captcha for subscription and account registration forms
Dear all,
in mailman installed in venv is there really no canonical way of integrating a captcha into postorius' subscription and account registration forms? We are increasingly getting hammered by spambots, and a captcha would seem like a simple and effective solution.
Thanks for any suggestions!
Johannes
Johannes Rohr via Mailman-users writes:
in mailman installed in venv is there really no canonical way of integrating a captcha into postorius' subscription and account registration forms? We are increasingly getting hammered by spambots, and a captcha would seem like a simple and effective solution.
Nothing canonical, but a quick search of this list shows a few threads leading to this issue: https://gitlab.com/mailman/django-mailman3/-/work_items/33
If you have evidence that captchas work well, please let us know. The modern reCAPTCHA, however, mostly seems to be AI vendors training their models. Our own experience is that captchas slow the bots a bit and slow users more than a little: https://lists.mailman3.org/archives/list/mailman-users@mailman3.org/message/... which is why we are willing to let others do the work of integrating a solution. I don't recall seeing reports of successful use, only a few references to patches. None of those who have patches are willing to volunteer to integrate, so they don't seem terribly excited either.[1]
These bots do seem to be on the increase. It would help if we had data on where they're coming from and what addresses they're trying to sign up.
Footnotes: [1] I understand that a lot of people perceive substantial barriers to contribution, and that's fine. My point is that people who have a feature they think is really helpful for others often do get excited enough to do the work, and we're seeing none of that.
-- GNU Mailman consultant (installation, migration, customization) Sirius Open Source https://www.siriusopensource.com/ Software systems consulting in Europe, North America, and Japan
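One way to collect the source-side data asked for in the message above, as an added example that is not part of the original thread: it tallies sign-up and subscribe POSTs per source network from a web server access log. The combined log format and the URL patterns (`/accounts/signup/`, `/lists/<list>/subscribe`) are assumptions about the deployment, and the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Combined Log Format: ip - user [time] "METHOD path proto" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"'
)
# Assumed URL layout for the account sign-up and list subscribe forms.
SIGNUP_RE = re.compile(r'/accounts/signup/?$|/lists/[^/]+/subscribe/?$')

def network_of(ip):
    """Collapse an address to its /24 (IPv4) or /48 (IPv6) network."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

def tally_signups(lines):
    """Count sign-up/subscribe POSTs per source network and per user agent."""
    networks, agents = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if not SIGNUP_RE.search(path):
            continue
        try:
            networks[network_of(m["ip"])] += 1
        except ValueError:
            continue  # first field was a hostname, not an IP address
        agents[m["agent"]] += 1
    return networks, agents

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE = [
    '203.0.113.7 - - [01/May/2026:10:00:01 +0000] "POST /accounts/signup/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.99 - - [01/May/2026:10:00:02 +0000] "POST /mailman3/lists/test.lists.example.org/subscribe HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [01/May/2026:10:00:03 +0000] "GET /accounts/signup/ HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '2001:db8:1:2::5 - - [01/May/2026:10:00:04 +0000] "POST /accounts/signup/?next=/ HTTP/1.1" 200 5120 "-" "python-requests/2.31"',
    '198.51.100.4 - - [01/May/2026:10:00:05 +0000] "POST /accounts/login/ HTTP/1.1" 302 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    nets, uas = tally_signups(SAMPLE)
    for net, count in nets.most_common():
        print(count, net)
```

The addresses being signed up are not in the access log; those would have to come from Mailman's own logs or pending-subscription records.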
On 30.04.26 at 14:45, Stephen J. Turnbull wrote:
Johannes Rohr via Mailman-users writes:
in mailman installed in venv is there really no canonical way of integrating a captcha into postorius' subscription and account registration forms? We are increasingly getting hammered by spambots, and a captcha would seem like a simple and effective solution.
Nothing canonical, but a quick search of this list shows a few threads leading to this issue: https://gitlab.com/mailman/django-mailman3/-/work_items/33
If you have evidence that captchas work well, please let us know.
Last time I tried, they did, but maybe that was before AI became ubiquitous.
Is there another approach that you would recommend?
Cheers,
Johannes
Johannes Rohr via Mailman-users writes:
Last time I tried, [captchas worked well], but maybe that was before AI became ubiquitous.
What we saw was that 2005-level machine learning technology was producing character recognition good enough to beat the distorted character CAPTCHAs in a small number of tries. This was readily available to the most persistent spammers, so CAPTCHAs were not very successful at reducing such attacks to tolerable levels.
Is there another approach that you would recommend?
Not my expertise, unfortunately. I would talk to people who work on these problems. On a hunch, maybe the Django people, especially the ones who work on allauth, would have ideas. Also you could look for captcha projects (especially on PyPI, where you would find the most easily integrated products) and talk to their developers.
Since you seem quite concerned, it wouldn't hurt to try it. It's not hard, and the instructions for the django-simple-captcha package seem straightforward. It can be installed from PyPI using pip. That would pull in all the Python dependencies. You might need to install imaging libraries in the OS, although I think they're usually available.
The patch referenced earlier would probably show which files to edit, and where, to add the captchas to the right forms. Even if you don't program Python yourself, anybody with a little experience should be able to do it. Just make sure you make backups of any file you change, and a list of them, so you can revert easily.
-- GNU Mailman consultant (installation, migration, customization) Sirius Open Source https://www.siriusopensource.com/ Software systems consulting in Europe, North America, and Japan
"Stephen" == Stephen J Turnbull <steve@turnbull.jp> writes:
Stephen> Johannes Rohr via Mailman-users writes:
Last time I tried, [captchas worked well], but maybe that was before AI became ubiquitous.
Stephen> What we saw was that 2005-level machine learning technology was producing character recognition good enough to beat the distorted character CAPTCHAs in a small number of tries. This was readily available to the most persistent spammers, so CAPTCHAs were not very successful at reducing such attacks to tolerable levels.
I've enabled CAPTCHA in Postorius and Django using the patches in https://github.com/pbiering/mailman3-rpm and have seen a massive reduction in sign-up spam. Just adding an extra step has made us less attractive than other sites.
Is there another approach that you would recommend?
We haven't used it on Mailman, but Anubis has helped with signup spam on our Mattermost server. https://github.com/TecharoHQ/anubis
Peter C
On 01.05.26 at 01:23, Peter Chubb via Mailman-users wrote:
We haven't used it on Mailman, but Anubis has helped with signup spam on our Mattermost server. https://github.com/TecharoHQ/anubis
Testing anubis right now. So far, it seems to do a good job. Hope it stays this way!
Also the effort in configuring this setup was surprisingly limited. :-)
Johannes
Hi, just for your information, these are the steps I used to set up anubis to protect mailman:
https://cloud.uferwerk.org/s/a7nWGAjasrQpfSM
The md file has been written by Claude, but as far as I see, it is those steps I did (also guided by Claude)
So far, no more incoming subscription spam...
Johannes
On 01.05.26 at 12:27, Johannes Rohr via Mailman-users wrote:
On 01.05.26 at 01:23, Peter Chubb via Mailman-users wrote:
We haven't used it on Mailman, but Anubis has helped with signup spam on our Mattermost server. https://github.com/TecharoHQ/anubis
Testing anubis right now. So far, it seems to do a good job. Hope it stays this way!
Also the effort in configuring this setup was surprisingly limited. :-)
Johannes
On 2026-05-01 09:23:25 +1000 (+1000), Peter Chubb via Mailman-users wrote: [...]
We haven't used it on Mailman, but Anubis has helped with signup spam on our Mattermost server. [...]
We added it in front of our Mailman sites in the OpenDev Collaboratory a month or two back, not so much to curtail sign-up spam as to relieve the massive load increase we were seeing from compromised mobile device bot armies parallel crawling our Hyperkitty archives in search of more greymarket data for the LLM training goldrush.
Jeremy Stanley