Mailman and captcha
Mailman and captcha
The libwebsockets.org mailing list signup page (at https://libwebsockets.org/mailman/listinfo/libwebsockets ) has been targeted by a botnet trying to use automated signups via google.
Nothing made it to the list, but the mail server is filled with doomed attempts to verify against the generated emails, eg
S'sqoonart+yjjzxqku@outlook.com'
S'sqoonart+wziudy@outlook.com'
S'sqoonart+clkqaj@outlook.com'
S'sqoonart+xxohsyye@outlook.com'
S'sqoonart+uvubjuwp@outlook.com'
S'sqoonart+ezpikxd@outlook.com'
S'sqoonart+eaiqnjs@outlook.com'
S'sqoonart+mvpboqse@outlook.com'
S'sqoonart+tiai@outlook.com'
S'sqoonart+ieamtf@outlook.com'
S'sqoonart+prdpbmp@outlook.com'
looking closer they’re being generated by signups from a wide range of IPs POSTing the mailman signup form with nonsense names and passwords.
This causes our server to make a lot of bad requests to the mail hosts (in good faith). So it seems we should enable a captcha on the signup page.
No captcha support in mailman
Mailman does not support captcha, despite botnets are scanning the net looking for mailman signup pages to spam. I guess Hyperkitty has taken over dev interest, but I am okay with mailman. Googling around found this page
https://www.dragonsreach.it/2014/05/03/adding-recaptcha-support-to-mailman/
Where the author has already suffered this problem in 2014 and he provides a somewhat corrupted patch and info on how to patch mailman… this is a bit painful since we are patching distro python that is subject to being overwritten by package upgrades. But since mailman itself doesn’t want to support captcha it is the only choice.
The rest of this post is about how to actually do that successfully, based on Andrea Veri’s original blog post.
Broken package for python-recaptcha-client
The first problem following those instructions is the dependent package python-recaptcha-client that it relies on cannot be recognized as something you can include from Python. In fact as pointed out at http://mailman.9.n7.nabble.com/Mailman-2-1-23-and-reCAPTCHA-td46468.html#a46474 you must perform:
$ sudo touch /usr/lib/python2.7/site-packages/recaptcha/__init__.py
to provide the missing indication that the content is actually a python package at all; the Fedora package has the __init.py__
in a subdir, which causes python to ignore it.
Broken patch
The next problem is the patch has been mangled…. quoted items in angle-brackets have been snipped. This isn’t just an html rendering issue: they are missing in the page source on Andrea’s site. The fixed patch is here
--- listinfo.py 2017-08-12 04:12:29.953487616 +0200
+++ listinfo.py 2017-08-12 04:53:00.071483277 +0200
@@ -23,6 +23,7 @@
import os
import cgi
import time
+import sys
from Mailman import mm_cfg
from Mailman import Utils
@@ -32,6 +33,8 @@
from Mailman.htmlformat import *
from Mailman.Logging.Syslog import syslog
+from recaptcha.client import captcha
+
# Set up i18n
_ = i18n._
i18n.set_language(mm_cfg.DEFAULT_SERVER_LANGUAGE)
@@ -227,6 +230,7 @@
replacements['<mm-displang-box>'] = displang
replacements['<mm-lang-form-start>'] = mlist.FormatFormStart('listinfo')
replacements['<mm-fullname-box>'] = mlist.FormatBox('fullname', size=30)
+ replacements['<mm-recaptcha-javascript>'] = captcha.displayhtml(mm_cfg.RECAPTCHA_PUBLIC_KEY, use_ssl=True)
# Do the expansion.
doc.AddItem(mlist.ParseTags('listinfo.html', replacements, lang))
--- subscribe.py 2017-08-12 04:14:44.143487376 +0200
+++ subscribe.py 2017-08-12 04:45:08.608484119 +0200
@@ -32,6 +32,9 @@
from Mailman.UserDesc import UserDesc
from Mailman.htmlformat import *
from Mailman.Logging.Syslog import syslog
+from recaptcha.client import captcha
+
+
SLASH = '/'
ERRORSEP = '\n\n<p>'
@@ -122,6 +125,16 @@
os.environ.get('HTTP_X_FORWARDED_FOR',
os.environ.get('REMOTE_ADDR',
'unidentified origin')))
+
+ captcha_response = captcha.submit(
+ cgidata.getvalue('recaptcha_challenge_field', ""),
+ cgidata.getvalue('recaptcha_response_field', ""),
+ mm_cfg.RECAPTCHA_PRIVATE_KEY,
+ remote,
+ )
+ if not captcha_response.is_valid:
+ results.append(_('Invalid captcha'))
+
# Are we checking the hidden data?
if mm_cfg.SUBSCRIBE_FORM_SECRET:
now = int(time.time())
Change dir to /usr/lib/mailman/Mailman/Cgi
(for Fedora) before applying the patch.
This patch is correct against mailman-2.1.21.
You also need to modify the html and add your captcha keys to env vars in the mm_cfg.py
as pointed out in the original article.
Troubleshooting
If problems are coming, at least on Fedora, although mailman puts out some scary “low level error” html, it also puts the details / backtrace down /var/log/mailman/error/
.
Maintaining
Once it’s working, this is actually very fragile against updated mailman package from Fedora. In the abscence of a better idea I disabled updating mailman by creating an /etc/yum.conf
containing
exclude=mailman
and keep an eye out when updating for mailman getting listed as excluded.