> "script confirms" prohibitively difficult. Every week I get more
> "legitimate" joins on my lists, from addresses that are clearly address

Do they deal with and acknowledge confirmations? If so, what kind of
challenge do you do?

I've experimented with three kinds:
* The majordomo kind, where you have to send back a cookie that's a hash of
the subscriber's address, so the software doesn't remember who tried to
subscribe. It keeps spammers out, but it keeps too many real users out, too.
* A cookie that the server remembers, which I originally wrote for
soc.religion.unitarian-univ, the original robomoderated newsgroup, and for
abuse.net. The first time it hears from an address, it remembers the
message, generates a cookie, and sends back an autoack with the cookie in the
subject line and a bunch of boilerplate, in about the third paragraph of
which is the magic phrase that has to appear on the first line of the
response, "yes" for s.r.u-u and "I accept" for abuse.net. The response has
to come from the right address, contain the cookie, and have the magic
phrase. This works pretty well. It even keeps out lamers who are too
impatient to read the welcome message.
* The web kind, with a URL in the confirmation message that you click to
confirm. I'm moving to these, since they're the least confusing and work
even if the user's outgoing and incoming addresses are different. My
main issue is how to do them and keep it reasonably easy for non-web
users to confirm. In many cases it's a non-issue since the only way to
subscribe is from a web site, but in general, I have to deal with it.

John Levine, firstname.lastname@example.org, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner
Finger for PGP key, f'print = 3A 5B D0 3F D9 A0 6A A4 2D AC 1E 9E A6 36 A3 47
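
A sketch of the server-remembered cookie scheme described in the second bullet above, as an added example that is not code from the original post or from the s.r.u-u or abuse.net software. The class and method names are hypothetical, and generating the cookie at random with Python's secrets module is an assumption; the post does not say how the cookie is produced.

```python
import hmac
import secrets

MAGIC_PHRASE = "I accept"   # the phrase the post gives for abuse.net


class ConfirmQueue:
    """Hypothetical holder for first messages awaiting confirmation."""

    def __init__(self):
        self.pending = {}       # normalized address -> (cookie, held message)
        self.confirmed = set()

    @staticmethod
    def _norm(addr):
        return addr.strip().lower()

    def first_contact(self, addr, message):
        """Remember the message; return the cookie for the autoack subject."""
        addr = self._norm(addr)
        if addr in self.confirmed:
            return None                     # already confirmed, no challenge
        if addr not in self.pending:
            # Assumption: random cookie, so it cannot be derived from the address.
            self.pending[addr] = (secrets.token_hex(8), message)
        return self.pending[addr][0]

    def handle_reply(self, from_addr, subject, body):
        """Return the held message if all three checks pass, else None."""
        addr = self._norm(from_addr)
        entry = self.pending.get(addr)
        if entry is None:                   # check 1: comes from the right address
            return None
        cookie, held = entry
        # check 2: cookie appears in the subject (tolerates a "Re:" prefix)
        if not any(hmac.compare_digest(w.encode(), cookie.encode())
                   for w in subject.split()):
            return None
        # check 3: magic phrase is the first line of the response
        lines = body.splitlines()
        first = lines[0].strip().rstrip(" .!").lower() if lines else ""
        if first != MAGIC_PHRASE.lower():
            return None
        del self.pending[addr]              # cookie is single use
        self.confirmed.add(addr)
        return held
```

A reply that has the right cookie but buries the phrase below the first line is rejected, which is the behaviour the post describes for people who do not read the welcome message.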