Great Circle Associates List-Managers
(October 1999)
 


Subject: spammers and list confirmations
From: John R Levine <johnl @ iecc . com>
Date: Thu, 14 Oct 1999 01:02:39 -0400 (EDT)
To: Tom Neff <tneff @ bigfoot . com>
Cc: List-Managers @ GreatCircle . COM
In-reply-to: <NDBBLGMIGNLPGELLJNNIAEMBCBAA.tneff@bigfoot.com>

> "script confirms" prohibitively difficult.  Every week I get more
> "legitimate" joins on my lists, from addresses that are clearly address
> bots.

Do they deal with and acknowledge confirmations?  If so, what kind of
challenge do you do? 

I've experimented with three kinds:

* The majordomo kind, where you have to send back a cookie that's a hash of
the subscriber's address, so the software doesn't remember who tried to
subscribe.  It keeps spammers out, but it keeps too many real users out, too. 

* A cookie that the server remembers, which I originally wrote for
soc.religion.unitarian-univ, the original robomoderated newsgroup and for
abuse.net.  The first time it hears from an address, it remembers the
message, generates a cookie, and sends back an autoack with the cookie in the
subject line and a bunch of boilerplate, in about the third paragraph of
which is the magic phrase that has to appear on the first line of the
response, "yes" for s.r.u-u and "I accept" for abuse.net.  The response has
to come from the right address, contain the cookie, and have the magic
phrase.  This works pretty well.  It even keeps out lamers who are too
impatient to read the welcome message. 

* The web kind, with a URL in the confirmation message that you click to 
confirm.  I'm moving to these, since they're the least confusing and work 
even if the user's outgoing and incoming addresses are different.  My 
main issue is how to do them and keep it reasonably easy for non-web 
users to confirm.  In many cases it's a non-issue since the only way to 
subscribe is from a web site, but in general, I have to deal with it.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner
Finger for PGP key, f'print = 3A 5B D0 3F D9 A0 6A A4  2D AC 1E 9E A6 36 A3 47 
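
The first two confirmation styles described in the message above, as an added Python example (not code from the original post, Majordomo, or the abuse.net software). The keyed HMAC, the key value, the 16-character truncation, and the names `stateless_cookie`, `stateless_ok` and `PendingStore` are assumptions made for illustration; replies are assumed to be plain-text, single-part messages.

```python
import hashlib
import hmac
import secrets
from email import message_from_string
from email.utils import parseaddr

SERVER_KEY = b"constructed-demo-key"  # assumption: per-list secret, constructed
MAGIC_PHRASE = "i accept"             # the abuse.net phrase named in the post


def stateless_cookie(address: str) -> str:
    """First kind: cookie is a keyed hash of the address, nothing is stored."""
    mac = hmac.new(SERVER_KEY, address.lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def stateless_ok(address: str, cookie: str) -> bool:
    return hmac.compare_digest(stateless_cookie(address), cookie)


class PendingStore:
    """Second kind: the server remembers address -> (cookie, held message)."""

    def __init__(self):
        self.pending = {}

    def first_contact(self, address: str, message: str) -> str:
        cookie = secrets.token_hex(8)          # random, unrelated to the address
        self.pending[address.lower()] = (cookie, message)
        return cookie                          # sent in the autoack Subject line

    def confirm(self, raw_reply: str):
        """Return the held message only if all three checks pass, else None."""
        msg = message_from_string(raw_reply)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        entry = self.pending.get(sender)
        if entry is None:                      # reply from an unknown address
            return None
        cookie, held = entry
        body = msg.get_payload()
        if not isinstance(body, str) or cookie not in str(msg.get("Subject", "")):
            return None                        # multipart reply or cookie missing
        lines = body.strip().splitlines()      # leading blank lines are skipped
        first = lines[0].strip().lower() if lines else ""
        if MAGIC_PHRASE not in first:          # phrase must be on the first line
            return None
        del self.pending[sender]               # cookie is single use
        return held
```

The stateless cookie binds the confirmation to the exact address that was hashed, which is why a reply sent from a different outgoing address fails it; the stored cookie in `PendingStore` fails the same way because the lookup is keyed on the sender.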




