Re: [sympa-users] spambots hitting subscription request page

Subject: The mailing list for listmasters using Sympa

  • From: David Verdin <address@concealed>
  • To: address@concealed
  • Subject: Re: [sympa-users] spambots hitting subscription request page
  • Date: Wed, 10 Apr 2013 09:45:26 +0200

Hi Matt,

On 08/04/13 21:26, Matt Taggart wrote:
Hi sympa-users,

One of the lists we host has set up a web form on their website so people 
can enter their address and then get automatically directed to

https://listserver/www?list=listname&action=subrequest&email=foo%40bar.com&action_subrequest=submit

which contains a button the user clicks to confirm submitting the request. 
When the button is clicked the address is emailed the confirmation request.

What we are seeing is that webcrawling spambots are able to enter an 
address in the form, submit, and then click the confirmation button. But 
they usually use a bad email address, so this results in the confirmation 
email bouncing to listmaster. We're seeing dozens of these a day.

Darn.
Do you think these bots would follow two forms in a row? If not, you could submit the form directly to Sympa (by POST instead of GET).
All Sympa actions can make use of GET as well as of POST requests.

All you would have to do would be to set up a form like this:

<html>
    <head/>
    <body>
        <form action="http://<your_sympa_server>/sympa" method="POST">
            <input type="hidden" name="action" value="subrequest">
            <input type="text" name="email">
            <input type="hidden" name="action_subrequest" value="submit">
            <input type="hidden" name="list" value="<listname>">
            <input type="submit"><!-- Don't give a name to this input, it would probably trigger an error in Sympa-->
        </form>
    </body>
</html>

It should do the trick.

Regards,

David

Is there something we can do to prevent this? Maybe a captcha or some other 
way to exclude the spambots?

Thanks,


--
A bug in Sympa? Quick! To the bug tracker!

 
David Verdin
Infrastructure pour les Services Informatiques
 

Tel: +33 2 23 23 69 71
Fax: +33 2 23 23 71 21
 

www.renater.fr
RENATER
263 Avenue du Gal Leclerc
35042 Rennes Cedex
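
To see how many subscription requests are still arriving through GET links like the one quoted in the thread (for example, before and after the site form is switched to POST), the web server's access log can be filtered on those query parameters. This is an added example, not part of either message in the thread; the combined log format, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in "combined" access-log format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [09/Apr/2013:10:01:02 +0200] "GET /www?list=listname&action=subrequest&email=foo%40bar.com&action_subrequest=submit HTTP/1.1" 200 5120 "-" "ExampleBot/1.0"
198.51.100.7 - - [09/Apr/2013:10:01:03 +0200] "GET /www?list=listname&action=subrequest&email=x%40invalid.example&action_subrequest=submit HTTP/1.1" 200 5120 "-" "ExampleBot/1.0"
203.0.113.20 - - [09/Apr/2013:10:05:44 +0200] "POST /sympa HTTP/1.1" 200 4890 "https://www.example.org/join" "Mozilla/5.0"
203.0.113.21 - - [09/Apr/2013:10:06:10 +0200] "GET /www/info/listname HTTP/1.1" 200 7311 "-" "Mozilla/5.0"
198.51.100.9 - - [09/Apr/2013:10:07:30 +0200] "GET /www?list=listname&action=subrequest&email=a%40b.example&action_subrequest=submit HTTP/1.1" 200 5120 "-" "OtherBot/2.0"
"""

# Client address, HTTP method and request target from one combined-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)


def subrequest_gets(log_text):
    """Yield (client_ip, list_name, email) for each GET carrying the
    action=subrequest / action_subrequest=submit query string from the thread."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("method") != "GET":
            continue  # POST submissions carry their parameters in the body
        q = parse_qs(urlsplit(m.group("target")).query)
        if q.get("action") == ["subrequest"] and q.get("action_subrequest") == ["submit"]:
            yield m.group("ip"), q.get("list", [""])[0], q.get("email", [""])[0]


def summarize(log_text):
    """Return (hits per client address, sorted distinct submitted addresses)."""
    hits = list(subrequest_gets(log_text))
    per_client = Counter(ip for ip, _, _ in hits)
    addresses = sorted({email for _, _, email in hits})
    return per_client, addresses


if __name__ == "__main__":
    per_client, addresses = summarize(SAMPLE_LOG)
    for ip, count in per_client.most_common():
        print(f"{ip}\t{count} GET subscription request(s)")
    print("addresses submitted:", ", ".join(addresses))
```

Comparing the per-client counts with the bounce messages reaching listmaster shows whether the bounces come from the GET link or from the form itself.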


