On Wed, Aug 26, 2020 at 2:37 PM Jim Popovitch via Mailman-Users <mailman-users@python.org> wrote:
> Hi Folks,
> A couple of days ago, over on the MAILOP mailing list, there was a long thread titled 'Mailman confirmation email denial of service'. This detailed some of the problems we've all seen with Mailman subscription spam. The Mailman team has addressed a lot of these problems with ReCAPTCHA support and additional configuration options. Arguably the best solution has been the ReCAPTCHA integration. BUT, a lot of people don't like the Google tie-ins that come with ReCAPTCHA.
The person describing the problem in that thread had not set SUBSCRIBE_FORM_SECRET, and someone with apparently the same problem described it as "actually filling it correctly (password, confirmation...) and, as shown below, without even fetching the page containing the form first". I may well have misunderstood it, and apologise in advance if I have, but it seems that the problem in question could have been avoided using an existing feature of Mailman 2.
(It would be ideal if Mailman 2 could be developed until the same set of people who installed it can install Mailman 3, but I don't know how realistic that is. I installed MM2 on a shared server, with no real expertise and at no extra cost, but have been told I would need to pay for a dedicated server to install MM3. I will probably move to MM3 mainly for its email-from-web feature, but pay to have the list hosted for me on a subdomain.)
Best wishes
Jonathan
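
The following is an added example, not part of the original message and not Mailman's own code. It sketches how a secret-keyed form token of the kind SUBSCRIBE_FORM_SECRET enables can reject a subscription POST sent "without even fetching the page containing the form first". The function names, the SHA-256 HMAC construction, the `MIN_AGE`/`MAX_AGE` limits and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Constructed values for illustration; not Mailman's defaults.
FORM_SECRET = b"constructed-example-secret"
MIN_AGE = 5      # seconds a person plausibly needs to fill in the form
MAX_AGE = 3600   # seconds before an issued form expires


def _mac(issued, listname, remote):
    # Bind the token to issue time, list and client address.
    msg = f"{issued}:{listname}:{remote}".encode()
    return hmac.new(FORM_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(listname, remote, now=None):
    """Run when the subscribe page is rendered; goes into a hidden field."""
    issued = int(time.time() if now is None else now)
    return f"{issued}:{_mac(issued, listname, remote)}"


def check_token(token, listname, remote, now=None):
    """Run when the form is POSTed. Returns (accepted, reason)."""
    now = int(time.time() if now is None else now)
    if not token:
        return False, "missing token: form page was never fetched"
    issued_s, _, mac = token.partition(":")
    try:
        issued = int(issued_s)
    except ValueError:
        return False, "malformed token"
    expected = _mac(issued, listname, remote)
    # Constant-time comparison; bytes avoid errors on non-ASCII input.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False, "bad token: forged, or issued for another list/client"
    age = now - issued
    if age < MIN_AGE:
        return False, "submitted too quickly"
    if age > MAX_AGE:
        return False, "form expired"
    return True, "ok"
```

A script can still fetch the form, wait, and then post, so a token like this raises the cost of blind POSTs but does not replace rate limiting or a CAPTCHA.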