
Wiki pulled down due to excessive spam

  • Shlomi Fish
    Message 1 of 22 , May 23 1:01 PM
      Hi all!

      I had to disable the wiki due to an excessive amount of spam in the last
      couple of days. It seems that one spammer is using a network of zombie
      computers to spam our wiki. We are using rel="nofollow" and I monitor the RSS
      feed, but he still continues.

      I hope this guy gets caught and stuff. I can give some of the IPs that were
      used to spam the wiki if that's any help.

      Regards,

      Shlomi Fish

      ---------------------------------------------------------------------
      Shlomi Fish shlomif@...
      Homepage: http://www.shlomifish.org/

      Tcl is LISP on drugs. Using strings instead of S-expressions for closures
      is Evil with one of those gigantic E's you can find at the beginning of
      paragraphs.
    • Arik Baratz
      Message 2 of 22 , May 23 4:54 PM
        On 23/05/05, Shlomi Fish <shlomif@...> wrote:
        > Hi all!
        >
        > I had to disable the wiki due to an excessive amount of spam in the last
        > couple of days. It seems that one spammer is using a network of zombie
        > computers to spam our wiki. We are using rel="nofollow" and I monitor the RSS
        > feed, but he still continues.

        Shlomi,

        Don't take it down, just make it subscribe-only.

        -- Arik
      • Shlomi Fish
        Message 3 of 22 , May 23 9:48 PM
          On Tuesday 24 May 2005 02:54, Arik Baratz wrote:
          > On 23/05/05, Shlomi Fish <shlomif@...> wrote:
          > > Hi all!
          > >
          > > I had to disable the wiki due to an excessive amount of spam in the last
          > > couple of days. It seems that one spammer is using a network of zombie
          > > computers to spam our wiki. We are using rel="nofollow" and I monitor the
          > > RSS feed, but he still continues.
          >
          > Shlomi,
          >
          > Don't take it down, just make it subscribe-only.
          >

          That I will do. But first I need to research how to do it. I also want to see
          if a subscription can involve confirmation by E-mail.

          Regards,

          Shlomi Fish

          ---------------------------------------------------------------------
          Shlomi Fish shlomif@...
          Homepage: http://www.shlomifish.org/

          Tcl is LISP on drugs. Using strings instead of S-expressions for closures
          is Evil with one of those gigantic E's you can find at the beginning of
          paragraphs.
        • Shlomi Fish
          Message 4 of 22 , May 23 10:30 PM
            On Tuesday 24 May 2005 07:48, Shlomi Fish wrote:
            > On Tuesday 24 May 2005 02:54, Arik Baratz wrote:
            > > On 23/05/05, Shlomi Fish <shlomif@...> wrote:
            > > > Hi all!
            > > >
            > > > I had to disable the wiki due to an excessive amount of spam in the
            > > > last couple of days. It seems that one spammer is using a network of
            > > > zombie computers to spam our wiki. We are using rel="nofollow" and I
            > > > monitor the RSS feed, but he still continues.
            > >
            > > Shlomi,
            > >
            > > Don't take it down, just make it subscribe-only.
            >
            > That I will do. But first I need to research how to do it. I also want to
            > see if a subscription can involve confirmation by E-mail.
            >

            OK. Done. The wiki has been restored. However, there doesn't seem to be a way
            to require an E-mail handshake right now. Time for some PHP hacking? ;-)

            Regards,

            Shlomi Fish

            ---------------------------------------------------------------------
            Shlomi Fish shlomif@...
            Homepage: http://www.shlomifish.org/

            Tcl is LISP on drugs. Using strings instead of S-expressions for closures
            is Evil with one of those gigantic E's you can find at the beginning of
            paragraphs.
          • amos@amos.mailshell.com
            Message 5 of 22 , May 23 10:53 PM
              On 5/24/05, Shlomi Fish
              <shlomif.at.iglu.org.il@...> wrote:
              > OK. Done. The wiki has been restored. However, there doesn't seem to be a way
              > to require an E-mail handshake right now. Time for some PHP hacking? ;-)

              In most wikis I'm aware of, wacky character images (the ones which
              look as if you see them through a badly damaged bottom of
              whisky-bottle) are the most common "human authentication" way today.
              I suspect this has become prevalent because spam bots became clever
              enough to give a working temporary e-mail address and be able to
              register automatically.

              I can't find such tools right now (forgot the term used to refer to
              this trick), but apparently the practice which happened on your wiki
              is called "wikispam" and you can find lots of stuff on the net by
              looking this term up.
              Here is a page I saw to be referenced from a few places:
              http://www.usemod.com/cgi-bin/mb.pl?WikiSpam

              Cheers,

              --Amos
            • Tal Kelrich
              Message 6 of 22 , May 24 1:15 AM
                On Tue, 24 May 2005 15:53:51 +1000
                amos@... wrote:

                > In most wikis I'm aware of, wacky character images (the ones which
                > look as if you see them through a badly damaged bottom of
                > whisky-bottle) are the most common "human authentication" way today.

                That's called a Captcha. [1]

                BTW, WikiMedia has a couple of anti-spam features, including a URL
                blacklist. [2]


                [1] http://en.wikipedia.org/wiki/Captcha
                [2] http://meta.wikimedia.org/wiki/Anti-spam_Features

                --
                Tal Kelrich
                PGP fingerprint: 3EDF FCC5 60BB 4729 AB2F CAE6 FEC1 9AAC 12B9 AA69
                Key Available at: http://www.hasturkun.com/pub.txt
                ----
                The heart has its reasons which reason knows nothing of. -- Blaise
                Pascal
                ----
              • Arik Baratz
                Message 7 of 22 , May 24 3:23 AM
                  On 24/05/05, amos@... <amos@...> wrote:

                  > I can't find such tools right now (forgot the term used to refer to
                  > this trick),

                  http://en.wikipedia.org/wiki/Captcha

                  I haven't seen a MediaWiki plugin that does that, but there are free
                  php implementations.

                  -- Arik
                • Shoshannah Forbes
                  Message 8 of 22 , May 24 1:16 PM
                    On 24/05/2005, at 08:53, amos@... wrote:

                    > In most wikis I'm aware of, wacky character images (the ones which
                    > look as if you see them through a badly damaged bottom of
                    > whisky-bottle) are the most common "human authentication" way today.
                    > I suspect this has become prevalent because spam bots became clever
                    > enough to give a working temporary e-mail address and be able to
                    > register automatically.

                    They are called "CAPTCHA" and are a serious usability problem for
                    people with vision-related disabilities.
                    Hell, even without vision problems, I had enough of those reject me
                    after what I thought was an "l" turned out to be an "i" or a "1" or
                    other similar problems.


                    BTW, spammers have figured out how to bypass those: they set up a "free
                    porn site" that, in order to enter, you need to answer a CAPTCHA
                    pulled from another site.
                    Then the CAPTCHA and the answer are fed back to the original site, and
                    they're in.

                    There are also ways to beat it using only computers. See here:
                    http://haacked.com/archive/2005/01/31/2060.aspx
                    ---
                    Shoshannah Forbes
                    http://www.xslf.com
                  • Shoshannah Forbes
                    Message 9 of 22 , May 24 1:46 PM
                      On 24/05/2005, at 23:16, Shoshannah Forbes wrote:
                      > There are also ways to beat it using only computers. See here:
                      > http://haacked.com/archive/2005/01/31/2060.aspx

                      oops.. correct link:
                      http://www.brains-n-brawn.com/default.aspx?vDir=aicaptcha
                      he has links to other articles about computers solving CAPTCHAs.
                      ---
                      Shoshannah Forbes
                      http://www.xslf.com
                    • Tal Kelrich
                      Message 10 of 22 , May 25 4:10 AM
                        On Tue, 24 May 2005 23:16:02 +0300
                        Shoshannah Forbes <xslf@...> wrote:

                        >
                        > On 24/05/2005, at 08:53, amos@... wrote:
                        >
                        > > In most wikis I'm aware of, wacky character images (the ones
                        > > which look as if you see them through a badly damaged bottom of
                        > > whisky-bottle) are the most common "human authentication" way
                        > > today. I suspect this has become prevalent because spam bots became
                        > > clever enough to give a working temporary e-mail address and be
                        > > able to register automatically.
                        >
                        > They are called "CAPTCHA" and are a serious usability problem for
                        > people with vision related disabilities.
                        > Hell, even without vision problems, I had enough of those reject me
                        > after what I thought was an "l" turned out to be an "i" or a "1" or
                        > other similar problems.

                        There are audio Captchas that deal with the problem, clearer Captchas
                        exist, and most sites allow one to bypass the system entirely by mailing
                        an administrator.

                        > BTW, spammers have figured out how to bypass those- they set up a
                        > "free porn site", that in order to enter, you need to answer a
                        > CAPTCHA- pulled from another site.
                        > then the CAPTCHA and the answer are fed back to the original site- and
                        > they're in.

                        That's a fairly easy fix: you make your tokens non-reusable, dependent
                        on session, quick aging, etc.
                        Then they can only attack it in real time.

                        --
                        Tal Kelrich
                        PGP fingerprint: 3EDF FCC5 60BB 4729 AB2F CAE6 FEC1 9AAC 12B9 AA69
                        Key Available at: http://www.hasturkun.com/pub.txt
                        ----
                        "I may be synthetic, but I'm not stupid" -- the artificial person, from
                        _Aliens_
                        ----
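The token properties named in the message above (non-reusable, dependent on session, quick aging), as an added example that is not part of the original post. The class, method names, status strings and sample answers are hypothetical and constructed for illustration.

```python
import hmac
import secrets
import time


class ChallengeStore:
    """Server-side record of outstanding CAPTCHA challenges (hypothetical helper)."""

    def __init__(self, ttl_seconds=120, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so expiry can be exercised without sleeping
        self._pending = {}  # token -> (session_id, answer, expires_at)

    def issue(self, session_id, answer):
        """Create a challenge bound to one session; the answer never leaves the server."""
        token = secrets.token_urlsafe(16)
        self._pending[token] = (session_id, answer, self.clock() + self.ttl)
        return token

    def verify(self, session_id, token, response):
        # Non-reusable: the token is removed on the first attempt, right or wrong,
        # so a solved challenge cannot be replayed and a wrong guess cannot be retried.
        entry = self._pending.pop(token, None)
        if entry is None:
            return "unknown-or-used"
        bound_session, answer, expires_at = entry
        # Dependent on session: a token solved under another session is rejected.
        if not hmac.compare_digest(bound_session.encode(), session_id.encode()):
            return "wrong-session"
        # Quick aging: the answer is only accepted inside a short window.
        if self.clock() > expires_at:
            return "expired"
        given = response.strip().lower().encode()
        if not hmac.compare_digest(answer.lower().encode(), given):
            return "wrong-answer"
        return "ok"

    def purge(self):
        """Drop challenges nobody answered in time; returns how many were removed."""
        now = self.clock()
        stale = [t for t, (_, _, exp) in self._pending.items() if now > exp]
        for t in stale:
            del self._pending[t]
        return len(stale)


def demo():
    """Run each rejection path once against constructed sessions and answers."""
    now = [0.0]
    store = ChallengeStore(ttl_seconds=120, clock=lambda: now[0])
    results = {}

    t = store.issue("sess-A", "x7kq2")
    results["first"] = store.verify("sess-A", t, "X7KQ2")
    results["replay"] = store.verify("sess-A", t, "x7kq2")

    t = store.issue("sess-A", "m3p9w")
    results["other_session"] = store.verify("sess-B", t, "m3p9w")

    t = store.issue("sess-A", "h4t8z")
    now[0] += 121
    results["late"] = store.verify("sess-A", t, "h4t8z")

    t = store.issue("sess-A", "b6n1c")
    results["wrong"] = store.verify("sess-A", t, "guess")
    results["retry_after_wrong"] = store.verify("sess-A", t, "b6n1c")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```
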
                      • Nadav Har'El
                        Message 11 of 22 , May 25 10:18 AM
                          On Wed, May 25, 2005, Tal Kelrich wrote about "Re: [hackers-il] Wiki pulled down due to excessive spam":
                          > > BTW, spammers have figured out how to bypass those- they set up a
                          > > "free porn site", that in order to enter, you need to answer a
                          > > CAPTCHA- pulled from another site.
                          > > then the CAPTCHA and the answer are fed back to the original site- and
                          > > they're in.
                          >
                          > That's a fairly easy fix, you make your tokens non-reusable, dependent
                          > on session, quick aging, etc.
                          > then they can only attack it in real time.

                          None of these ideas help, because spammers *can* attack it in real time -
                          when a user goes into their porn site, they get a captcha from the wiki
                          (or whatever) site, and ask you to solve it for them.

                          Also, consider a captcha which has a 10% chance of being solved by a
                          good computer program. The attacker will need to run just 10 tries to
                          succeed in one with good probability.

                          So these CAPTCHAs can help, but are certainly not the silver bullet against
                          site abuse by robots.


                          --
                          Nadav Har'El | Wednesday, May 25 2005, 17 Iyyar 5765
                          nyh@... |-----------------------------------------
                          Phone +972-523-790466, ICQ 13349191 |How to become immortal: Read this
                          http://nadav.harel.org.il |signature tomorrow and follow its advice.
                        • Arik Baratz
                          Message 12 of 22 , May 25 10:38 AM
                            On 25/05/05, Nadav Har'El <nyh@...> wrote:
                            [snip]
                            > So these CAPTCHAs can help, but are certainly not the silver bullet against
                            > site abuse by robots.

                            I say let's use Captchas today, and worry about Captcha-cracking
                            monkeys or whatever becomes popular tomorrow - tomorrow. Shlomi - do
                            you need help with this?

                            -- Arik
                          • Gadi Evron
                            Message 13 of 22 , May 25 2:07 PM
                              Shlomi Fish wrote:
                              > Hi all!
                              >
                              > I had to disable the wiki due to an excessive amount of spam in the last
                              > couple of days. It seems that one spammer is using a network of zombie
                              > computers to spam our wiki. We are using rel="nofollow" and I monitor the RSS
                              > feed, but he still continues.
                              >
                              > I hope this guy gets caught and stuff. I can give some of the IPs that were
                              > used to spam the wiki if that's any help.

                              Sorry for not responding earlier.

                              DDoS'ing me is one of the stupidest things anyone can do.. and
                              unfortunately I am a member of this list and take them DDoS'ing you
                              rather personally.

                              I will help, please provide me with as many IPs + timestamps.

                              A tcpdump sample log would also be nice.

                              Gadi.
                            • Shoshannah Forbes
                              Message 14 of 22 , May 25 3:01 PM
                                On 25/05/2005, at 20:38, Arik Baratz wrote:

                                > I say let's use Captchas today, and worry about Captcha-cracking
                                > monkeys or whatever becomes popular tomorrow - tomorrow

                                Problem is, let's put it bluntly, that visual Captchas suck, and are a
                                real pain for legitimate users (and they block legit users many times,
                                not just blind and hard of seeing users either).

                                My point was that not only are visual Captchas a usability and
                                accessibility problem for legitimate users, they are not that effective
                                for a "black hat" to break, and with the widespread use of them, this
                                will happen sooner rather than later.

                                So- are they really necessary? Is the gain really worth the cost?
                                --
                                Shoshannah Forbes
                                http://www.xslf.com
                              • Arik Baratz
                                Message 15 of 22 , May 25 3:23 PM
                                  On 26/05/05, Shoshannah Forbes <xslf@...> wrote:
                                  > On 25/05/2005, at 20:38, Arik Baratz wrote:
                                  > > I say let's use Captchas today, and worry about Captcha-cracking
                                  > > monkeys or whatever becomes popular tomorrow - tomorrow
                                  >
                                  > Problem is, let's put it bluntly, that visual Captchas suck, and are a
                                  > real pain for legitimate users (and they block legit users many times,
                                  > not just blind and hard of seeing users either).

                                  Make them only a part of the user registration process, so a user has
                                  to deal with them only once. Have visually challenged people call
                                  someone by phone to register a user. Once you have a user, that's it.

                                  > So- are they really necessary? Is the gain really worth the cost?

                                  Well, if you want the wiki to stay down then they are not worth it,
                                  but if we want it up for the time being then definitely. As long as
                                  there is easier prey, that will work. A home-grown captcha on our page
                                  will be even harder, because someone will need to fit a
                                  captcha-guessing engine for OUR site, which is even more effort. I say
                                  we have a year until we need to think of something else. The wiki can
                                  stay down during that year, or it can stay up with minimal effort.
                                  What do you think?

                                  -- Arik
                                • amos@amos.mailshell.com
                                  Message 16 of 22 , May 25 3:29 PM
                                    On 5/26/05, Arik Baratz
                                    <arik.baratz.at.gmail.com@...> wrote:
                                    > there is easier prey, that will work. A home-grown captcha on our page
                                    > will be even harder, because someone will need to fit a
                                    > captcha-guessing engine for OUR site, which is even more effort. I say

                                    Which made me think - I don't know about developing a captcha in-house
                                    (there's probably some mathematics and heuristics developed in this area)
                                    but if the captcha is in Hebrew then I guess it will cut down the number of
                                    possible spam bots who can get through it by 99% (the percentage of
                                    Hebrew-speaking people among the porn users).

                                    > we have a year until we need to think of something else. The wiki can
                                    > stay down during that year, or it can stay up with minimal effort.
                                    > What do you think?

                                    I'd vote for at least a trial of a captcha (maybe Hebrew-based).
                                    Don't let what I perceive to be more theoretical arguments shoot this
                                    option down.

                                    >
                                    > -- Arik

                                    --Amos
                                  • Shoshannah Forbes
                                    Message 17 of 22 , May 25 3:43 PM
                                      On 26/05/2005, at 01:23, Arik Baratz wrote:
                                      > Have visually challenged people call
                                      > someone by phone to register a user. Once you have a user, that's it.

                                      Visually challenged people are not the only ones that lose
                                      accessibility due to visual captchas. There are also people with
                                      dyslexia, and even "normal" people with some captchas generated.

                                      Although having a one time captcha is not that bad (but still a pain).

                                      > Well, if you want the wiki to stay down then they are not worth it,
                                      > but if we want it up for the time being then definitely.

                                      Ah, so it is a binary thing? Either captcha or nothing at all? What
                                      about email verification mentioned here before?


                                      > A home-grown captcha on our page
                                      > will be even harder, because someone will need to fit a
                                      > captcha-guessing engine for OUR site, which is even more effort.

                                      There are general captcha-beating scripts out there, that can probably
                                      beat many home-grown captcha systems. For example:
                                      http://www.puremango.co.uk/cm_breaking_captcha_115.php
                                      http://sam.zoy.org/pwntcha/

                                      ---
                                      Shoshannah Forbes
                                      http://www.xslf.com
                                    • amos@amos.mailshell.com
                                      Message 18 of 22 , May 25 5:06 PM
                                        On 5/26/05, Shoshannah Forbes
                                        <xslf.at.actcom.co.il@...> wrote:
                                        >
                                        > On 26/05/2005, at 01:23, Arik Baratz wrote:
                                        > > Have visually challenged people call
                                        > > someone by phone to register a user. Once you have a user, that's it.
                                        >
                                        > Visually challenged people are not the only ones that lose
                                        > accessibility due to visual captchas. There are also people with
                                        > dyslexia, and even "normal" people with some captchas generated.
                                        >
                                        > Although having a one time captcha is not that bad (but still a pain).

                                        When I brought the Captcha idea it was for registration only, not
                                        for every time a user wants to login or post something.

                                        >
                                        > > Well, if you want the wiki to stay down then they are not worth it,
                                        > > but if we want it up for the time being then definitely.
                                        >
                                        > Ah, so it is a binary thing? Either captcha or nothing at all? What
                                        > about email verification mentioned here before?

                                        No. But captchas seem to be the strongest practical tool against
                                        spammers.

                                        I raised the captcha idea after arguing that many spam bots easily
                                        circumvent the e-mail registration verification with temporary e-mail
                                        addresses.

                                        > There are general captcha-beating scripts out there, that can probably
                                        > beat many home-grown captcha systems. For example:
                                        > http://www.puremango.co.uk/cm_breaking_captcha_115.php

                                        The first one simply relies on a basic bug in the captcha script logic
                                        which allows multiple attempts - pretty similar to brute-force. It can be
                                        easily fixed - limit the number of attempts to one or a very small number
                                        (it doesn't make sense that a reasonable user will try the same captcha
                                        more than about ten times).

                                        > http://sam.zoy.org/pwntcha/

                                        The "Escape from Captcha" link there indeed puts up some good arguments
                                        against captcha - but not many solutions.

                                        A couple of answers I thought about what it says:

                                        1. (Already suggested this): I guess that using Hebrew captcha should lock
                                        out most of the robots and circumnavigation schemes.

                                        2. A new idea - monitor the wiki:

                                        a. Create multi-level user accounts (two is enough?) - users who already
                                        edited some pages fine or were verified in some other way will become unlimited.
                                        b. Large changes (complete page replacements, or additions which consist
                                        mostly of many URLs) will have to be approved by an "unlimited user".

                                        Just some ideas.

                                        I'm trying not to lose the focus on what we want to achieve here:
                                        on one hand accessibility to a WIKI (i.e. any non-malicious member of the
                                        public should be able to participate) while avoiding automatic robots from
                                        defacing the pages.

                                        Cheers,

                                        --Amos
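The second idea in the message above (two account levels, with complete page replacements and mostly-URL additions from limited users held for approval), as an added example that is not part of the original post. The thresholds, function names, status strings and sample page text are assumptions constructed for illustration.

```python
import difflib
import re
from dataclasses import dataclass

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Assumed thresholds; tune against the wiki's real edit history.
REPLACEMENT_SIMILARITY = 0.2   # below this, the old page is considered replaced
URL_SHARE = 0.5                # added text that is at least half URL characters
PROMOTE_AFTER = 3              # accepted edits before an account becomes unlimited

PUBLISH = "publish"
HOLD_REPLACED = "hold: page replaced"
HOLD_URLS = "hold: mostly URLs"


@dataclass
class User:
    name: str
    approved_edits: int = 0
    verified: bool = False      # "verified in some other way"

    @property
    def unlimited(self):
        return self.verified or self.approved_edits >= PROMOTE_AFTER


def _matcher(old, new):
    # Compare line by line; autojunk off so short pages are not mis-scored.
    return difflib.SequenceMatcher(a=old.splitlines(), b=new.splitlines(),
                                   autojunk=False)


def added_text(old, new):
    """Lines that appear in the new revision but not in the old one."""
    new_lines = new.splitlines()
    added = []
    for tag, _, _, j1, j2 in _matcher(old, new).get_opcodes():
        if tag in ("insert", "replace"):
            added.extend(new_lines[j1:j2])
    return "\n".join(added)


def url_share(text):
    """Fraction of non-whitespace characters that belong to URLs."""
    total = len("".join(text.split()))
    if total == 0:
        return 0.0
    return sum(len(m.group(0)) for m in URL_RE.finditer(text)) / total


def triage(user, old, new):
    """Decide whether an edit goes live or waits for an unlimited user."""
    if user.unlimited:
        return PUBLISH
    if old.strip() and _matcher(old, new).ratio() < REPLACEMENT_SIMILARITY:
        return HOLD_REPLACED
    added = added_text(old, new)
    if added and url_share(added) >= URL_SHARE:
        return HOLD_URLS
    return PUBLISH


def record_accepted_edit(user):
    """Call when an edit was published or approved; returns the new level."""
    user.approved_edits += 1
    return user.unlimited


# Constructed sample page and edits.
OLD_PAGE = ("== Projects ==\nList of member projects.\n"
            "* Freecell Solver\n* Some tool\n")
GOOD_EDIT = OLD_PAGE + ("* Another project with a longer description, "
                        "see http://example.org/proj\n")
LINK_DUMP = OLD_PAGE + ("http://spam.example/a http://spam.example/b\n"
                        "http://spam.example/c cheap pills\n")
REPLACED = "Buy now\nGreat deals today\n"

if __name__ == "__main__":
    newcomer = User("newcomer")
    for label, text in [("good", GOOD_EDIT), ("links", LINK_DUMP),
                        ("replaced", REPLACED)]:
        print(label, "->", triage(newcomer, OLD_PAGE, text))
```
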
                                      • amos@amos.mailshell.com
                                        Message 19 of 22 , May 25 8:37 PM
                                          On 5/26/05, Gadi Evron <ge.at.linuxbox.org@...> wrote:
                                          > DDoS'ing me is one of the stupidest things anyone can do.. and
                                          > unfortunately I am a member of this list and take them DDoS'ing you
                                          > rather personally.
                                          >
                                          > I will help, please provide me with as many IPs + timestamps.
                                          >
                                          > A tcpdump sample log would also be nice.

                                          I'd be curious to hear war stories from this one if you may....

                                          >
                                          > Gadi.

                                          --A
                                        • Shoshannah Forbes
                                          Message 20 of 22 , May 26 7:40 AM
                                            On 26/05/2005, at 03:06, amos@... wrote:

                                            > I raised the captcha idea after arguing that many spam bots easily
                                            > circumvent the e-mail registration verification with temporary e-mail
                                            > addresses.

                                            I am not sure how they do that - these registration schemes tend to send
                                            the password for the logging (or an authentication token) to the mail
                                            box. Even if they use a temp email, they still need to check the
                                            mailbox to get the token/password.
                                            ---
                                            Shoshannah Forbes
                                            http://www.xslf.com
                                          • Arik Baratz
                                            Message 21 of 22 , May 26 8:08 AM
                                              On 26/05/05, Shoshannah Forbes <xslf@...> wrote:

                                              > I am not sure how they do that - these registration schemes tend to send
                                              > the password for the logging (or an authentication token) to the mail
                                              > box. Even if they use a temp email, they still need to check the
                                              > mailbox to get the token/password.

                                              Step 1. Buy a domain, can be anything really (like 93763924bbb.com)
                                              Step 2. Set up an MX record for the domain to a machine
                                              Step 3. Install an SMTP server on the machine that drops every
                                              incoming email message in a file
                                              Step 4. Parse the files as RFC-2822 messages, and look for a URL in the body
                                              Step 5. Visit every URL (i.e. perform the HTTP GET request and discard
                                              the result)

                                              And then run your robot and have it sign up for users and spam away.

                                              Again, we can make it more complicated by (for example) having a
                                              JavaScript algorithm on the confirm page that performs some action on
                                              the client-side and sends the result or do other tricks to see if
                                              there's a real browser on the other side of the connection. It's an
                                              arms race, really.

                                              --- Arik
                                            • Tal Kelrich
                                              Message 22 of 22 , May 26 8:49 AM
                                                On Thu, 26 May 2005 18:08:40 +0300
                                                Arik Baratz <arik.baratz@...> wrote:

                                                > Again, we can make it more complicated by (for example) having a
                                                > JavaScript algorithm on the confirm page that performs some action on
                                                > the client-side and sends the result or do other tricks to see if
                                                > there's a real browser on the other side of the connection. It's an
                                                > arms race, really.
                                                >

                                                Better yet, give them a link for "I do not confirm, delete this user
                                                now", should be clearly marked, though


                                                --
                                                Tal Kelrich
                                                PGP fingerprint: 3EDF FCC5 60BB 4729 AB2F CAE6 FEC1 9AAC 12B9 AA69
                                                Key Available at: http://www.hasturkun.com/pub.txt
                                                ----
                                                Noise proves nothing. Often a hen who has merely laid an egg cackles as
                                                if she laid an asteroid. -- Mark Twain
                                                ----
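One way to wire the "I do not confirm" link suggested in the last message, as an added sketch that is not part of the original thread. It assumes a hypothetical `wiki.example` endpoint, a constructed demo secret, and the rule that a reject is final in either order, so a client that fetches every URL in the confirmation mail ends with the account deleted.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

SECRET = b"constructed-demo-secret"      # assumption: a real site loads this from config
BASE = "https://wiki.example/register"   # hypothetical endpoint

def _mac(action, user):
    # The MAC covers the action, so a reject link cannot be rewritten into a confirm.
    return hmac.new(SECRET, f"{action}:{user}".encode(), hashlib.sha256).hexdigest()

class Registrations:
    def __init__(self):
        self.state = {}  # user -> "pending" | "active" | "deleted"

    def sign_up(self, user):
        """Create a pending account and return the two links for the mail body."""
        self.state[user] = "pending"
        return {a: BASE + "?" + urlencode({"a": a, "u": user, "m": _mac(a, user)})
                for a in ("confirm", "reject")}

    def visit(self, url):
        """Handle a followed link; return the account state or "bad-token"."""
        q = parse_qs(urlparse(url).query)
        try:
            action, user, mac = q["a"][0], q["u"][0], q["m"][0]
        except KeyError:
            return "bad-token"
        if action not in ("confirm", "reject") or user not in self.state:
            return "bad-token"
        if not hmac.compare_digest(mac.encode(), _mac(action, user).encode()):
            return "bad-token"
        if action == "reject":
            self.state[user] = "deleted"      # final: wins over an earlier confirm
        elif self.state[user] == "pending":
            self.state[user] = "active"       # a deleted account stays deleted
        return self.state[user]
```

Mail gateways that prefetch links would trigger the reject link as well, which is one more reason for the link to be clearly marked, as the message says.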