Franklin Weng writes:
I really have no idea how the robots find my system since I haven't told anyone the ip or URL of my mailman instance. And, they're registering on the system, not the mailing list since I have only one list for testing now and it wasn't assaulted by spam yet.
The bots just check every domain on the internet for the /mailman3 and /postorius paths.
- just let users join from email (lists-join@lists.url) instead of registering on the mailman instance? or
What I do is open up the firewall only to ips I have legit users at. You probably can't do that, but if you can, it's quite effective.
You could restrict it to email-only subscription in one of the following ways, but the bots have known how to do that since the 90s, and the only control you have is to require moderator approval. Requiring address verification doesn't help much, the bots have been doing that almost as long.
You can disable the administrative UI entirely, by removing the entries for mailman3 and postorius from the top-level urls.py.
You can edit the template for the list information to remove the subscription form.
- use a scheme like CAPTCHA to reduce the successful opportunity of robot registering?
I think somebody has implemented CAPTCHA for Mailman 3. Search the archives of this list.
But the bots also know how to solve CAPTCHAs, and for some CAPTCHAs they were faster and more accurate than humans. Unless your users expect instant membership, or you expect an awful lot of subscriptions, I would just let subscriptions accumulate for a day or two and then discard them all.
You can also write a script to figure out the IPs and ban those hosts at the firewall.
Steve
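An added example of the kind of script Steve mentions, not code from the Mailman project or anyone on this thread: it reads web-server access-log lines, counts POSTs to the signup and anonymous-subscribe endpoints per source IP, and emits nftables commands for the hosts above a threshold. The endpoint paths and the nftables set name are assumptions; adjust them to what your urls.py actually exposes.

```python
import re
from collections import Counter

# Constructed sample access-log lines in Combined Log Format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2024:12:00:01 +0000] "POST /accounts/signup/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [10/May/2024:12:00:03 +0000] "POST /accounts/signup/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [10/May/2024:12:00:05 +0000] "POST /accounts/signup/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:12:01:00 +0000] "GET /postorius/lists/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:12:01:30 +0000] "POST /postorius/lists/test.lists.example/anonymous_subscribe HTTP/1.1" 302 0 "-" "curl/8.0"
192.0.2.44 - - [10/May/2024:12:02:00 +0000] "POST /accounts/signup/ HTTP/1.1" 302 0 "-" "python-requests/2.31"
192.0.2.44 - - [10/May/2024:12:02:01 +0000] "POST /mailman3/lists/test.lists.example/anonymous_subscribe HTTP/1.1" 302 0 "-" "python-requests/2.31"
192.0.2.44 - - [10/May/2024:12:02:02 +0000] "POST /accounts/signup/ HTTP/1.1" 302 0 "-" "python-requests/2.31"
"""

# Combined Log Format: client IP, ident, user, [timestamp], "METHOD PATH PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed signup/subscribe endpoints under the /mailman3 and /postorius prefixes
# discussed in the thread; verify against your own urls.py before relying on them.
SIGNUP_PATHS = re.compile(
    r'^/(accounts/signup/|(mailman3|postorius)/lists/[^/]+/anonymous_subscribe)'
)


def count_signup_posts(log_text):
    """Return a Counter of source IP -> number of POSTs to signup/subscribe endpoints."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group('method') != 'POST':
            continue  # GETs (page views) are not registration attempts
        if SIGNUP_PATHS.match(m.group('path')):
            counts[m.group('ip')] += 1
    return counts


def offending_ips(log_text, threshold=3):
    """IPs that submitted at least `threshold` registration POSTs, sorted for stable output."""
    return sorted(ip for ip, n in count_signup_posts(log_text).items() if n >= threshold)


def nft_ban_commands(ips, set_name='mailman_bots'):
    """Build nft commands adding each IP to an existing set (assumed: a set named
    `mailman_bots` of type ipv4_addr in table inet filter, referenced by a drop rule)."""
    return [f'nft add element inet filter {set_name} {{ {ip} }}' for ip in ips]


if __name__ == '__main__':
    for cmd in nft_ban_commands(offending_ips(SAMPLE_LOG)):
        print(cmd)
```

Pipe your real access log into `count_signup_posts` and review the list before applying the commands, since shared NAT addresses can put legitimate users behind the same IP as a bot.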