Postorius performance with over 1000 pending users
I've got a couple things I need help with: The Symptom and The Problem.
The Symptom:
Postorius has gotten quite slow to load, taking more than 30s to load the Subscription Requests tab. Having zero pending subscription requests (I'm on v1.2.5), I started investigating unconfirmed subscriptions.
I followed the commands from here[1] and got this:
mailman shell -l your.list.id
util = getUtility(IPendings)
print(len(list(util.find(mlist=m,pend_type='subscription'))))
1816
Wow, 1816 pending subscription requests. I can say for certain that my list is not popular so these requests must have been submitted by bots. Let's get there in The Problem.
How can I "purge" this list? I'm willing to assume that none of these requests are valid and would reject all unconfirmed user requests.
The Problem:
How might this activity be happening? Running
cat /opt/mailman/core/var/logs/mailman.log | grep POST
returns a lot of 202 and 409 responses for POST /3.1/members.
Could it be that these requests are being submitted through Postorius? I'd assume there would be some sort of honeypot input to prevent abuse. I'll continue investigating and follow up with any insight I can on the cause of The Problem.
Thanks, Nick
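The grep in the message above, extended into a per-hour tally by status code so that bursts of subscription requests stand out. This is an added example, not part of the original post; the log line layout and the sample lines are assumptions constructed for illustration.

```python
import re
import sys
from collections import Counter, defaultdict

# Assumed line layout; adjust the regex to what your mailman.log contains:
#   Jun 08 12:13:05 2019 (1234) 127.0.0.1 - - "POST /3.1/members HTTP/1.1" 202 0
# In Mailman's REST API, 202 is returned when the request is accepted but still
# pending, 409 when it conflicts with an existing member or request.
LINE_RE = re.compile(
    r'^(?P<hour>\w{3} \d{2} \d{2}):\d{2}:\d{2} \d{4} .*'
    r'"POST /3\.1/members HTTP/[\d.]+" (?P<status>\d{3})\b'
)

# Constructed sample lines, not taken from a real log.
SAMPLE_LOG = """\
Jun 08 11:02:10 2019 (1234) 127.0.0.1 - - "POST /3.1/members HTTP/1.1" 202 0
Jun 08 11:40:00 2019 (1234) 127.0.0.1 - - "GET /3.1/lists HTTP/1.1" 200 512
Jun 08 12:13:05 2019 (1234) 127.0.0.1 - - "POST /3.1/members HTTP/1.1" 202 0
Jun 08 12:13:06 2019 (1234) 127.0.0.1 - - "POST /3.1/members HTTP/1.1" 409 0
Jun 08 12:13:09 2019 (1234) 127.0.0.1 - - "POST /3.1/members HTTP/1.1" 202 0
Jun 08 12:20:00 2019 (1234) 127.0.0.1 - - "POST /3.1/members/find HTTP/1.1" 200 90
"""


def tally_member_posts(lines):
    """Map each hour bucket to a Counter of status codes for POST /3.1/members."""
    per_hour = defaultdict(Counter)
    for line in lines:
        match = LINE_RE.search(line)
        if match:  # other methods and other endpoints are ignored
            per_hour[match["hour"]][match["status"]] += 1
    return per_hour


def busy_hours(per_hour, threshold):
    """Return the hour buckets whose request count reaches the threshold."""
    return sorted(h for h, c in per_hour.items() if sum(c.values()) >= threshold)


if __name__ == "__main__":
    # Pass a log path as the first argument, or run on the sample above.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            tally = tally_member_posts(fh)
    else:
        tally = tally_member_posts(SAMPLE_LOG.splitlines())
    for hour in busy_hours(tally, threshold=3):
        print(hour, dict(tally[hour]))
```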
On 06/08/19 at 12:13, Nick W <mail@nickwynja.com> wrote:
Could it be that these requests are being submitted through Postorius? I'd assume there would be some sort of honeypot input to prevent abuse. I'll continue investigating and follow up with any insight I can on the cause of The Problem.
Some follow up here:
cat /var/log/nginx/access.log | grep "POST /postorius/lists/mylist.exmple.com/"
shows only a recent manual attempt I made to subscribe but not much else, which leads me to believe these requests aren't coming through Postorius.
Now the more embarrassing part. The likely culprit is my stupidity.
In an attempt to have subscription forms embedded on my static websites, I created this Flask app to handle POSTs and subscribe people to the specified lists.
https://github.com/nickwynja/fmmss/
I included a menial honeypot feature to handle spam requests, which I thought was working. It must not be but it appeared like it was, likely because I made the honeypot for my app at the same time I changed the subscription policy to 'confirm' and upgraded from Postorius 1.2.3 (when pending user subscriptions were no longer shown).
Seems like I have some homework to do to prevent spam subscriptions through my app.
On 6/8/19 9:13 AM, Nick W wrote:
How can I "purge" this list? I'm willing to assume that none of these requests are valid and would reject all unconfirmed user requests.
mailman shell -l your.list.id
util = getUtility(IPendings)
for token, data in util.find(mlist=m, pend_type='subscription'):
    util.confirm(token, expunge=True)

# persist the change before leaving the shell
commit()
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
On 06/08/19 at 18:06, Mark Sapiro <mark@msapiro.net> wrote:
mailman shell -l your.list.id
util = getUtility(IPendings)
for token, data in util.find(mlist=m, pend_type='subscription'):
    util.confirm(token, expunge=True)

# persist the change before leaving the shell
commit()
Thanks!
In trying to learn more about preventing spam registrations, what methods does Postorius successfully employ to reduce spam signups through the "anonymous_subscribe" form?
On 6/11/19 5:05 AM, Nick wrote:
In trying to learn more about preventing spam registrations, what methods does Postorius successfully employ to reduce spam signups through the "anonymous_subscribe" form?
Only those implied by the list's Subscription Policy.
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan