Any possible way to reduce robot spam accounts?
Hi,
I just installed a mailman3 instance and haven't even announced it to anyone yet, but there are a lot of spam robot accounts registering into my system.
(See https://nextcloud.slat.org/index.php/s/WWHo7F3igYxn8LY for screenshot)
I really have no idea how the robots find my system since I haven't told anyone the ip or URL of my mailman instance. And, they're registering on the system, not the mailing list since I have only one list for testing now and it wasn't assaulted by spam yet.
No matter what, what I want to ask is that, is there a way to either
- just let users join from email (lists-join@lists.url) instead of registering on the mailman instance? or
- use a scheme like CAPTCHA to reduce the successful opportunity of robot registering?
Any help is appreciated!
Franklin
Franklin Weng writes:
I really have no idea how the robots find my system since I haven't told anyone the ip or URL of my mailman instance. And, they're registering on the system, not the mailing list since I have only one list for testing now and it wasn't assaulted by spam yet.
The bots just check every domain on the internet for the /mailman3 and /postorius paths.
- just let users join from email (lists-join@lists.url) instead of registering on the mailman instance? or
What I do is open up the firewall only to ips I have legit users at. You probably can't do that, but if you can, it's quite effective.
You could restrict it to email-only subscription in one of the following ways, but the bots have known how to do that since the 90s, and the only control you have is to require moderator approval. Requiring address verification doesn't help much, the bots have been doing that almost as long.
You can disable the administrative UI entirely, by removing the entries for mailman3 and postorius from the top-level urls.py.
You can edit the template for the list information to remove the subscription form.
- use a scheme like CAPTCHA to reduce the successful opportunity of robot registering?
I think somebody has implemented CAPTCHA for Mailman 3. Search the archives of this list.
But the bots also know how to solve CAPTCHAs, and for some CAPTCHAs they were faster and more accurate than humans. Unless your users expect instant membership, or you expect an awful lot of subscriptions, I would just let subscriptions accumulate for a day or two and then discard them all.
You can also write a script to figure out the IPs and ban those hosts at the firewall.
Steve
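One way to do the "figure out the IPs" step mentioned above, as an added example that is not part of the original post: it counts POSTs to the signup form per client address in a web access log and lists the addresses over a threshold, skipping allowlisted networks. The combined log format, the function names, the threshold and the sample lines are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the web server writes Apache/nginx "combined" format access logs.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)')
SIGNUP_SUFFIX = "/accounts/signup/"  # signup path as it appears in this thread

# Constructed sample input (documentation-range addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jul/2023:10:01:02 +0000] "POST /accounts/signup/ HTTP/1.1" 302 0 "-" "bot"
203.0.113.7 - - [20/Jul/2023:10:01:09 +0000] "POST /accounts/signup/ HTTP/1.1" 302 0 "-" "bot"
203.0.113.7 - - [20/Jul/2023:10:01:15 +0000] "POST /accounts/signup/ HTTP/1.1" 302 0 "-" "bot"
198.51.100.20 - - [20/Jul/2023:10:05:00 +0000] "GET /accounts/signup/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [20/Jul/2023:10:05:30 +0000] "POST /accounts/signup/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [20/Jul/2023:10:06:00 +0000] "POST /accounts/signup/ HTTP/1.1" 302 0 "-" "curl"
192.0.2.10 - - [20/Jul/2023:10:06:01 +0000] "POST /accounts/signup/ HTTP/1.1" 302 0 "-" "curl"
192.0.2.10 - - [20/Jul/2023:10:06:02 +0000] "POST /accounts/signup/ HTTP/1.1" 302 0 "-" "curl"
this line is not an access log entry
"""

def signup_posts_by_ip(lines):
    """Count POSTs to the signup form per client address."""
    counts = Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].split("?", 1)[0].endswith(SIGNUP_SUFFIX):
            continue
        try:
            counts[str(ipaddress.ip_address(m["ip"]))] += 1
        except ValueError:
            continue  # first field was a hostname or junk, skip it
    return counts

def ban_candidates(lines, threshold=3, allow=()):
    """Addresses with >= threshold signup POSTs, minus allowlisted networks."""
    allowed = [ipaddress.ip_network(net) for net in allow]
    banned = []
    for ip, hits in signup_posts_by_ip(lines).most_common():
        addr = ipaddress.ip_address(ip)
        if hits >= threshold and not any(addr in net for net in allowed):
            banned.append(ip)
    return banned

if __name__ == "__main__":
    for ip in ban_candidates(SAMPLE_LOG.splitlines(), allow=["192.0.2.0/24"]):
        print(ip)
```

If Mailman's web UI sits behind a reverse proxy, the first log field is the proxy's address unless the log format records the forwarded client address, so check that before feeding the output to a firewall. Put your own networks in the allowlist so a busy legitimate site is not banned.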
Hi Stephen,
Thanks for your reply.
Stephen J. Turnbull wrote on 2023/7/20 21:11:
Franklin Weng writes:
- just let users join from email (lists-join@lists.url) instead of registering on the mailman instance? or
What I do is open up the firewall only to ips I have legit users at. You probably can't do that, but if you can, it's quite effective.
You could restrict it to email-only subscription in one of the following ways,
You can edit the template for the list information to remove the subscription form.
Could you please tell me how to do it? I thought of removing the register link from the web page (upper right corner of /mailman3/postorius/lists/ ) but I couldn't find any web page templates like that. I tried /var/lib/mailman3/web/static but I couldn't even find any keywords like "accounts" or "signup". I don't know how to deal with javascripts.
Thanks, Franklin
Hi,
On Fri, Jul 21, 2023 at 6:46 AM Franklin Weng <franklin@slat.org> wrote:
You can edit the template for the list information to remove the subscription form.
Could you please tell me how to do it?
There is a better way to do this - via SHOW_ANONYMOUS_SUBSCRIBE_FORM = False in settings, however, you need the latest Mailman 3 version for this to work.
With my best regards, Danil Smirnov
Hi,
On Thu, Jul 20, 2023 at 10:28 AM Franklin Weng <franklin@slat.org> wrote:
No matter what, what I want to ask is that, is there a way to either
- just let users join from email (lists-join@lists.url) instead of registering on the mailman instance? or
I suppose you want this:
https://docs.mailman3.org/en/latest/faq.html#how-to-disable-signup
With my best regards, Danil Smirnov
Hi Danil,
(I just used the wrong account to reply. Feel free to reject the previous one which should be in moderated list)
Danil Smirnov wrote on 2023/7/21 04:32:
Hi,
On Thu, Jul 20, 2023 at 10:28 AM Franklin Weng <franklin@slat.org> wrote:
No matter what, what I want to ask is that, is there a way to either
- just let users join from email (lists-join@lists.url) instead of registering on the mailman instance? or
I suppose you want this:
https://docs.mailman3.org/en/latest/faq.html#how-to-disable-signup
With my best regards, Danil Smirnov
Thank you. When I set it in my settings_local.py, I clicked register and got an error:
ModuleNotFoundError at /accounts/signup/ No module named 'django_mailman3.views.user_adapter'
(In the document the path is /etc/mailman3/settings.py but I installed it with Debian packages so I guess the path is somewhat different, and I thought setting it in settings_local.py should work too. It seems to work since it gave me the error above.)
Do I have to install something else? Or disable some other options?
Thanks, Franklin
On 7/20/23 20:42, Franklin Weng wrote:
Thank you. When I set it in my settings_local.py, I clicked register and got an error:
ModuleNotFoundError at /accounts/signup/ No module named 'django_mailman3.views.user_adapter'
(In the document the path is /etc/mailman3/settings.py but I installed it with Debian packages so I guess the path is somewhat different, and I thought setting it in settings_local.py should work too. It seems to work since it gave me the error above.)
Do I have to install something else? Or disable some other options?
What is the version of django_mailman3 in your Debian package? As it says in the FAQ article, "You would need django-mailman3 >= 1.3.6 for these settings to work."
--
Mark Sapiro <mark@msapiro.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
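A guarded settings fragment for the failure discussed in this exchange, as an added example that is not part of the thread or the Mailman project's own code: it sets the signup adapter only when the `django_mailman3.views.user_adapter` module can be located, so an older django-mailman3 produces a warning at startup instead of a ModuleNotFoundError on the signup page. The adapter class name is the one from the Mailman FAQ linked in the thread and should be confirmed against the installed version; the helper names are hypothetical.

```python
import importlib.util
import warnings

# Assumption: adapter class path as given in the Mailman FAQ linked in the
# thread; confirm it against your installed django-mailman3 (needs >= 1.3.6).
SIGNUP_ADAPTER = "django_mailman3.views.user_adapter.DisableSignupAdapter"

def module_exists(dotted_module):
    """True if the module can be located, without importing the module itself."""
    try:
        return importlib.util.find_spec(dotted_module) is not None
    except ModuleNotFoundError:
        return False  # a parent package is missing or is not a package

def signup_lockdown(adapter=SIGNUP_ADAPTER):
    """Settings to merge into settings_local.py (hypothetical helper)."""
    settings = {"SHOW_ANONYMOUS_SUBSCRIBE_FORM": False}
    module = adapter.rpartition(".")[0]
    if module_exists(module):
        settings["ACCOUNT_ADAPTER"] = adapter
    else:
        # Fail loudly: without the adapter, account signup remains open.
        warnings.warn(f"{module} not installed: signup stays OPEN; "
                      "upgrade django-mailman3 before setting ACCOUNT_ADAPTER")
    return settings

# In settings_local.py: apply the result as module-level Django settings.
globals().update(signup_lockdown())
```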
Hi Mark,
Mark Sapiro wrote on 2023/7/21 12:01:
On 7/20/23 20:42, Franklin Weng wrote:
Thank you. When I set it in my settings_local.py, I clicked register and got an error:
ModuleNotFoundError at /accounts/signup/ No module named 'django_mailman3.views.user_adapter'
(In the document the path is /etc/mailman3/settings.py but I installed it with Debian packages so I guess the path is somewhat different, and I thought setting it in settings_local.py should work too. It seems to work since it gave me the error above.)
Do I have to install something else? Or disable some other options?
What is the version of django_mailman3 in your Debian package? As it says in the FAQ article, "You would need django-mailman3 >= 1.3.6 for these settings to work."
Debian Bullseye goes with 1.3.5, and Debian Bookworm goes with 1.3.9 but as I have said in another thread it has problems in django admin.
So I downloaded the 1.3.9 source code, extracted it, and copied django-mailman3/views/user_adapter.py to /usr/lib/python3/dist-packages/django_mailman3/views. It worked!
For the record. Thanks for your help.
Thanks, Franklin
participants (4): Danil Smirnov, Franklin Weng, Mark Sapiro, Stephen J. Turnbull