Mailman and captcha
The libwebsockets.org mailing list signup page (at https://libwebsockets.org/mailman/listinfo/libwebsockets) has been targeted by a botnet trying to use automated signups via Google.
Nothing made it to the list, but the mail server is filled with doomed attempts to verify against the generated emails, e.g.:
Sfirstname.lastname@example.org' Semail@example.com'
Looking closer, they're being generated by signups from a wide range of IPs POSTing the mailman signup form with nonsense names and passwords.
This causes our server to make a lot of bad requests to the mail hosts (in good faith). So it seems we should enable a captcha on the signup page.
No captcha support in mailman
Mailman does not support captcha, even though botnets are scanning the net looking for mailman signup pages to spam. I guess Hyperkitty has taken over dev interest, but I am okay with mailman. Googling around found this page, where the author had already suffered this problem in 2014; he provides a somewhat corrupted patch and info on how to patch mailman. This is a bit painful, since we are patching distro python that is subject to being overwritten by package upgrades. But since mailman itself doesn't want to support captcha, it is the only choice.
The rest of this post is about how to actually do that successfully, based on Andrea Veri’s original blog post.
Broken package for python-recaptcha-client
The first problem when following those instructions is that the package it depends on, python-recaptcha-client, is not recognized by Python as something you can import. In fact, as pointed out at http://mailman.9.n7.nabble.com/Mailman-2-1-23-and-reCAPTCHA-td46468.html#a46474, you must run:
$ sudo touch /usr/lib/python2.7/site-packages/recaptcha/__init__.py
to provide the missing indication that the content is actually a Python package at all; the Fedora package has the __init__.py in a subdir, which causes Python to ignore it.
The next problem is that the patch has been mangled: quoted items in angle-brackets have been snipped. This isn't just an html rendering issue: they are missing in the page source on Andrea's site. The fixed patch is here
Change dir to /usr/lib/mailman/Mailman/Cgi (for Fedora) before applying the patch.
This patch is correct against mailman-2.1.21.
You also need to modify the html and add your captcha keys to env vars in the mm_cfg.py as pointed out in the original article.
If problems occur, at least on Fedora, mailman puts out some scary “low level error” html, but it also puts the details / backtrace down
Once it’s working, this is actually very fragile against an updated mailman package from Fedora. In the absence of a better idea I disabled updating mailman by creating an
and keep an eye out when updating for mailman getting listed as excluded.
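The fragility against package upgrades described above can be caught with a small post-upgrade check. This is an added example, not part of the original post or of the patch; the paths are the Fedora ones given in the post, while the CGI file names (listinfo.py, subscribe.py) and the "captcha" marker string are assumptions.

```shell
#!/bin/sh
# Added example: verify that the captcha patch and the recaptcha package marker
# survived a package upgrade. The file list and the "captcha" marker string are
# assumptions; adjust them to whatever the patch actually touches on your host.

# check_captcha_patch ROOT [FILES...]
# ROOT is a filesystem prefix ("" on the live host, a scratch dir for testing).
# Prints one line per problem and returns the number of problems found.
check_captcha_patch() {
    root=$1; shift
    cgi_dir="$root/usr/lib/mailman/Mailman/Cgi"
    init_py="$root/usr/lib/python2.7/site-packages/recaptcha/__init__.py"
    # Assumption: the patch modifies these two CGI scripts.
    [ $# -gt 0 ] || set -- listinfo.py subscribe.py
    problems=0

    # Without __init__.py, Python 2.7 does not treat recaptcha/ as a package.
    if [ ! -f "$init_py" ]; then
        echo "MISSING: $init_py"
        problems=$((problems + 1))
    fi

    for f in "$@"; do
        if [ ! -f "$cgi_dir/$f" ]; then
            echo "MISSING: $cgi_dir/$f"
            problems=$((problems + 1))
        elif ! grep -qi 'captcha' "$cgi_dir/$f"; then
            # An upgrade replaced the patched file with the stock one.
            echo "UNPATCHED: $cgi_dir/$f"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Only touch the live system when asked to; otherwise just define the function.
if [ "${1:-}" = "--check" ]; then
    check_captcha_patch "" && echo "captcha patch intact"
fi
```

Run it with --check after each system update (or from cron) so a silently reverted signup form is noticed before the bots find it again.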