Unwanted E-mail to Maillists Submitted via Postorius Interface
Hi Everyone,
I’ve seen a recent uptick in SPAM messages making it into mailing lists. Looking at the raw, it seems that the e-mails are being submitted through the Postorius/Hyperkitty “Start a New Thread” interface. Is there a way to turn that off? We would want people to only be able to post via e-mail. Part of the problem is that our anti-spam system RSPAMD trusts the mailman-web IP… so it doesn’t scan things originating from there... ☹
Another question: Is there a way to implement captcha, or is there a recommended gate that can be put in the signup process? Apparently bots are finding a way through the signup process, and then sending messages to the list via the Postorius web interface. There seems to be a Django plugin for it; but it appears the Mailman code would have to be adjusted to implement it.
I’m open to any suggestions, including on places to check for misconfiguration. 😊
Thanks.
- Matt Alberti
Well, I actually received what appears to be a SPAM response to my original email post. No joke. If mods want a copy of it, let me know.
Matt Alberti
On Aug 25, 2021, 7:43 PM, matthew@alberti.us wrote:
> Hi Everyone,
> I’ve seen a recent uptick in SPAM messages making it into mailing lists. Looking at the raw, it seems that the e-mails are being submitted through the Postorius/Hyperkitty “Start a New Thread” interface. Is there a way to turn that off? We would want people to only be able to post via e-mail. Part of the problem is that our anti-spam system RSPAMD trusts the mailman-web IP… so it doesn’t scan things originating from there... ☹
> Another question: Is there a way to implement captcha, or is there a recommended gate that can be put in the signup process? Apparently bots are finding a way through the signup process, and then sending messages to the list via the Postorius web interface. There seems to be a Django plugin for it; but it appears the Mailman code would have to be adjusted to implement it.
> I’m open to any suggestions, including on places to check for misconfiguration. 😊
> Thanks.
> - Matt Alberti
matthew@alberti.us writes:
> I’ve seen a recent uptick in SPAM messages making it into mailing lists. Looking at the raw, it seems that the e-mails are being submitted through the Postorius/Hyperkitty “Start a New Thread” interface. Is there a way to turn that off?
I think this is HyperKitty only. Postorius doesn't know anything about posting or distributing posts.
You can disable web posting by setting
HYPERKITTY_ALLOW_WEB_POSTING = False
(as above, no quotation marks etc) in settings.py. I don't know much about HyperKitty, so I'm not sure where that file lives in your installation.
> Part of the problem is that our anti-spam system RSPAMD trusts the mailman-web IP… so it doesn’t scan things originating from there... ☹
You know your organizational constraints, but it's a bad idea to trust any web-facing application that can send email to be responsible about it. :-(
> Another question: Is there a way to implement captcha, or is there a recommended gate that can be put in the signup process?
Here's the most recent technical discussion I can find.
Archived-At: <https://lists.mailman3.org/archives/list/mailman-users@mailman3.org/message/RSZLMKPASCTKFY63RKGPGNCVVPAB5C4M/>
However, it turns out that bots are almost as good at solving captchas as humans, and they can retry a lot faster. Captchas are also really horrible from an accessibility perspective.
> Apparently bots are finding a way through the signup process, and then sending messages to the list via the Postorius web interface. There seems to be a Django plugin for it; but it appears the Mailman code would have to be adjusted to implement it.
I don't think so, because Mailman (that is, HyperKitty and Postorius) delegate authentication to Django. Why do you think Mailman code needs to be adjusted?
Steve
Steve, thanks for the response. I put "HYPERKITTY_ALLOW_WEB_POSTING = False" in and that has worked as intended.
Sorry I wasn't more clear in my previous e-mail. I was trying to say that django-recaptcha might be a good way to gate the signups, but it looked like Mailman code would have to be changed to work with django-recaptcha. But it seems not effective enough to be worth pursuing.
For now, maybe disabling posting via HyperKitty will be enough. Any SPAM sent in from other sources will be subject to scanning.
- Matt Alberti
-----Original Message-----
From: Stephen J. Turnbull <stephenjturnbull@gmail.com>
Sent: Thursday, August 26, 2021 1:36 PM
To: matthew@alberti.us
Cc: mailman-users@mailman3.org
Subject: [MM3-users] Unwanted E-mail to Maillists Submitted via Postorius Interface
> matthew@alberti.us writes:
> > I’ve seen a recent uptick in SPAM messages making it into mailing lists. Looking at the raw, it seems that the e-mails are being submitted through the Postorius/Hyperkitty “Start a New Thread” interface. Is there a way to turn that off?
> I think this is HyperKitty only. Postorius doesn't know anything about posting or distributing posts.
> You can disable web posting by setting
> HYPERKITTY_ALLOW_WEB_POSTING = False
> (as above, no quotation marks etc) in settings.py. I don't know much about HyperKitty, so I'm not sure where that file lives in your installation.
> > Part of the problem is that our anti-spam system RSPAMD trusts the mailman-web IP… so it doesn’t scan things originating from there... ☹
> You know your organizational constraints, but it's a bad idea to trust any web-facing application that can send email to be responsible about it. :-(
> > Another question: Is there a way to implement captcha, or is there a recommended gate that can be put in the signup process?
> Here's the most recent technical discussion I can find.
> Archived-At: <https://lists.mailman3.org/archives/list/mailman-users@mailman3.org/message/RSZLMKPASCTKFY63RKGPGNCVVPAB5C4M/>
> However, it turns out that bots are almost as good at solving captchas as humans, and they can retry a lot faster. Captchas are also really horrible from an accessibility perspective.
> > Apparently bots are finding a way through the signup process, and then sending messages to the list via the Postorius web interface. There seems to be a Django plugin for it; but it appears the Mailman code would have to be adjusted to implement it.
> I don't think so, because Mailman (that is, HyperKitty and Postorius) delegate authentication to Django. Why do you think Mailman code needs to be adjusted?
> Steve
On Thu, 26 Aug 2021, Stephen J. Turnbull wrote:
> However, it turns out that bots are almost as good at solving captchas as humans, and they can retry a lot faster. Captchas are also really horrible from an accessibility perspective.
I have to disagree.
I previously put a captcha on a Joomla website which stopped 100% of all bogus account signup attempts.
What was it? "How many letters are in the word 'jazz'?"
This captcha is fully accessible, too.
If there's a captcha problem out there, it's because too many people just use the same old, same old - which is worth the bots cracking because it is used everywhere.
Or they use Google captcha crap, tracking visitors without permission and invading their privacy.
Brett
Brett Delmage writes:
> On Thu, 26 Aug 2021, Stephen J. Turnbull wrote:
> > However, it turns out that bots are almost as good at solving captchas as humans, and they can retry a lot faster. Captchas are also really horrible from an accessibility perspective.
> I have to disagree.
> I previously put a captcha on a Joomla website which stopped 100% of all bogus account signup attempts.
> What was it? "How many letters are in the word 'jazz'?" This captcha is fully accessible, too.
Of course, point taken. I've done similar things, and know quite a few such anecdotes. It's a good method, as long as *only a few of us use it*.
But if enough people use it, patterns will show up, and we'll get into a "proof of waste" race with the spammers as we try to come up with logic puzzles people can solve but spammers' ML can't. I don't think it really addresses the issue that attackers can solve it easily if they want to, and will eventually automate that solution, although it does address the issue of accessibility (mostly -- I am not an expert but I wouldn't be surprised if long-time screen reader users are relatively poor spellers!)
And it's not a satisfactory solution for a lot of our users. We can't safely add enabling functions to Mailman, because I'm sure there are a dozen Spamming as a Service (SpAAS) groups out there with Mailman 3 clone repos. So you need a skilled admin to implement custom CAPTCHAs.
> If there's a captcha problem out there, it's because too many people just use the same old, same old -
Of course they do. After all, that's what software is for -- very cheaply using others' solutions for common problems. In this case, though, the "problem" is smart -- it's human attackers and their tools.
> which is worth the bots cracking because it is used everywhere.
That evaluation is close, but not exact in the age of SpAAS. If they want you, they'll get you, it's trivial for an open-subscription site. And if they need a human to crack your trivial CAPTCHA, a smart spammer (or even somebody who hates you for banning them from your comments) will add it to their box of tricks. I bet you'll get tired sooner than they do. Eventually it will make it into kiddie-scripts.
The other thing is that if such simple captchas become popular, you know that the pros will start scanning sites for them just to make a database of patterns, and add hacks for any popular ones (or if they're smart, for every pattern they find -- I bet on a regular basis they'll get as lucky as I did when I stopped Klez, and then Fretham too, with just "iframe.*height=1").
Steve
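Brett's text-question gate and Steve's two objections (bots retry very fast, and a fixed question bank is cheap to automate once it is catalogued) can both be illustrated in one small piece of code. The following is an added example written for this thread, not code from Mailman, HyperKitty, Postorius or django-recaptcha, and it assumes a hypothetical site-specific question bank and a per-client identifier (for instance the remote address) that the signup view would supply. It issues a plain-text question together with an HMAC-signed, expiring, single-use token so the expected answer never reaches the client, and it locks a client out after a few wrong answers, which is the part that actually slows down an automated retry loop. Nothing here makes the puzzle itself harder for a bot that already knows the question list; that is Steve's point, and it still stands.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Set, Tuple

# Constructed, site-specific question bank (hypothetical). Plain text only, so
# it works with screen readers; answers are compared case-insensitively.
QUESTIONS: Dict[str, Tuple[str, str]] = {
    "q1": ("How many letters are in the word 'jazz'?", "4"),
    "q2": ("What is the first word of this question?", "what"),
    "q3": ("Type the word 'mailman' backwards.", "namliam"),
}

CHALLENGE_TTL = 300   # seconds a challenge token stays valid
MAX_ATTEMPTS = 3      # wrong answers allowed per client before lock-out
LOCKOUT = 600         # seconds a locked-out client must wait


def _sign(key: bytes, payload: bytes) -> str:
    """HMAC-SHA256 over the token payload; keyed with a server-side secret."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue_challenge(key: bytes, now: Optional[float] = None,
                    qid: Optional[str] = None) -> Tuple[str, str]:
    """Return (question_text, token). The token carries only the question id,
    a random nonce and an expiry; the answer itself never leaves the server."""
    now = time.time() if now is None else now
    qid = qid or secrets.choice(list(QUESTIONS))
    body = json.dumps({"q": qid, "n": secrets.token_hex(8),
                       "exp": int(now + CHALLENGE_TTL)}).encode()
    payload = base64.urlsafe_b64encode(body).decode()
    return QUESTIONS[qid][0], f"{payload}.{_sign(key, payload.encode())}"


class SignupGate:
    """Verifies answers and throttles clients that keep guessing."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self._attempts: Dict[str, Tuple[int, float]] = {}  # client -> (failed, locked_until)
        self._used: Set[str] = set()                        # redeemed nonces (replay block)

    def verify(self, client_id: str, token: str, answer: str,
               now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        _, locked_until = self._attempts.get(client_id, (0, 0.0))
        if now < locked_until:
            return False                       # locked out: do not even evaluate the answer
        try:
            payload, sig = token.split(".", 1)
        except ValueError:
            return self._fail(client_id, now)
        if not hmac.compare_digest(sig, _sign(self.key, payload.encode())):
            return self._fail(client_id, now)  # forged or tampered token
        data = json.loads(base64.urlsafe_b64decode(payload))
        if now > data["exp"] or data["n"] in self._used or data["q"] not in QUESTIONS:
            return self._fail(client_id, now)  # expired, replayed, or unknown question
        if answer.strip().lower() != QUESTIONS[data["q"]][1]:
            return self._fail(client_id, now)
        self._used.add(data["n"])              # each token is good for exactly one success
        self._attempts.pop(client_id, None)
        return True

    def _fail(self, client_id: str, now: float) -> bool:
        failed, _ = self._attempts.get(client_id, (0, 0.0))
        failed += 1
        if failed >= MAX_ATTEMPTS:
            self._attempts[client_id] = (0, now + LOCKOUT)   # reset counter, start lock-out
        else:
            self._attempts[client_id] = (failed, 0.0)
        return False


if __name__ == "__main__":
    key = secrets.token_bytes(32)              # in a real deployment: a persistent secret
    gate = SignupGate(key)
    question, token = issue_challenge(key)
    print(question)
    print("accepted:", gate.verify("203.0.113.7", token, input("answer: ")))
```

The in-memory attempt table and nonce set are enough for a single process; behind several workers they would have to live in a shared store such as the Django cache, which is also where a real view would keep the secret key rather than generating one per run.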