13 Jun 2018, at 11:52pm, Bob Friesenhahn <bfrie...@simple.dallas.tx.us> wrote:
> The problem is knowing what "one" means. The subscription request is likely
> submitted via http/https into the web form and using a bogus email
> subscription address (of the "victim"). A botnet is able to submit these
> requests from hundreds of IP addresses.

First you accept only one request per IP address for every twenty-four hours. You might as well just wipe your address list at midnight rather than do the tricky programming to implement a rolling 12-hour window.

Second you have the form page generate a random number every time it shows the form. The submission has to include the number sent to that IP address, and it has to be done at least five seconds after the number was generated. This ties up that bot (though not the whole botnet) for five seconds. One assumes that humans take more than 5 seconds to type their password twice and hit 'submit' so they won't even notice the difference. People who copy-and-paste their email address into the 'verify' field deserve what they get.

Third you accept only one request per email address per week.

The second of the above defeats a lot of bots. They submit the request without ever downloading the form in the first place.

For all the above you need two tables of data and some Python programming. Unfortunately I don't know Python.

Simon.
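The three checks described in the message above, sketched with Python's `sqlite3` module as an added example that is not part of the original email. The table layout, function names and return strings are assumptions made for illustration; the limits count accepted requests only and are enforced by comparing stored timestamps rather than by wiping a list at midnight.

```python
import hmac, secrets, sqlite3

MIN_FILL_SECONDS = 5            # form must be held at least this long
IP_WINDOW = 24 * 3600           # one accepted request per IP per 24 hours
EMAIL_WINDOW = 7 * 24 * 3600    # one accepted request per address per week

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    # The two tables (assumed layout): per-IP form state, per-address history.
    db.execute("CREATE TABLE IF NOT EXISTS ip_state(ip TEXT PRIMARY KEY,"
               " token TEXT, issued REAL, accepted REAL)")
    db.execute("CREATE TABLE IF NOT EXISTS email_seen(email TEXT PRIMARY KEY,"
               " accepted REAL)")
    return db

def issue_token(db, ip, now):
    """Call when the form page is served; embed the result in a hidden field."""
    token = secrets.token_hex(16)
    with db:
        db.execute("INSERT OR IGNORE INTO ip_state(ip) VALUES (?)", (ip,))
        db.execute("UPDATE ip_state SET token=?, issued=? WHERE ip=?",
                   (token, now, ip))
    return token

def check_submission(db, ip, email, token, now):
    """Return 'ok' and record the request, or the reason it was refused."""
    email = email.strip().lower()
    row = db.execute("SELECT token, issued, accepted FROM ip_state WHERE ip=?",
                     (ip,)).fetchone()
    if row is None or row[0] is None:
        return "no-form"        # posted without ever downloading the form
    if not hmac.compare_digest(row[0].encode(), (token or "").encode()):
        return "bad-token"
    if now - row[1] < MIN_FILL_SECONDS:
        return "too-fast"
    if row[2] is not None and now - row[2] < IP_WINDOW:
        return "ip-limit"
    seen = db.execute("SELECT accepted FROM email_seen WHERE email=?",
                      (email,)).fetchone()
    if seen and now - seen[0] < EMAIL_WINDOW:
        return "email-limit"
    with db:                    # token is single-use: clear it on success
        db.execute("UPDATE ip_state SET token=NULL, accepted=? WHERE ip=?",
                   (now, ip))
        db.execute("INSERT OR REPLACE INTO email_seen VALUES (?, ?)",
                   (email, now))
    return "ok"
```

The `now` argument is passed in (for example from `time.time()`) so the time windows can be exercised without waiting.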