Hiding the "subscribe without creating an account"
Hi Folks,
My Mailman3 installation is receiving a trickle of fake registrations, for which it then attempts to send a "Your confirmation is needed to join..." email, which typically bounce.
I suspect these are coming from the "subscribe without creating an account" form on the list summary page. I notice that lists.mailman3.org doesn't show this form at all - you have to create an account to subscribe:
https://lists.mailman3.org/mailman3/lists/mailman-users.mailman3.org/
compared to mine with:
https://lists.softwarefreedom.com.au/postorius/lists/free-software-melb.list...
Is there a configuration option that does this, or was it a custom change made in the templates? Was the change made to reduce fake registrations? Did it work?
Regards, Ben
-- Ben Sturmfels
Sturm Software Engineering www.sturm.com.au +61 3 9024 2467
On 7/10/24 7:36 PM, Ben Sturmfels via Mailman-users wrote:
> Is there a configuration option that does this, or was it a custom change made in the templates? Was the change made to reduce fake registrations? Did it work?
It was added in Postorius 1.3.9. See the UI section at https://docs.mailman3.org/projects/postorius/en/latest/news.html#news-1-3-9
Yes, the change was made in an attempt to reduce fake registrations.
We haven't really studied its effectiveness. It seems to help somewhat, but it also seems that bots may already have a template to POST so removing it from the UI is not a complete solution.
There is also a lot of email to innocent third parties and non-existent addresses from attempts to register them for an account.
--
Mark Sapiro <mark@msapiro.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
On 13/07/2024 07:17, Mark Sapiro wrote:
> On 7/10/24 7:36 PM, Ben Sturmfels via Mailman-users wrote:
>> Is there a configuration option that does this, or was it a custom change made in the templates? Was the change made to reduce fake registrations? Did it work?
> It was added in Postorius 1.3.9. See the UI section at https://docs.mailman3.org/projects/postorius/en/latest/news.html#news-1-3-9
> Yes, the change was made in an attempt to reduce fake registrations.
> We haven't really studied its effectiveness. It seems to help somewhat, but it also seems that bots may already have a template to POST so removing it from the UI is not a complete solution.
They would be missing the CSRF token (a hidden field on the anonymous signup form) so this ought to fail.
> There is also a lot of email to innocent third parties and non-existent addresses from attempts to register them for an account.
There are patches to integrate a Captcha system here: https://gitlab.com/mailman/django-mailman3/-/issues/33
I think it's needed, as less than 24 hours after migrating to Mailman 3 I already see bots retrieving the signup form to get the CSRF token (GET /accounts/signup/?next=/postorius/lists/) then POSTing the request for a new user account (POST /accounts/signup/).
There's also the setting ACCOUNT_EMAIL_UNKNOWN_ACCOUNTS = False, which prevents spam from the "forgot password" address, see https://gitlab.com/mailman/postorius/-/issues/591
--
Matt
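The GET-then-POST signup pattern Matthew describes is easy to spot in the web server access log before deciding whether a Captcha is warranted. The following is an added example, not code from the thread or from Mailman/Postorius: it assumes the front-end web server writes Apache/nginx "combined" format logs, that Django answers a POST without a valid CSRF token with HTTP 403, and a constructed 10-second threshold below which a GET/POST pair is unlikely to be a human filling in the form. The log lines are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [13/Jul/2024:07:20:01 +0000] "GET /accounts/signup/?next=/postorius/lists/ HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.5 - - [13/Jul/2024:07:20:02 +0000] "POST /accounts/signup/ HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.7 - - [13/Jul/2024:07:21:10 +0000] "POST /accounts/signup/ HTTP/1.1" 403 2048 "-" "curl/8.0"
192.0.2.9 - - [13/Jul/2024:07:25:00 +0000] "GET /accounts/signup/?next=/postorius/lists/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [13/Jul/2024:07:26:30 +0000] "POST /accounts/signup/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
SIGNUP = "/accounts/signup/"
FAST_SECONDS = 10  # assumed threshold: a person rarely submits the signup form this quickly

def parse(log_text):
    """Yield (ip, timestamp, method, path-without-query, status) for each parsable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])

def suspicious_signups(log_text, fast_seconds=FAST_SECONDS):
    """Return {ip: {"fast_get_post": n, "csrf_rejected": n}} for signup activity worth a look."""
    last_get = {}  # most recent GET of the signup form per client address
    report = defaultdict(lambda: {"fast_get_post": 0, "csrf_rejected": 0})
    for ip, ts, method, path, status in parse(log_text):
        if path != SIGNUP:
            continue
        if method == "GET":
            last_get[ip] = ts
        elif method == "POST":
            if status == 403:  # Django rejects a POST lacking a valid CSRF token with 403
                report[ip]["csrf_rejected"] += 1
            elif ip in last_get and (ts - last_get[ip]).total_seconds() <= fast_seconds:
                report[ip]["fast_get_post"] += 1  # fetched the token, then posted within seconds
    return dict(report)

if __name__ == "__main__":
    for ip, counts in suspicious_signups(SAMPLE_LOG).items():
        print(ip, counts)
```

Only clients that either tripped the CSRF check or completed the form faster than the threshold appear in the result; the 90-second human-paced pair is left out.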
On 13/07/2024 07:17, Mark Sapiro wrote:
> On 7/10/24 7:36 PM, Ben Sturmfels via Mailman-users wrote:
>> Is there a configuration option that does this, or was it a custom change made in the templates? Was the change made to reduce fake registrations? Did it work?
> It was added in Postorius 1.3.9. See the UI section at https://docs.mailman3.org/projects/postorius/en/latest/news.html#news-1-3-9
> Yes, the change was made in an attempt to reduce fake registrations.
Thanks very much for the prompt advice Mark and Matthew! Really appreciate it.
I'm currently running Postorius 1.3.8 (Debian Stable/Bookworm), so will look at upgrading and applying the settings you suggested.
Regards, Ben
participants (3)
- Ben Sturmfels
- Mark Sapiro
- Matthew Blissett