Hello, is there a opportunity to avoid django fake users? Because of it is not stopping, further and further fake users are subscribing. Would be nice to have a possibility to stop this.
Hi,
Mark got a script together a few weeks ago which deletes the non-active users which I am in the process of getting together as a Cron job to fix this issue. I would be interested in any ways of avoiding the problem if possible in the first place but suspect there isn't an easy answer.
Andrew.
-----Original Message----- From: r.woithe@callassoftware.com <r.woithe@callassoftware.com> Sent: 13 January 2021 12:55 To: mailman-users@mailman3.org Subject: [MM3-users] django fake users
Hello, is there a opportunity to avoid django fake users? Because of it is not stopping, further and further fake users are subscribing. Would be nice to have a possibility to stop this.
Mailman-users mailing list -- mailman-users@mailman3.org To unsubscribe send an email to mailman-users-leave@mailman3.org https://lists.mailman3.org/mailman3/lists/mailman-users.mailman3.org/
On 1/13/21 5:45 AM, Andrew Hodgson wrote:
Hi,
Mark got a script together a few weeks ago which deletes the non-active users which I am in the process of getting together as a Cron job to fix this issue.
See <https://lists.mailman3.org/archives/list/mailman-users@mailman3.org/message/...> for the post containing the script attachment.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
r.woithe@callassoftware.com writes:
is there a opportunity to avoid django fake users? Because of it is not stopping, further and further fake users are subscribing.
Require moderator approval for subscribing.
It may be possible to do something automatic, but you need to explain how you know these users are "fake", and it has to be something that can easily be detected with a few lines of Python. If it becomes at all complex, it will almost surely make trouble for "real" subscribers.
Steve
Stephen J. Turnbull wrote:
r.woithe@callassoftware.com writes:
is there a opportunity to avoid django fake users? Because of it is not stopping, further and further fake users are > subscribing.
Require moderator approval for subscribing.
I don't think this would help the issue. What I am seeing here is users signing up through Postorius using the sign up option which then creates an account in Django (but not Mailman). Yesterday alone I had over 700 of these accounts created. I don't know whether they pass email confirmation or not (I don't see this in Django admin), however they don't get added as users in Mailman and they don't attempt to subscribe to any list.
It may be possible to do something automatic, but you need to explain how you know these users are "fake", and it has to be something that can easily be detected with a few lines of Python. If it becomes at all complex, it will almost surely make trouble for "real" subscribers.
I agree, this is why I am taking the route of running a regular Cron job to delete the users as explained earlier.
Andrew.
Hello,
yes we talk about django users who are not subscribing to any list only to the django user managment.
Automatically removing this users like described above with a cron job is a good idea, but i would more like to avoid this users.
Obvious this users are created by a bot, would it not be helpfully to use any kind of captcha?
Am 17.01.21 um 12:24 schrieb Andrew Hodgson:
Stephen J. Turnbull wrote:
r.woithe@callassoftware.com writes:
is there a opportunity to avoid django fake users? Because of it is not stopping, further and further fake users are > subscribing. Require moderator approval for subscribing. I don't think this would help the issue. What I am seeing here is users signing up through Postorius using the sign up option which then creates an account in Django (but not Mailman). Yesterday alone I had over 700 of these accounts created. I don't know whether they pass email confirmation or not (I don't see this in Django admin), however they don't get added as users in Mailman and they don't attempt to subscribe to any list.
It may be possible to do something automatic, but you need to explain how you know these users are "fake", and it has to be something that can easily be detected with a few lines of Python. If it becomes at all complex, it will almost surely make trouble for "real" subscribers. I agree, this is why I am taking the route of running a regular Cron job to delete the users as explained earlier.
Andrew.
roberto writes:
yes we talk about django users who are not subscribing to any list only to the django user managment.
OK, thanks.
Automatically removing this users like described above with a cron job is a good idea, but i would more like to avoid this users.
Obvious this users are created by a bot, would it not be helpfully to use any kind of captcha?
I don't know ... last I checked the smarter bots were better at solving captchas than real users are. I guess we could put in a hook, so you could add one if you like, but I'd be against maintaining the captcha itself in Mailman. I think it's redundant when we could address this particular bot automatically in Mailman (see my response to Andrew).
Captchas are also anything but accessible. We periodically make efforts at accessibility, but we're not very good at the moment from what I'm hearing. I wouldn't want to add a feature that makes things worse.
That's not a definite no, but it's fair to let you know my default position on them.
On 1/17/21 6:24 AM, Andrew Hodgson wrote:
I don't think this would help the issue. What I am seeing here is users signing up through Postorius using the sign up option which then creates an account in Django (but not Mailman). Yesterday alone I had over 700 of these accounts created. I don't know whether they pass email confirmation or not (I don't see this in Django admin), however they don't get added as users in Mailman and they don't attempt to subscribe to any list.
You can select "Email Addresses" in Django. On the "Email Addresses" page, select No under the By verified heading in the FILTER box. There you should see a list of unverified email/users.
-- Brian Carpenter Harmonylists.com Emwd.com
Brian Carpenter wrote:
On 1/17/21 6:24 AM, Andrew Hodgson wrote:
I don't think this would help the issue. What I am seeing here is users signing up through Postorius using the sign up option which then creates an account in Django (but not Mailman). Yesterday alone I had over 700 of these accounts created. I don't know whether they pass email confirmation or not (I don't see this in Django admin), however they don't get added as users in Mailman and they don't attempt to subscribe to any list.
You can select "Email Addresses" in Django. On the "Email Addresses" page, select No under the By verified heading in the FILTER box. There you should see a list of unverified email/users.
Thanks for that, was looking in the wrong place. The fake accounts currently in my system aren't actually being verified as I kind of expected.
Andrew.
Andrew Hodgson writes:
Require moderator approval for subscribing.
I don't think this would help the issue. What I am seeing here is users signing up through Postorius using the sign up option which then creates an account in Django (but not Mailman).
Ah, so "fake" == "account in Django but no user in Mailman"?
I don't have time to look at it, so take this with a grain of salt, but I don't think they are passing the email confirmation. If they were, they would show up in Mailman.
I don't know whether they pass email confirmation or not (I don't see this in Django admin), however they don't get added as users in Mailman and they don't attempt to subscribe to any list.
I think this would be simple enough to deal with (not trivial, so I'm not making any promises except to try adding it to the GSoC ideas page -- that should be enough to clarify whether there are any "annoyance to 'real' users" issues, and we move forward from there if there aren't). Basically, Postorius should notify Mailman that there is a *pending* user in Django, and if there's no confirmation by a deadline, remove that user. This requires a bunch of infrastructure like a table of "pending" users, callbacks for the deletion, etc, but I don't see why it would be conceptually difficult. (This combination is why I think it would be a good GSoC task)
Steve
Stephen J. Turnbull wrote:
Andrew Hodgson writes:
Require moderator approval for subscribing.
I don't think this would help the issue. What I am seeing here is > users signing up through Postorius using the sign up option which > then creates an account in Django (but not Mailman).
Ah, so "fake" == "account in Django but no user in Mailman"?
Yes.
I don't have time to look at it, so take this with a grain of salt, but I don't think they are passing the email confirmation. If they were, they would show up in Mailman.
Actually I did confirm the same to this list later on, the accounts are indeed not passing email confirmation.
I think this would be simple enough to deal with (not trivial, so I'm not making any promises except to try adding it to the GSoC ideas page -- that should be enough to clarify whether there are any "annoyance to 'real' users" issues, and we move forward from there if there aren't). Basically, Postorius should notify Mailman that there is a *pending* user in Django, and if there's no confirmation by a deadline, remove that user. This requires a bunch of infrastructure like a table of "pending" users, callbacks for the deletion, etc, but I don't see why it would be conceptually difficult. (This combination is why I think it would be a good GSoC task)
Sure. I would rather go this route rather than use captchas at this stage, though right now my Cron job running once a week is sufficient.
Thanks. Andrew.
participants (6)
-
Andrew Hodgson
-
Brian Carpenter
-
Mark Sapiro
-
r.woithe@callassoftware.com
-
roberto
-
Stephen J. Turnbull