You definitely need anti-bot protection because currently you produce
bounce SPAM and may be used for targeted SPAM / DDoS, especially if you
reflect some user input (e.g. first name / last name). Currently, bots
of this kind do not bother to emulate user behavior, and checking that
the user has visited the form page before submitting the form in the
same session, with a reasonable interval between the two requests, is
enough in most cases to distinguish a real user from a bot without
requiring a CAPTCHA. In future you may be required to implement a
CAPTCHA or some other form of stronger protection.

Most requests of this kind come from hosting networks. Because you
usually do not expect real users' requests from this kind of network,
you can blacklist hosting networks entirely. There is a risk of losing
a small fraction of users who use a VPS for proxy/VPN connections.

Vick Khera writes:
> As an ESP, we host mailing list signup forms for many customers. Of
> late, it appears they have been getting pounded on with fraudulent
> signups for real addresses. Sometimes the people confirm by clicking
> the confirmation link in the message and we are left scratching our
> heads as to why they would do that. Mostly they get ignored and
> sometimes they come back as spam complaints.
>
> One opinion I got regarding this was that people were using bots to
> sign up other bot-driven email addresses at gmail, yahoo, etc. to
> newsletter lists, to make those mailboxes look more real before they
> became "weaponized" for use in sending junk. That does not seem to be
> entirely what is happening here...
>
> Today we got a set of complaints for what appears to be a personal
> email address at a reasonably sized ISP. The complaint clearly
> identified the messages as a signup confirmation message and chastised
> us for not having the form protected by a CAPTCHA. Of course, they
> blocked some of our IPs for good measure :( They characterized it as a
> DDoS.
>
> What are the folks on this fine list doing about this kind of abuse?
> We do have the ability to turn on CAPTCHA for our customers, but often
> they have nicely integrated the signup forms into their own web sites
> and making it work for those is pretty complicated. If I enabled
> CAPTCHA naively, the subscribers would have to click the submit form
> twice and then click the confirm on the email. The UX for that sucks,
> but such is the cost of allowing jerks on the internet...
>
> Rate limiting doesn't seem to be useful since the forms are being
> submitted at low rates and from a wide number of IP addresses.
>
> I look forward to hearing what others here are doing.
>
>
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


-- 
Vladimir Dubrovin
@Mail.Ru