On 13/07/2024 07:17, Mark Sapiro wrote:
On 7/10/24 7:36 PM, Ben Sturmfels via Mailman-users wrote:
Is there a configuration option that does this, or was it a custom change made in the templates? Was the change made to reduce fake registrations? Did it work?
It was added in Postorius 1.3.9. See the UI section at https://docs.mailman3.org/projects/postorius/en/latest/news.html#news-1-3-9
Yes, the change was made in an attempt to reduce fake registrations.
We haven't really studied its effectiveness. It seems to help somewhat, but it also seems that bots may already have a template to POST so removing it from the UI is not a complete solution.
They would be missing the CSRF token (a hidden field on the anonymous signup form) so this ought to fail.
There is also a lot of email to innocent third parties and non-existent addresses from attempts to register them for an account.
There are patches to integrate a Captcha system here: https://gitlab.com/mailman/django-mailman3/-/issues/33
I think it's needed, as less than 24 hours after migrating to Mailman 3 I already see bots retrieving the signup form to get the CSRF token (GET /accounts/signup/?next=/postorius/lists/) then POSTing the request for a new user account (POST /accounts/signup/).
There's also the setting ACCOUNT_EMAIL_UNKNOWN_ACCOUNTS = False, which prevents spam from the "forgot password" address, see https://gitlab.com/mailman/postorius/-/issues/591
--
Matt
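The GET-then-POST pattern Matt describes (fetch /accounts/signup/ to harvest the CSRF token, then submit it) is easy to pick out of an ordinary web-server access log, which is useful for confirming the problem before adding a captcha. The script below is an added example, not part of this thread or of Mailman, Postorius or django-allauth. It parses combined-format log lines (the lines in SAMPLE_LOG are constructed for the example), flags clients that POST the signup form within a few seconds of fetching it, and separately counts signup POSTs that came back 403, which is what Django returns to a POST that lacks a valid CSRF token. The ten-second window, the signup path and the 403 interpretation are assumptions to adjust for a real deployment.

```python
"""
Detect scripted account signups in a web-server access log.

Added example (not from the mailing-list thread or the Mailman project).
Assumptions: combined log format, signup URL /accounts/signup/, and that a
form submitted within 10 seconds of being fetched is scripted.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip - - [time] "METHOD path HTTP/x" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
SIGNUP_PATH = "/accounts/signup/"   # allauth signup URL, as seen in the thread

# Constructed sample log: one scripted client, one human, one tokenless POST.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Jul/2024:08:01:10 +0000] "GET /accounts/signup/?next=/postorius/lists/ HTTP/1.1" 200 5120 "-" "python-requests/2.31"',
    '203.0.113.7 - - [14/Jul/2024:08:01:12 +0000] "POST /accounts/signup/ HTTP/1.1" 302 0 "-" "python-requests/2.31"',
    '203.0.113.7 - - [14/Jul/2024:08:01:40 +0000] "GET /accounts/signup/?next=/postorius/lists/ HTTP/1.1" 200 5120 "-" "python-requests/2.31"',
    '203.0.113.7 - - [14/Jul/2024:08:01:41 +0000] "POST /accounts/signup/ HTTP/1.1" 302 0 "-" "python-requests/2.31"',
    '198.51.100.23 - - [14/Jul/2024:08:05:00 +0000] "GET /postorius/lists/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [14/Jul/2024:08:05:30 +0000] "GET /accounts/signup/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [14/Jul/2024:08:07:45 +0000] "POST /accounts/signup/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.99 - - [14/Jul/2024:08:09:00 +0000] "POST /accounts/signup/ HTTP/1.1" 403 2300 "-" "curl/8.4"',
]


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["time"], TIME_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop ?next=... so both forms match
        "status": int(m["status"]),
    }


def find_scripted_signups(lines, max_gap=timedelta(seconds=10)):
    """Map client IP -> number of signup POSTs made within max_gap of that
    client's most recent GET of the form. A script harvests the CSRF token and
    submits immediately; a person filling in the form takes longer."""
    last_get = {}
    hits = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != SIGNUP_PATH:
            continue
        if rec["method"] == "GET":
            last_get[rec["ip"]] = rec["time"]
        elif rec["method"] == "POST":
            t_get = last_get.get(rec["ip"])
            if t_get is not None and timedelta(0) <= rec["time"] - t_get <= max_gap:
                hits[rec["ip"]] += 1
    return dict(hits)


def csrf_rejected_posts(lines):
    """Map client IP -> signup POSTs answered with 403, the status Django's
    CsrfViewMiddleware gives a POST with no valid token (a 403 can have other
    causes, so treat this as a hint, not proof)."""
    out = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if (rec is not None and rec["method"] == "POST"
                and rec["path"] == SIGNUP_PATH and rec["status"] == 403):
            out[rec["ip"]] += 1
    return dict(out)


if __name__ == "__main__":
    print("scripted GET->POST signups:", find_scripted_signups(SAMPLE_LOG))
    print("tokenless (403) signup POSTs:", csrf_rejected_posts(SAMPLE_LOG))
```

On the sample data the python-requests client is flagged twice, the Mozilla client (over two minutes between fetch and submit) is not, and the curl client shows up only in the 403 count. To run it against a real server, replace SAMPLE_LOG with the lines of the access log and tune max_gap to the form's real fill-in time.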