Steve, Thanks for the response. I put "HYPERKITTY_ALLOW_WEB_POSTING = False" in and that has worked as intended.
Sorry I wasn't more clear in my previous e-mail. I was trying to say that Django-recaptcha might be a good way to gate the signups, but it looked like mailman code would have to be changed to work with django-recaptcha. But it seems not effective enough to be worth pursuing.
For now, maybe disabling posting via hyperkitty will be enough. Any
SPAM sent in from other sources will be subject to scanning.
- Matt Alberti
-----Original Message-----
From: Stephen J. Turnbull <stephenjturnbull@gmail.com>
Sent: Thursday, August 26, 2021 1:36 PM
To: matthew@alberti.us
Cc: mailman-users@mailman3.org
Subject: [MM3-users] Unwanted E-mail to Maillists Submitted via Postorius Interface
matthew@alberti.us writes:
> I’ve seen a recent uptick in SPAM messages making it into
> mailing lists. Looking at the raw, it seems that the e-mails are being
> submitted thru the Postorius/Hyperkitty “Start a New Thread”
> interface. Is there a way to turn that off?
I think this is HyperKitty only. Postorius doesn't know anything about posting or distributing posts.
You can disable web posting by setting
HYPERKITTY_ALLOW_WEB_POSTING = False
(as above, no quotation marks etc) in settings.py. I don't know much about HyperKitty, so I'm not sure where that file lives in your installation.
> Part of the problem is that our anti-spam system RSPAMD trusts the
> mailman-web IP… so it doesn’t scan things originating from
> there.. ☹
You know your organizational constraints, but it's a bad idea to trust any web-facing application that can send email to be responsible about it. :-(
> Another question: Is there a way to implement captcha, or is
> there a recommended gate that can be put in the signup process?
Here's the most recent technical discussion I can find.
Archived-At: <https://lists.mailman3.org/archives/list/mailman-users@mailman3.org/message/RSZLMKPASCTKFY63RKGPGNCVVPAB5C4M/>
However, it turns out that bots are almost as good at solving captchas as humans, and they can retry a lot faster. Captchas are also really horrible from an accessibility perspective.
> Apparently bots are finding a way thru the signup process, and then
> sending messages to the list via the Postorius web interface. There
> seems to be a Django plugin for it; but it appears the Mailman code
> would have to be adjusted to implement it.
I don't think so, because Mailman (that is, HyperKitty and Postorius) delegate authentication to Django. Why do you think Mailman code needs to be adjusted?
Steve