X-Git-Url: https://git.ralfj.de/web.git/blobdiff_plain/6c08d400b8980332184e3de1fa5279699cbf8ee5..e25fa2227bc11aa8fcb76b1c9c239b64e4b9df97:/ralf/_posts/2018-06-02-mailman-subscription-spam.md?ds=sidebyside diff --git a/ralf/_posts/2018-06-02-mailman-subscription-spam.md b/ralf/_posts/2018-06-02-mailman-subscription-spam.md index 237153c..e8d557c 100644 --- a/ralf/_posts/2018-06-02-mailman-subscription-spam.md +++ b/ralf/_posts/2018-06-02-mailman-subscription-spam.md @@ -20,14 +20,17 @@ spam. So, more than enough reasons to try and stop this. ### The Big Guns My first reaction was to go and look for a way to add a CAPTCHA to the -subscription page. Unfortunately, Mailman itself does not support a CAPTCHA (at -least not Mailman 2), and the existing patches I found were all about adding -support for Google's reCAPTCHA. I am not going to expose my users to Google's -tracking like that, nor am I willing to actively discriminate against people not -having Google accounts (reCAPTCHA is much more annoying if Google can't track -you because you are not logged in), so reCAPTCHA was clearly not an option. -Instead, the plan was to look at one of these patches and implement a simple -question-and-answer CAPTCHA myself. +subscription page. Unfortunately, Mailman 2 itself only very recently (with +version 2.1.26) gained support for CAPTCHAs, and even that just supports +Google's reCAPTCHA. I am not going to expose my users to Google's tracking like +that, nor am I willing to actively discriminate against people not having Google +accounts (reCAPTCHA is much more annoying if Google can't track you because you +are not logged in), so reCAPTCHA was clearly not an option. Instead, the plan +was to look at one of the patches that add CAPTCHA support to older versions of +Mailman and implement a simple question-and-answer CAPTCHA myself. + +**Update:** I previously claimed Mailman 2 does not support CAPTCHAs at all, + which turned out to be incorrect. **/Update** ### Keep It Simple 
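Review bot: the second line of the added update paragraph, ` which turned out to be incorrect. **/Update**`, starts with a leading space, unlike every other hard-wrapped line in this file; drop it so the paragraph is formatted like its neighbours. The same paragraph and the rewritten sentence above it now rest on a concrete version claim ("with version 2.1.26") that the text gives no source for, so consider linking the Mailman release notes for that version next to the claim, which also lets readers check which minimum version they need if they want the built-in reCAPTCHA rather than a home-grown question-and-answer check.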
@@ -42,9 +45,10 @@ have found my servers so far are much less patient than that, just setting spam. So, if you are reading this and running a Mailman installation: **Please set -`SUBSCRIBE_FORM_SECRET` and protect your setup against abuse!** Just run `pwgen -16` to get some random string, and then add `SUBSCRIBE_FORM_SECRET = "<random -string here>"` to `/etc/mailman/mm_cfg.py`. It's really that simple! Just a +`SUBSCRIBE_FORM_SECRET` and protect your setup against abuse!** Just run +`openssl rand -base64 18` to get some random string, and then add +`SUBSCRIBE_FORM_SECRET = "<random string here>"` to `/etc/mailman/mm_cfg.py`. +It's really that simple! Just a [four-line patch in my Ansible playbook](https://git.ralfj.de/ansible.git/commitdiff/937b170594be82e500ae726dc47de8ca9ef3dfcf) to get this rolled out to all servers. Note that you need to be at least on Mailman 2.1.16 for this to work; all currently supported versions of Debian come @@ -53,7 +57,5 @@ with a recent enough version (if you use backports on Debian 7 "Wheezy"). The more people do this, the more it will help to stop this kind of spam. Or rather, it'll force the spammers to upgrade their game. I assume eventually I *will* have to add a CAPTCHA. Or maybe there is a simple and reliable way to -migrate to Mailman 3 before that happens---and maybe that will have a CAPTCHA. -(Though, from a quick search, it doesn't seem like it does, which I find pretty -surprising. If my tiny servers are abused like this, I assume it's a really -common problem and Mailman should protect against it per default.) +migrate to Mailman 3 before that happens---and maybe that will have more +reasonable CAPTCHA options, something beyond just reCAPTCHA.
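Review bot: the swap from `pwgen 16` to `openssl rand -base64 18` is not explained anywhere in the hunk; a half sentence such as "(`openssl` is installed nearly everywhere, `pwgen` usually is not)" would tell the reader why the recommended command changed and that either is acceptable as long as the output is random. Since the value is pasted into `SUBSCRIBE_FORM_SECRET = "<random string here>"` in `/etc/mailman/mm_cfg.py` as a Python string literal, the text should say to paste the command's output verbatim between the quotes, and, because the next sentence talks about rolling this out "to all servers" via the Ansible playbook, it is worth stating that each server should get its own generated value rather than one secret copied to every host.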
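Review bot: the rewritten closing sentence of the last hunk, "and maybe that will have more reasonable CAPTCHA options, something beyond just reCAPTCHA", ends in a dangling fragment; "options beyond reCAPTCHA alone" reads more cleanly. The removed parenthetical also carried the one argument that still holds regardless of which Mailman version has a CAPTCHA, namely that subscription spam against even tiny servers suggests a common problem that Mailman should protect against by default; consider keeping that sentence, minus the now-incorrect claim that Mailman 3 lacks a CAPTCHA, so the post still makes the case for secure defaults.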