter. But some do. Are captchas a feature that ordinary Mailman users need? Or are they something that "if you know enough to know why you need them, you know enough to code an appropriate Handler"? (Or snaffle one from the CheeseShop, for that matter.) I have my opinion ;-), but I'm willing to be corrected. :-|

> We also see captchas broken every day by some bots. Not all bots
> break the captchas. Not all are trying to, either of course.

This is the post hoc part. Of course, you see this, I was assuming you do.

> But without the captchas, the ones that weren't even trying would
> be getting to things we don't want them to get at. It's that
> simple.

This is the propter hoc part. It's not that simple. Captcha-using pages are *different* from non-captcha pages. What is it in your experience that shows that the captcha has any additional effect compared to *other* differences that are less annoying to bona fide users?

I subscribe to a *lot* of Mailman lists. I would be mildly annoyed if uninformed list owners started using captchas just because they're easy to configure and because a lot of big names use them. At this point, I don't see a good reason to make it easy to annoy millions of subscribers that way. Or lose them, for that matter; I'm an Anonymous Coward on more than one site because I couldn't be bothered to use my "neural network" to break the captchas.
Especially in open source development, the "frivolous" contributions (eg, one-off bug reports) add up --- we really don't want to encourage "features" of known cost to the individual subscriber and dubious benefit to the list community.

Not to mention that this is an "arms race game": the more captchas are used, the more 'bots will be programmed to recognize *and break* them. You admit that you already see successful break-ins "every day", and the rate will only increase. They're really mostly suitable for well-informed admins who understand concepts like "defense in depth". (But again, those folks can typically cons up a patch pretty quickly. These parts of Mailman are not that hard to modify, especially in Mailman 3.)

I guess my bottom line is that if a captcha feature is provided standard in Mailman 3, I believe that

(1) it should be configurable per list (and off by default);

(2) it should need to be enabled by the site admin (and off by default);

    The rationale for this is not just to make it harder to use the feature, but that the site admin is likely to be more expert in general to understand the limitations of the feature, and also some of the benefits and costs accrue to the site rather than to the list community, so the site admin should have some input.

(3) both configuration tools should have documentation indicating that captchas do not provide security; what they do is chase off the frivolous (both bona fide users and would-be abusers). This is a genuine benefit in several ways for many lists; it's just not real security because serious abusers will get through.