Re: [Python-Dev] Summary of Tracker Issues
Georg Brandl writes:

 > By requesting a registration form over and over, and recording all
 > questions. A human would then answer them, which is easily done for
 > 50 questions (provided that they are *not* targeted at experienced
 > Python programmers, which shouldn't be done).

We are not going to publish all 50 questions at once. ISTM you need one only question requiring human attention at a time, because once a spammer assigns a human (or inhuman of equivalent intelligence) to cracking you, you're toast. Use it for a short period of time (days, maybe even weeks). The crucial thing is that questions (or site-specific answers that require reading comprehension to obtain from the page) differ across sites; they must not be shared.

Now it's much faster for the human to simply do the registration on the current question, and then point the spambot at the site and vandalize 10,000 or so issues. If we can force them to do that, though, I think we're going to win. (In a "scorched earth" sense, maybe, but the spammers will get burned too.)

Note that one crucial aspect is to record the ID of the question that each account authenticated with (at creation, not at login -- the person's password is a different token). Then have a Big Red Switch that hides[1] all data entered by accounts that authenticated with that question. Of course admins only throw the switch on actually seeing the spam, but since all data is associated with a creation token, you can nuke all of it, even if the spammer has had the forethought to create multiple accounts with the Question of the Day, with *one* switch. And if they try to save such an account for tomorrow, cool! They're busted right there. You can get smarter than that (ie, by only barring access to data by accounts that touch more than a small number of issues in a short period of time), if you wish, but that should be sufficient unless you're getting dozens of new users during the validity period for a given question.
I guess there will need to be a special token, available only to accounts confirmed by admins, to recover accounts for people who happen to have the same "birthday" as a spammer.

Footnotes:

[1] Ie, requires user action to become visible, and is tagged as "possible spam". This requires a new attribute on data items, and some programming, but since roundup has to recreate the page for every request (even if it caches, it has to do so for every new item; it's not a problem to invalidate the cache and recreate, I bet), I think it's probably not going to require huge amounts of extra effort or changes in the basic design.

[2] Probabilistically. If the spammers are cracking your site on average every 10 days, rotate the question every 5 days. 50 questions means protection for most of a year in that case.

___
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
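The scheme in the message above (one live registration question at a time, the question ID recorded as a creation token, a Big Red Switch that hides everything entered by accounts carrying that token, and an admin-confirmed recovery path) is sketched below as an added example. It is not roundup code and not anything the python.org tracker ran; the tracker is an in-memory dict, the rotation schedule, questions, account names and posts are all constructed for the demonstration, and `ADMIN_TOKEN` is an assumed name for the special recovery token.

```python
"""Question-of-the-day registration tokens with a per-question quarantine switch."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed question bank: (question id, prompt, expected answer).
QUESTIONS = [
    ("q1", "What colour is a clear daytime sky?", "blue"),
    ("q2", "How many legs does a spider have?", "eight"),
]
ADMIN_TOKEN = "admin-confirmed"   # assumed name; never subject to the switch


@dataclass
class Account:
    name: str
    creation_token: str           # question id answered at registration only


@dataclass
class Item:
    id: int
    author: str
    text: str
    possible_spam: bool = False   # the new attribute footnote [1] talks about


class Tracker:
    def __init__(self, questions, rotation_days=5, start=date(2007, 5, 16)):
        self.questions, self.rotation_days, self.start = questions, rotation_days, start
        self.accounts, self.items, self.hidden_tokens, self.next_id = {}, {}, set(), 1

    def current_question(self, today):
        """Only one question is live; rotate through the bank every rotation_days."""
        slot = (today - self.start).days // self.rotation_days
        return self.questions[slot % len(self.questions)]

    def register(self, name, answer, today):
        qid, _prompt, expected = self.current_question(today)
        if answer.strip().lower() != expected:
            raise ValueError("registration question answered wrongly")
        # Record the question id at creation; login later uses the password.
        self.accounts[name] = Account(name, creation_token=qid)

    def post(self, name, text):
        acct = self.accounts[name]
        # A saved account whose token was already switched off posts into quarantine.
        item = Item(self.next_id, name, text, acct.creation_token in self.hidden_tokens)
        self.items[item.id] = item
        self.next_id += 1
        return item

    def big_red_switch(self, qid):
        """Hide everything entered by every account created with question qid."""
        self.hidden_tokens.add(qid)
        for item in self.items.values():
            if self.accounts[item.author].creation_token == qid:
                item.possible_spam = True

    def admin_confirm(self, name):
        """Recover a legitimate user who shares a spammer's registration 'birthday'."""
        self.accounts[name].creation_token = ADMIN_TOKEN
        for item in self.items.values():
            if item.author == name:
                item.possible_spam = False

    def visible_items(self):
        return [i for i in self.items.values() if not i.possible_spam]


def demo():
    """Constructed scenario; returns the observations a test can check."""
    t = Tracker(QUESTIONS)
    d0 = date(2007, 5, 16)
    try:
        t.register("eve", "green", d0)
        rejected = False
    except ValueError:
        rejected = True
    t.register("alice", "Blue", d0)                          # legitimate, token q1
    t.register("spammer", "blue", d0 + timedelta(days=1))    # same token q1
    t.register("carol", "eight", d0 + timedelta(days=6))     # next question, q2
    alice_item = t.post("alice", "Real bug report")
    t.post("spammer", "Cheap pills")
    carol_item = t.post("carol", "Another real report")
    before = len(t.visible_items())
    t.big_red_switch("q1")                                   # admin sees the spam
    after_switch = [i.id for i in t.visible_items()]
    late = t.post("spammer", "More pills")                   # reused account, still hidden
    t.admin_confirm("alice")                                 # collateral user recovered
    after_recovery = sorted(i.id for i in t.visible_items())
    return {"rejected": rejected, "before": before, "after_switch": after_switch,
            "late_hidden": late.possible_spam, "after_recovery": after_recovery,
            "alice": alice_item.id, "carol": carol_item.id,
            "q_day5": t.current_question(d0 + timedelta(days=5))[0]}


if __name__ == "__main__":
    print(demo())
```

Everything keyed on the creation token is hidden by one call, including posts made afterwards by accounts the spammer held back, which is the property the message relies on; the cost is that honest users registered under the same question are hidden too until an admin confirms them.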
Re: [Python-Dev] Summary of Tracker Issues
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:python-[EMAIL PROTECTED] On Behalf Of Stephen J. Turnbull
>
> ISTM you need one only question requiring human attention at a time,
> because once a spammer assigns a human (or inhuman of equivalent
> intelligence) to cracking you, you're toast.

I can't believe this is still profitable. It's either lucrative or fulfilling, and malice, if the latter.
Re: [Python-Dev] Summary of Tracker Issues
> -----Original Message-----
> > ISTM you need one only question requiring human attention at a time,
> > because once a spammer assigns a human (or inhuman of equivalent
> > intelligence) to cracking you, you're toast.
>
> I can't believe this is still profitable. It's either lucrative or
> fulfilling, and malice, if the latter.

At any rate, it is hardly such an urgent problem that it needs all this brainpower poured into it. And it almost certainly doesn't require novel solutions.

Kristján
Re: [Python-Dev] Summary of Tracker Issues
Aaron Brady writes:

 > > ISTM you need one only question requiring human attention at a time,
 > > because once a spammer assigns a human (or inhuman of equivalent
 > > intelligence) to cracking you, you're toast.
 >
 > I can't believe this is still profitable. It's either lucrative or
 > fulfilling, and malice, if the latter.

That's precisely my point. I don't think it is profitable, and therefore at a reasonable expense to us (one of us makes up a question every couple of days) we can make the tracker an unprofitable target for spammers, and probably avoid most spam.

There's ample evidence of malicious behavior by spammers who feel threatened or thwarted, though.
Re: [Python-Dev] Summary of Tracker Issues
> -----Original Message-----
> From: Stephen J. Turnbull [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, May 16, 2007 5:10 AM
> To: Aaron Brady
> Cc: 'Georg Brandl'; python-dev@python.org
> Subject: Re: [Python-Dev] Summary of Tracker Issues
>
> Aaron Brady writes:
>
> > > ISTM you need one only question requiring human attention at a time,
> > > because once a spammer assigns a human (or inhuman of equivalent
> > > intelligence) to cracking you, you're toast.
> >
> > I can't believe this is still profitable. It's either lucrative or
> > fulfilling, and malice, if the latter.
>
> That's precisely my point. I don't think it is profitable, and
> therefore at a reasonable expense to us (one of us makes up a question
> every couple of days) we can make the tracker an unprofitable target
> for spammers, and probably avoid most spam.
>
> There's ample evidence of malicious behavior by spammers who feel
> threatened or thwarted, though.

Can we spam back? /blink/ Click here for free therapy. //blink/
Re: [Python-Dev] Summary of Tracker Issues
Martin v. Löwis wrote:

> This question I could not answer, because I don't know what an orb is

An orb is a sphere.

-- 
Greg
Re: [Python-Dev] Summary of Tracker Issues
Kristján Valur Jónsson wrote:

>> -----Original Message-----
>>> ISTM you need one only question requiring human attention at a time,
>>> because once a spammer assigns a human (or inhuman of equivalent
>>> intelligence) to cracking you, you're toast.
>> I can't believe this is still profitable. It's either lucrative or
>> fulfilling, and malice, if the latter.
>
> At any rate, it is hardly such an urgent problem that it needs all this
> brainpower poured into it. And it almost certainly doesn't require
> novel solutions.

Possibly so, but I can't see c.l.p.dev passing up the chance to discuss this particular bicycle shed. It gets kind of personal when someone is spamming *your* tracker ... ;-)

I have already been criticized on c.l.py for suggesting there should be at least one day of the year when we should be allowed to hang spammers up by the nuts (assuming they have any) - "not very welcoming" was the phrase, IIRC. So maybe I'm no longer rational on this topic.

or-any-other-for-that-matter-ly y'rs - steve

-- 
Steve Holden        +1 571 484 6266   +1 800 494 3119
Holden Web LLC/Ltd           http://www.holdenweb.com
Skype: holdenweb      http://del.icio.us/steve.holden
-------------- Asciimercial ---------------------
Get on the web: Blog, lens and tag your way to fame!!
holdenweb.blogspot.com        squidoo.com/pythonology
tagged items:         del.icio.us/steve.holden/python
All these services currently offer free registration!
------------------ Thank You for Reading ------------
Re: [Python-Dev] Official version support statement
Stephen J. Turnbull wrote:

> Terry Reedy writes:
>
> > "Stephen J. Turnbull" <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]
> > | The impression that many people (including python-dev regulars) have
> > | that there is a "policy" of "support" for both the current release
> > | (2.5) and the (still very widely used) previous release (2.4) is a
> > | real problem, and needs to be addressed.
> >
> > I agree that such mis-understanding should be addressed. So I now think a
> > paragraph summarizing Martin's info PEP, ending with "For details, see
> > PEPxxx.", would be a good idea.
>
> FWIW, after Martin's explanation, and considering the annoyance of
> keeping updates sync'ed (can PEPs be amended after acceptance, or only
> superseded by a new PEP, like IETF RFCs?), I tend to support Barry's
> suggestion of a brief listing of current releases and next planned,
> and "Python policy concerning release planning is defined by [the
> current version of] PEPxxx", with a link.

In which case doesn't it make more sense to use the existing mechanism of PEP 356 (Release Schedule)? If something isn't listed in there (even without dates) then there are no current plans to release it, and that tells the reader everything they need to know.

At the moment the PEP begins with "This document describes the development and release schedule for Python 2.5." but it could just as easily say "future releases of the Python 2.X series" or something similar.

Which reminds me, that PEP needs updating!

regards
 Steve

-- 
Steve Holden        +1 571 484 6266   +1 800 494 3119
Holden Web LLC/Ltd           http://www.holdenweb.com
Skype: holdenweb      http://del.icio.us/steve.holden
-------------- Asciimercial ---------------------
Get on the web: Blog, lens and tag your way to fame!!
holdenweb.blogspot.com        squidoo.com/pythonology
tagged items:         del.icio.us/steve.holden/python
All these services currently offer free registration!
------------------ Thank You for Reading ------------
Re: [Python-Dev] Official version support statement
Steve Holden wrote:

> In which case doesn't it make more sense to use the existing mechanism
> of PEP 356 (Release Schedule)? If something isn't listed in there (even
> without dates) then there are no current plans to release it, and that
> tells the reader everything they need to know.
>
> At the moment the PEP begins with "This document describes the
> development and release schedule for Python 2.5." but it could just as
> easily say "future releases of the Python 2.X series" or something similar.
>
> Which reminds me, that PEP needs updating!

Those release schedule PEPs are mainly a TODO list leading up to the 2.x.0 releases, though - there's a new one for each major version bump:

PEP 160 - Python 1.6
PEP 200 - Python 2.0
PEP 226 - Python 2.1
PEP 251 - Python 2.2
PEP 283 - Python 2.3
PEP 320 - Python 2.4
PEP 356 - Python 2.5
PEP 361 - Python 2.6

Cheers,
Nick.

-- 
Nick Coghlan   |   [EMAIL PROTECTED]   |   Brisbane, Australia
---------------------------------------------------------------
            http://www.boredomandlaziness.org
Re: [Python-Dev] Official version support statement
Nick Coghlan wrote:

> Steve Holden wrote:
>> In which case doesn't it make more sense to use the existing mechanism
>> of PEP 356 (Release Schedule)? If something isn't listed in there
>> (even without dates) then there are no current plans to release it,
>> and that tells the reader everything they need to know.
>>
>> At the moment the PEP begins with "This document describes the
>> development and release schedule for Python 2.5." but it could just as
>> easily say "future releases of the Python 2.X series" or something
>> similar.
>>
>> Which reminds me, that PEP needs updating!
>
> Those release schedule PEPs are mainly a TODO list leading up to the
> 2.x.0 releases, though - there's a new one for each major version bump:
>
> PEP 160 - Python 1.6
> PEP 200 - Python 2.0
> PEP 226 - Python 2.1
> PEP 251 - Python 2.2
> PEP 283 - Python 2.3
> PEP 320 - Python 2.4
> PEP 356 - Python 2.5
> PEP 361 - Python 2.6
>
> Cheers,
> Nick.

Thanks, it wouldn't be appropriate then (and 361 *doesn't* need updating).

regards
 Steve

-- 
Steve Holden        +1 571 484 6266   +1 800 494 3119
Holden Web LLC/Ltd           http://www.holdenweb.com
Skype: holdenweb      http://del.icio.us/steve.holden
-------------- Asciimercial ---------------------
Get on the web: Blog, lens and tag your way to fame!!
holdenweb.blogspot.com        squidoo.com/pythonology
tagged items:         del.icio.us/steve.holden/python
All these services currently offer free registration!
------------------ Thank You for Reading ------------
Re: [Python-Dev] Summary of Tracker Issues
Talin <[EMAIL PROTECTED]> wrote:

> Terry Reedy wrote:
> > My underlying point: seeing porno spam on the practice site gave me a bad
> > itch both because I detest spammers in general and because I would not want
> > visitors turned off to Python by something that is completely out of place
> > and potentially offensive to some. So I am willing to help us not throw up
> > our hands in surrender.
>
> There are various other solutions. The spammer's client isn't generally
> a full browser, it's just a bare HTTP robot, so if there's some kind of
> Javascript that is required to post, then the spammer probably won't be
> able to execute it. For example, you could have a hidden field which is
> a hash of the bug summary line, calculated by the Javascript in the web
> form, which is checked by the server. (For people who have JS turned
> off, failing the check would fall back to a captcha or some other manual
> means of identification.)

I'm not sure how effective the question/answer stuff is, but a bit of javascript seems to be a good idea.

What has also worked on a phpbb forum that I admin is "Stop Spambot Registration". As the user is registering, it tells them not to enter any profile information when they are registering, that they should do that later. Anyone who enters any profile information is flagged as a spammer, their registration rejected, and I get an email (of the 35 rejections I've received, none have been legitimate users, and only one smart spambot got through, but he had a drug-related name and was easy to toss). If we include fake profile entries during registration that we tell people not to fill in (like 'web page', 'interests', etc.), we may catch some foolish spambots.

Of course there is the other *really* simple option of just renaming registration form entry names. Have a 'username' field, but make it hidden and empty by default, rejecting registration if it is not empty. The real login form name could be generated uniquely for each registration attempt, and verified against another hidden form with minimal backend database support. While it would only take a marginally intelligent spambot to defeat it, it should thwart the stupid spambots.

 - Josiah
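The two "really simple" options Josiah describes (a decoy `username` field that must stay empty, and a real field whose name is generated per registration attempt and verified server side) are implemented below as an added example. It is not roundup or phpbb code; the secret key, the nonce length, the HTML fragment and the sample submissions are constructed for the demonstration. The "minimal backend database support" is modelled as a set of nonces already consumed, and the real field name is derived from the nonce with an HMAC so that no per-attempt row needs to be stored beyond that set.

```python
"""Honeypot field plus per-attempt randomised field name for a registration form."""
import hashlib
import hmac
import secrets
from html import escape

# Constructed demo key; a deployment would generate one and keep it server side.
SECRET = b"constructed-demo-secret"


def field_name(nonce: str) -> str:
    """Real username field name for this attempt; unguessable without SECRET."""
    digest = hmac.new(SECRET, nonce.encode(), hashlib.sha256).hexdigest()
    return "f_" + digest[:16]


def render_form():
    """Return (nonce, html) for one registration attempt."""
    nonce = secrets.token_hex(8)
    real = field_name(nonce)
    html = (
        f'<input type="hidden" name="nonce" value="{escape(nonce)}">'
        # Decoy keeps the tempting name; CSS hides it, so humans leave it empty.
        '<input type="text" name="username" style="display:none" autocomplete="off">'
        f'<input type="text" name="{real}" placeholder="Username">'
    )
    return nonce, html


def validate(form: dict, used_nonces: set):
    """Return the submitted username if the attempt looks human, else None.

    Rejects: missing or replayed nonce, a filled honeypot, or an empty real field.
    """
    nonce = form.get("nonce", "")
    if not nonce or nonce in used_nonces:
        return None
    used_nonces.add(nonce)            # single use, whatever the outcome
    if form.get("username"):          # honeypot filled in: a bot copying every field
        return None
    value = form.get(field_name(nonce), "").strip()
    return value or None


if __name__ == "__main__":
    seen = set()
    nonce, html = render_form()
    print(html)
    print(validate({"nonce": nonce, field_name(nonce): "josiah"}, seen))
```

A bot that fetches the form and echoes every field back fails on the honeypot; one that posts a canned field list fails because the real name changes per attempt; and a captured form can be replayed at most once. None of this stops a bot that renders the page and fills only the visible inputs, which is the limit the message itself states.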
Re: [Python-Dev] Summary of Tracker Issues
> My underlying point: seeing porno spam on the practice site gave me a bad
> itch both because I detest spammers in general and because I would not want
> visitors turned off to Python by something that is completely out of place
> and potentially offensive to some. So I am willing to help us not throw up
> our hands in surrender.

Would that help go so far as to provide patches to the roundup installation?

Regards,
Martin
Re: [Python-Dev] Summary of Tracker Issues
On Wed, May 16, 2007, Josiah Carlson wrote:
>
> I'm not sure how effective the question/answer stuff is, but a bit of
> javascript seems to be a good idea.

Just for the record (and to few people's surprise, I'm sure), I am entirely opposed to any use of JavaScript.

-- 
Aahz ([EMAIL PROTECTED])           <*>         http://www.pythoncraft.com/

"Look, it's your affair if you want to play with five people, but don't
go calling it doubles."  --John Cleese anticipates Usenet
Re: [Python-Dev] Summary of Tracker Issues
On Thursday 17 May 2007, Aahz wrote:
> On Wed, May 16, 2007, Josiah Carlson wrote:
> > I'm not sure how effective the question/answer stuff is, but a
> > bit of javascript seems to be a good idea.
>
> Just for the record (and to few people's surprise, I'm sure), I
> am entirely opposed to any use of JavaScript.

What about flash, instead, then?

/ducks

-- 
Anthony Baxter     <[EMAIL PROTECTED]>
It's never too late to have a happy childhood.
Re: [Python-Dev] Summary of Tracker Issues
>Typically spammers don't go through the effort to do a custom login
>script for each different site. Instead, they do a custom login script
>for each of the various software applications that support end-user
>comments. So for example, there's a script for WordPress, and one for
>PHPNuke, and so on.

In my experience, what you say is true - the bulk of the spam comes via generic spamming software that has been hard-coded to work with a finite number of applications.

However - once you knock these out, there is still a steady stream of what are clearly human generated spams. The mind boggles at the economics or desperation that make this worthwhile.

-- 
Andrew McNamara, Senior Developer, Object Craft
http://www.object-craft.com.au/
Re: [Python-Dev] Summary of Tracker Issues
Andrew McNamara wrote:

>> Typically spammers don't go through the effort to do a custom login
>> script for each different site. Instead, they do a custom login script
>> for each of the various software applications that support end-user
>> comments. So for example, there's a script for WordPress, and one for
>> PHPNuke, and so on.
>
> In my experience, what you say is true - the bulk of the spam comes via
> generic spamming software that has been hard-coded to work with a finite
> number of applications.
>
> However - once you knock these out, there is still a steady stream of
> what are clearly human generated spams. The mind boggles at the economics
> or desperation that make this worthwhile.

Actually, it doesn't cost that much, because typically the spammer can trick other humans into doing their work for them.

Here's a simple method: Put up a free porn site, with a front page that says "you must be 18 or older to enter". The page also has a captcha to verify that you are a real person. But here's the trick: The captcha is actually a proxy to some other site that the spammer is trying to get access to. When the human enters in the correct word, the spammer's server sends that word to the target site, which results in a successful login/registration. Now that the spammer is in, they can post comments or whatever they need to do.

-- Talin
Re: [Python-Dev] Summary of Tracker Issues
>> However - once you knock these out, there is still a steady stream of
>> what are clearly human generated spams. The mind boggles at the economics
>> or desperation that make this worthwhile.
>
>Actually, it doesn't cost that much, because typically the spammer can
>trick other humans into doing their work for them.
>
>Here's a simple method: Put up a free porn site, with a front page that
>says "you must be 18 or older to enter". The page also has a captcha to
>verify that you are a real person. But here's the trick: The captcha is
>actually a proxy to some other site that the spammer is trying to get
>access to. When the human enters in the correct word, the spammer's
>server sends that word to the target site, which result in a successful
>login/registration. Now that the spammer is in, they can post comments
>or whatever they need to do.

Yep - I was aware of this trick, but the ones I'm talking about have also got through filling out questionnaires, and whatnot. Certainly the same technique could be used, but my suspicion is that real people are being paid a pittance to sit in front of a PC and spam anything that moves.

-- 
Andrew McNamara, Senior Developer, Object Craft
http://www.object-craft.com.au/