Am 17.03.2011 22:06, schrieb Platonides:
Daniel Friesen wrote:
The spammers haven't coded the bots to handle QuestyCaptcha yet, but if people start using it to stop them, then they will code it into the bot.
Questy captcha is a free form question. You can't learn how to bypass any instance of it. Not even a human would be able to bypass it using just generic knowledge (eg. a foreign speaker). The most that bots could do is to try with common answers such as a the wiki name, or domain. No bot would be able to solve all by itself "Who is the current companion of Doctor Who?"* OTOH it's highly annoying for those users which don't know about Doctor Who, or that for some reason get their answer rejected. I was once denied access by one captcha of that kind (naming the character of the image) despite having found the correct answer, I don't remember exactly what was the issue. So you may also want to provide some email address for appealing.
*Once a human instructs it, they are able to use it multiple times at that wiki, though.
In Germany, there's a fairy tale about a race between a hare and a hedgehog; I just tried to translate it and found "hare and tortoise" (http://www.dltk-teach.com/fables/tortoise/tale.htm)
We are the hare, but the hedgehog/tortoise is faster, it seems.
The only way out that I can think of is for us, to find those measures that are easy to implement, and that raise the hurdle for the spammer such that the programming effort deters them.
One way that I've been thinking of is to just block the outgoing emails to addresses like shown by "grep gmail /var/log/maillog|grep to=", namely fro.stc.h.r.i.st.i.an80@gmail.com, e.u.g.eni.o.s.c.hmidt.1.0@gmail.com, c.r.o.s.b.y.d.o.k.eocet.ua.n@gmail.com and so on.
So, a simple way is to use a one-liner for the sendmail and postfix configuration files, which would ideally only affect *.*.*.*.*@gmail.com addresses.
I found that To:gmail.com REJECT (with one or multiple tabs where the blank appears in the line above) seems to work well when appended to /etc/mail/access which is used by sendmail on my CentOS-5.5 machine. Nota bene: only wikis are on this machine, so it's ok to not confirm account creation to gmail users - they can be told to subscribe with different emails.
I have not yet been able to find out why on my SL-6 machines gmail.com REJECT as the last line /etc/postfix/access does not seem to work - at least I see no "reject" message in /var/log/maillog.
thanks,
Kay
Kay Diederichs Kay.Diederichs@gmx.de wrote:
I found that To:gmail.com REJECT (with one or multiple tabs where the blank appears in the line above) seems to work well when appended to /etc/mail/access which is used by sendmail on my CentOS-5.5 machine. Nota bene: only wikis are on this machine, so it's ok to not confirm account creation to gmail users - they can be told to subscribe with different emails.
I have not yet been able to find out why on my SL-6 machines gmail.com REJECT as the last line /etc/postfix/access does not seem to work - at least I see no "reject" message in /var/log/maillog.
Typically /etc/postfix/access is associated with smtpd_client_restrictions, to check just do:
postconf | grep access
and you may see something like:
smtpd_client_restrictions = check_client_access hash:/etc/postfix/access
The manual[1] says, that check_client_access means:
Search the specified access database for the client hostname, parent domains, client IP address, or networks obtained by stripping least significant octets. See the access(5) manual page for details.
To check for outgoing email domain names (this is the equivalent of sendmail's "To:" in the accessdb) you need to use "smtpd_recipient_restrictions" parameter with possibly a different file.
Something like
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/rcpt_access
will let you use another postfix map for the RCPT To: addresses. See[2]
Note: this will work only if you submit mail externally (i.e. via SMTP port) and not via local submission not handled by smtpd.
Sendmail allows you to put different kinds of rules and restrictions in the access file, with Postfix you should be careful and possible keep separate access maps.
//Marcin
[1] http://www.postfix.org/postconf.5.html#smtpd_client_restrictions [2] http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions
mediawiki-l@lists.wikimedia.org