Re: CAPTCHA update

From: "Dada Mail" <dada@PROTECTED>
Date: August 11th 2006

On Aug 11, 2006, at 2:50 PM, Mariano Absatz wrote:

  • (most important): I'd do the captcha before sending the subscription e-mail, so that the subscription form can't be abused for mail bombing

Ah, there's another check for that - you can enable Dada to only
allow one confirmation email to be sent at one time. Give it a try on
the other list:

http://mojo.skazat.com/cgi-bin/dada/mail.cgi/list/skazat_design_newsletter/

Should be enabled. If you try a second time, you'll get an error and
you'll have to press a button to get another one sent. It might be a
good idea to replace the "Press this button to get a confirmation
again" with another CAPTCHA challenge/response though.

Anyways, that should stop that (hopefully). I'm hoping that putting
the CAPTCHA step at the very end will make people want to fill out
the challenge/response thing, since they've already done two steps in
the subscription process. I know when I get to CAPTCHA images, I
breathe a little sigh :)

  • I'd do a case-insensitive comparison of the strings; the size changes in the images sometimes make people fail too often (our national NIC uses a case-sensitive captcha for most web forms and I know it's a source of frustration)

I'll think about that; right now, the only letters that can be
lowercase are vowels. Most likely, I'll make the CAPTCHA stuff pretty
darn customizable - most anything that I can pass to the
GD::SecurityImage module, I can have available as a preference. This
includes the text size, the font itself, the background image, the
noise that you see, and I can also have available the numbers/letters
that'll appear in the CAPTCHA image. That's no problem. It'll also
stop anyone from making a CAPTCHA-breaking tool specifically for Dada
Mail (like that's ever going to happen, but you get my drift).

I'm not super blown away by the module, GD::SecurityImage, though; I
may look and see what it would take to make it work a little better.
The problem is that the GD library is somewhat limited in the type of
manipulation you can do - but it's very fast and small. There's also
Image::Magick as an image backend, but it's huge and slow and takes
up many resources. I guess it's a compromise ;)

Since I'm talking about security, I should note two features that are
in the release candidate and available right now:

The first is a global option to disallow list logins and new list
creation logins from any outside sources. This means you can't have a
form outside of Dada Mail to log into Dada Mail. This should fend off
any automated attempts to log into a list.

Another security feature of interest is the ability to set the query
string/path info of the login screen - so, not only can you hide the
administration link, you can hide even the screen itself. For
example, you'll see the login screen for the Dada Mail support site's
Dada Mail is not at:

http://mojo.skazat.com/cgi-bin/dada/mail.cgi/admin

(You'll just get the default screen.)

Coupled to the other two points, it should make it hard for a human
or a computer to figure out how to log into a Dada Mail list
without the right information.

These are good things. It's not like I have a huge amount of reports
of Dada Mail getting hacked, but I'd like to keep it that way ;)

More information:

http://mojo.skazat.com/support/documentation/Config.pm.html#security

Anyways, thanks Mariano for the CAPTCHA suggestion and giving it a
little whirl. It was kinda fun to make ;)
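As an added illustration (example code written for this archive note, not Dada Mail's own code), the two behaviours discussed above in one small Python module: a second subscription request for an address that already has an unanswered confirmation is refused instead of mailing again, the explicit "send it again" step carries its own CAPTCHA check, and the CAPTCHA answer is compared case-insensitively. The class and function names, the 24-hour pending window and the in-memory outbox are assumptions made for the example.

```python
import hmac
import secrets
import time

# Glyph set without look-alikes (0/O, 1/I/l), upper case only; the comparison
# below normalises whatever case the subscriber typed.
CAPTCHA_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"

# Hypothetical window during which an unanswered confirmation blocks further
# automatic sends to the same address.
PENDING_TTL_SECONDS = 24 * 3600


def new_challenge(length=6):
    """Text to render into the CAPTCHA image; the server keeps it in the session."""
    return "".join(secrets.choice(CAPTCHA_ALPHABET) for _ in range(length))


def captcha_matches(expected, answer):
    """Case-insensitive, constant-time comparison of the CAPTCHA answer."""
    a = expected.strip().upper().encode()
    b = answer.strip().upper().encode()
    return hmac.compare_digest(a, b)


class SubscriptionGate:
    """Holds at most one outstanding confirmation per address (example class)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}   # address -> {"token": str, "sent_at": float}
        self.outbox = []    # constructed stand-in for the mail transport

    def _send_confirmation(self, address):
        token = secrets.token_urlsafe(16)
        self.pending[address] = {"token": token, "sent_at": self.clock()}
        self.outbox.append({"to": address, "token": token})
        return "sent"

    def _has_live_pending(self, address):
        entry = self.pending.get(address)
        return entry is not None and self.clock() - entry["sent_at"] < PENDING_TTL_SECONDS

    def request(self, address, expected, answer):
        """Subscription form handler: CAPTCHA first, then the one-at-a-time rule."""
        address = address.strip().lower()
        if not captcha_matches(expected, answer):
            return "captcha_failed"
        if self._has_live_pending(address):
            # A confirmation is already out for this address: refuse rather
            # than let repeated form posts turn into repeated emails.
            return "confirmation_already_pending"
        return self._send_confirmation(address)

    def resend(self, address, expected, answer):
        """The explicit 'send it again' step, itself gated by a fresh CAPTCHA."""
        address = address.strip().lower()
        if not captcha_matches(expected, answer):
            return "captcha_failed"
        if address not in self.pending:
            return "nothing_pending"
        return self._send_confirmation(address)

    def confirm(self, address, token):
        """Closes the loop; the address may be subscribed once this returns True."""
        address = address.strip().lower()
        entry = self.pending.get(address)
        if entry is None or not hmac.compare_digest(entry["token"].encode(), token.encode()):
            return False
        del self.pending[address]
        return True


if __name__ == "__main__":
    gate = SubscriptionGate()
    challenge = new_challenge()
    print(gate.request("someone@example.com", challenge, challenge.lower()))  # sent
    print(gate.request("someone@example.com", challenge, challenge.lower()))  # confirmation_already_pending
```

The resend path is the one the message suggests protecting with a second challenge/response: without it, the "send it again" button is just the original form with one extra click.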

  • This mailing list is a public mailing list - anyone may join or leave, at any time.
  • This mailing list is a group discussion list (unmoderated)
  • Start a new thread, email: dadadev@dadamailproject.com

This is the developer discussion mailing list for Dada Mail.

If you are just looking for support for Dada Mail, consult the message boards at:

https://forum.dadamailproject.com

Documentation for Dada Mail:

https://dadamailproject.com/d

Specifically, see the Error FAQ:

https://dadamailproject.com/d/FAQ-errors.pod.html

To post to this list, send a message to:

mailto:dadadev@dadamailproject.com

All subscribers of this list may post to the list itself.

Topics that are welcome:

  • Constructive critiques on the program (I like, "x", but, "y" needs some work - here's an idea on how to make this better...)
  • Bug/Error reports
  • Bug fixes
  • Request For Comments on any changes to the program
  • Help customizing Dada Mail for your own needs
  • Patches
  • Language Translations
  • Support Documentation/Doc editing, FAQ's, etc.
  • Discussion of any changes that you would like to be committed to the next version of Dada Mail -

Dada Mail is on Github:

https://github.com/justingit/dada-mail/

If you would like to fork, branch, send over PRs, open up issues, etc.

Privacy Policy:

This Privacy Policy is for this mailing list, and this mailing list only.

Email addresses collected through this mailing list are used explicitly to work within this email discussion list.

We only collect email addresses through our Closed-Loop Opt-In system.

We don't use your email address for any other purpose.

We won't be sharing your email address with any other entity.

Unsubscription can be done at any time. Please contact us at: justin@dadamailproject.com for any help regarding your subscription, including removal from the mailing list.

All mailing list messages sent from us will include a subscription removal link, which will allow you to remove yourself from this mailing list automatically, and permanently.

All consent to use your email address for any other purpose stated at the time of the mailing list subscription will also be revoked upon mailing list removal.