matthew@alberti.us writes:
I’ve seen a recent uptick in SPAM messages making it into
mailing lists. Looking at the raw, it seems that the e-mails are being submitted thru the Postorius/Hyperkitty “Start a New Thread” interface. Is there a way to turn that off?
I think this is HyperKitty only. Postorius doesn't know anything about posting or distributing posts.
You can disable web posting by setting
HYPERKITTY_ALLOW_WEB_POSTING = False
(as above, no quotation marks etc) in settings.py. I don't know much about HyperKitty, so I'm not sure where that file lives in your installation.
Part of the problem is that our anti-spam system RSPAMD trusts the mailman-web IP… so it doesn’t scan things originating from there..
You know your organizational constraints, but it's a bad idea to trust any web-facing application that can send email to be responsible about it. :-(
Another question: Is there a way to implement captcha, or is
there a recommended gate that can be put in the signup process?
Here's the most recent technical discussion I can find.
Archived-At: <https://lists.mailman3.org/archives/list/mailman-users@mailman3.org/message/RSZLMKPASCTKFY63RKGPGNCVVPAB5C4M/>
However, it turns out that bots are almost as good at solving captchas as humans, and they can retry a lot faster. Captchas are also really horrible from an accessibility perspective.
Apparently bots are finding a way thru the signup process, and then sending messages to the list via the Postorius web interface. There seems to be a Django plugin for it; but it appears the Mailman code would have to be adjusted to implement it.
I don't think so, because Mailman (that is, HyperKitty and Postorius) delegate authentication to Django. Why do you think Mailman code needs to be adjusted?
Steve
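
The check described above as "looking at the raw", written out as an added example that is not part of the thread and is not Mailman or HyperKitty code: it reads the earliest Received hop of a raw message and reports whether the message entered the mail system from the web host, which is the traffic a filter that trusts that IP never scans. The address 192.0.2.10, the host names, the function names and both sample messages are constructed assumptions.

```python
import email
import ipaddress
import re

# Assumption: the address of the mailman-web host that the spam filter trusts.
WEB_APP_NETS = [ipaddress.ip_network("192.0.2.10/32")]

BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def origin_ip(raw):
    """Source IP recorded by the earliest Received hop that names one, else None."""
    msg = email.message_from_bytes(raw)
    # Received headers are prepended, so the last one in the list is the first hop.
    for hop in reversed(msg.get_all("Received") or []):
        text = " ".join(str(hop).split())  # unfold continuation lines
        sender_part = re.split(r" by ", text, maxsplit=1)[0]
        match = BRACKETED_IP.search(sender_part)
        if match:
            try:
                return ipaddress.ip_address(match.group(1))
            except ValueError:
                continue  # bracketed text was not a valid address
    return None


def submitted_via_web_app(raw, nets=WEB_APP_NETS):
    """True when the message entered the mail system from the web host."""
    ip = origin_ip(raw)
    return ip is not None and any(ip in net for net in nets)


# Constructed sample messages (not taken from the thread).
WEB_POST = (
    b"Received: from mailman-web.example.org (mailman-web.example.org [192.0.2.10])\r\n"
    b"\tby mx.example.org with ESMTP id AAA111; Mon, 1 Jan 2024 00:00:00 +0000\r\n"
    b"From: someone@example.com\r\nSubject: web post\r\n\r\nbody\r\n"
)
EXTERNAL = (
    b"Received: from relay.example.net (relay.example.net [198.51.100.7])\r\n"
    b"\tby mx.example.org with ESMTP id BBB222; Mon, 1 Jan 2024 00:00:00 +0000\r\n"
    b"Received: from [203.0.113.5] (client.example.net [203.0.113.5])\r\n"
    b"\tby relay.example.net with ESMTPSA id CCC333; Mon, 1 Jan 2024 00:00:00 +0000\r\n"
    b"From: someone@example.net\r\nSubject: ordinary post\r\n\r\nbody\r\n"
)

if __name__ == "__main__":
    for name, raw in (("web post", WEB_POST), ("external", EXTERNAL)):
        print(name, origin_ip(raw), submitted_via_web_app(raw))
```

Run over the raw messages held for a list, this gives a count of how much traffic is bypassing the filter because of the trusted-IP rule.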