Subscription Requests
![](https://secure.gravatar.com/avatar/1194586fd4442269c560ca23652fdc12.jpg?s=120&d=mm&r=g)
Hello list.
I'm receiving a lot of fake Subscription Requests and spend time to discard them.
how can I "lock" lists not to receive requests except administrator's mass subscription?
how can I mass discard those request from console?
Thank you in advance,
Nikos.
![](https://secure.gravatar.com/avatar/e2371bef92eb40cd7c586e9f2cc75cd8.jpg?s=120&d=mm&r=g)
nikos writes:
Put "^" (without the quotation marks) in Privacy Options | Subscription Policy | ban_list. (It says "list of addresses" but it also permits patterns. "^" is a pattern that matches at the beginning of any string, so it matches all addresses.)
Note that if you want to subscribe an address, even from the Mass Subscription page, you will have to temporarily remove this pattern from the ban_list, subscribe the address, then put the pattern back. Sorry for the inconvenience, but we found that allowing Mass Subscription to override the banlist was vulnerable to "social engineering" where a malicious actor convinces the admin to subscribe them.
There is a script called "discard" in Mailman's mailman/bin directory. cd to the mailman directory (usually /var/lib/mailman or /var/local/lib/mailman), and call "bin/discard qfiles/commands/*". This is safe: if a subscription happens to be in process but is not a held message, it will be ignored.
![](https://secure.gravatar.com/avatar/1194586fd4442269c560ca23652fdc12.jpg?s=120&d=mm&r=g)
On 31/8/2020 6:38 μ.μ., Stephen J. Turnbull wrote:
Thank you for your answer.
I'll try it.
I also find a script called list_requests (http://www.msapiro.net/scripts/list_requests), witch is a good solution for the 2nd question.
Nikos.
![](https://secure.gravatar.com/avatar/cf212b670ff8a10ac08609610c0a6c89.jpg?s=120&d=mm&r=g)
Dear list,
after we installed the reCAPTCHA feature for mailman 2.1.29 users repor an error when using the self sign-on function of some lists:
reCAPTCHA validation failed: missing-input-response
Most lists work well with the new reCAPTCHA feature. Can you help us please?
Thank you in advance, Markus
![](https://secure.gravatar.com/avatar/cf212b670ff8a10ac08609610c0a6c89.jpg?s=120&d=mm&r=g)
Dear Brian, dear list,
Do those lists have customized listinfo pages?
no, i do'nt see any customizations. But I do think the listinfo page is as old as it doesn't contain any reCAPTCHA settings yet. Is that possible? You find an example listlinfo page attached to this mail.
Best regards, Markus
On 03.12.20 13:34, Brian Carpenter wrote:
![](https://secure.gravatar.com/avatar/5e7b1f320a5a2a058af6953b59adc109.jpg?s=120&d=mm&r=g)
Is the reCAPTCHA field showing up the on old listinfo pages? Are they showing up on the new ones? If yes to the latter, then you just need to compare the html code with the old listinfo pages and you will be able to find where to add the missing reCAPTCHA code.
On 12/3/20 9:18 AM, Markus Ludwig Grandpré wrote:
![](https://secure.gravatar.com/avatar/5e7b1f320a5a2a058af6953b59adc109.jpg?s=120&d=mm&r=g)
Look for the following line on those lists without the reCAPTCHA element:
<mm-digest-question-end>
Add the following two lines right below the above line:
<mm-recaptcha-ui> <mm-captcha-ui>
That should reveal reCAPTCHA via the listinfo page for would-be subscribers to check when subscribing.
On 12/3/20 9:48 AM, Markus Ludwig Grandpré wrote:
![](https://secure.gravatar.com/avatar/1f41ce7b88907fcc4ed4ec751fe48241.jpg?s=120&d=mm&r=g)
On 12/3/20 9:02 AM, Brian Carpenter wrote:
Folks:
Sorry for resurrecting an old thread, but I'm trying to get recaptcha working on my site ...
I've got the keys set in my mm_cfg.py file, and have quadruple verified that they are correct ... but for some reason I keep getting the error "reCAPTCHA validation failed: invalid-input-response" when submitting the form.
I'm 99% sure the listinfo.html template is correct.
</tr>
<mm-digest-question-end>
<mm-recaptcha-ui>
<tr>
<td colspan="3">
<center><MM-Subscribe-Button></P></center>
</TABLE>
It renders like this:
<td>Would you like to receive list mail batched in a daily
digest?
</td>
<td><input type=radio name="digest" value="0" CHECKED> No
<input type=radio name="digest" value="1"> Yes
</TD>
</tr>
<tr><td> </td><td>
<noscript>This form requires JavaScript.</noscript>
<script src="https://www.google.com/recaptcha/api.js?hl=en">
</script>
<div class="g-recaptcha"
data-sitekey="6LeN3gwTAAAAABLV8GkJQlgj4YQC7BYHgDkdJLxZ"></div> </td></tr>
<tr>
<td colspan="3">
<center><INPUT type="Submit" name="email-button"
value="Subscribe"></P></center> </TABLE> </FORM>
Any suggestions on what I can do to try and diagnose the problem?
Thanks!
David
-- I'm riding in the American Diabetes Association's Tour de Cure to raise money for diabetes research, education, advocacy, and awareness. You can make a tax-deductible donation to my ride by visiting https://mideml.diabetessucks.net.
You can see where my donations come from by visiting my interactive donation map ... https://mideml.diabetessucks.net/map (it's a geeky thing).
![](https://secure.gravatar.com/avatar/e2371bef92eb40cd7c586e9f2cc75cd8.jpg?s=120&d=mm&r=g)
David Gibbs via Mailman-Users writes:
Hi, David!
I don't use this, so I'm just going to assume Brian's advice was right.
I've got the keys set in my mm_cfg.py file, and have quadruple verified that they are correct ...
OK, so assume they are.
but for some reason I keep getting the error "reCAPTCHA validation failed: invalid-input-response" when submitting the form.
You're missing <mm-captcha-ui> here. I'm pretty sure that is what accepts the input. See comment in rendered output below.
This next comment almost certainly has nothing to do with the CAPTCHA issue (as a text/html or text/xhtml page, browsers are extremely lenient), but if you want to be pedantically correct (and who doesn't? :-) you should delete the unmatched </P> above, and add </td></tr> here (ie, between </center> and </TABLE>).
Notice that although you have the script, there's no <INPUT> element here to accept the user's input. As I mentioned, I'm simply relying on Brian's advice, plus generic knowledge of how most HTML pages are put together, and a bit of guess work, but what do you have to lose by trying, right?
Good luck!
Regards, Steve
![](https://secure.gravatar.com/avatar/1f41ce7b88907fcc4ed4ec751fe48241.jpg?s=120&d=mm&r=g)
On 6/1/21 10:40 AM, Stephen J. Turnbull wrote:
Unless I'm missing something, there is no code in Mailman that replaces 'mm-captcha-ui'.
In Cgi/listinfo.py, there is code that replaces 'mm-recaptcha-ui'
I'm running MM 2.1.29.
david
-- I'm riding in the American Diabetes Association's Tour de Cure to raise money for diabetes research, education, advocacy, and awareness. You can make a tax-deductible donation to my ride by visiting https://mideml.diabetessucks.net.
You can see where my donations come from by visiting my interactive donation map ... https://mideml.diabetessucks.net/map (it's a geeky thing).
![](https://secure.gravatar.com/avatar/1f41ce7b88907fcc4ed4ec751fe48241.jpg?s=120&d=mm&r=g)
On 6/1/21 12:23 PM, David Gibbs wrote:
I think the mm-captcha-ui token is only used for text based captcha's. I'm using recaptcha only.
david
-- I'm riding in the American Diabetes Association's Tour de Cure to raise money for diabetes research, education, advocacy, and awareness. You can make a tax-deductible donation to my ride by visiting https://mideml.diabetessucks.net.
You can see where my donations come from by visiting my interactive donation map ... https://mideml.diabetessucks.net/map (it's a geeky thing).
![](https://secure.gravatar.com/avatar/56f108518d7ee2544412cc80978e3182.jpg?s=120&d=mm&r=g)
On 6/1/21 10:30 AM, David Gibbs via Mailman-Users wrote:
I think the mm-captcha-ui token is only used for text based captcha's. I'm using recaptcha only.
That is correct.
I think your issue may be that your google keys are reCaptcha v3. This MM 2.1 feature requires v2 keys.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
![](https://secure.gravatar.com/avatar/e2371bef92eb40cd7c586e9f2cc75cd8.jpg?s=120&d=mm&r=g)
nikos writes:
Put "^" (without the quotation marks) in Privacy Options | Subscription Policy | ban_list. (It says "list of addresses" but it also permits patterns. "^" is a pattern that matches at the beginning of any string, so it matches all addresses.)
Note that if you want to subscribe an address, even from the Mass Subscription page, you will have to temporarily remove this pattern from the ban_list, subscribe the address, then put the pattern back. Sorry for the inconvenience, but we found that allowing Mass Subscription to override the banlist was vulnerable to "social engineering" where a malicious actor convinces the admin to subscribe them.
There is a script called "discard" in Mailman's mailman/bin directory. cd to the mailman directory (usually /var/lib/mailman or /var/local/lib/mailman), and call "bin/discard qfiles/commands/*". This is safe: if a subscription happens to be in process but is not a held message, it will be ignored.
![](https://secure.gravatar.com/avatar/1194586fd4442269c560ca23652fdc12.jpg?s=120&d=mm&r=g)
On 31/8/2020 6:38 μ.μ., Stephen J. Turnbull wrote:
Thank you for your answer.
I'll try it.
I also find a script called list_requests (http://www.msapiro.net/scripts/list_requests), witch is a good solution for the 2nd question.
Nikos.
![](https://secure.gravatar.com/avatar/cf212b670ff8a10ac08609610c0a6c89.jpg?s=120&d=mm&r=g)
Dear list,
after we installed the reCAPTCHA feature for mailman 2.1.29 users repor an error when using the self sign-on function of some lists:
reCAPTCHA validation failed: missing-input-response
Most lists work well with the new reCAPTCHA feature. Can you help us please?
Thank you in advance, Markus
![](https://secure.gravatar.com/avatar/cf212b670ff8a10ac08609610c0a6c89.jpg?s=120&d=mm&r=g)
Dear Brian, dear list,
Do those lists have customized listinfo pages?
no, i do'nt see any customizations. But I do think the listinfo page is as old as it doesn't contain any reCAPTCHA settings yet. Is that possible? You find an example listlinfo page attached to this mail.
Best regards, Markus
On 03.12.20 13:34, Brian Carpenter wrote:
![](https://secure.gravatar.com/avatar/5e7b1f320a5a2a058af6953b59adc109.jpg?s=120&d=mm&r=g)
Is the reCAPTCHA field showing up the on old listinfo pages? Are they showing up on the new ones? If yes to the latter, then you just need to compare the html code with the old listinfo pages and you will be able to find where to add the missing reCAPTCHA code.
On 12/3/20 9:18 AM, Markus Ludwig Grandpré wrote:
![](https://secure.gravatar.com/avatar/5e7b1f320a5a2a058af6953b59adc109.jpg?s=120&d=mm&r=g)
Look for the following line on those lists without the reCAPTCHA element:
<mm-digest-question-end>
Add the following two lines right below the above line:
<mm-recaptcha-ui> <mm-captcha-ui>
That should reveal reCAPTCHA via the listinfo page for would-be subscribers to check when subscribing.
On 12/3/20 9:48 AM, Markus Ludwig Grandpré wrote:
![](https://secure.gravatar.com/avatar/1f41ce7b88907fcc4ed4ec751fe48241.jpg?s=120&d=mm&r=g)
On 12/3/20 9:02 AM, Brian Carpenter wrote:
Folks:
Sorry for resurrecting an old thread, but I'm trying to get recaptcha working on my site ...
I've got the keys set in my mm_cfg.py file, and have quadruple verified that they are correct ... but for some reason I keep getting the error "reCAPTCHA validation failed: invalid-input-response" when submitting the form.
I'm 99% sure the listinfo.html template is correct.
</tr>
<mm-digest-question-end>
<mm-recaptcha-ui>
<tr>
<td colspan="3">
<center><MM-Subscribe-Button></P></center>
</TABLE>
It renders like this:
<td>Would you like to receive list mail batched in a daily
digest?
</td>
<td><input type=radio name="digest" value="0" CHECKED> No
<input type=radio name="digest" value="1"> Yes
</TD>
</tr>
<tr><td> </td><td>
<noscript>This form requires JavaScript.</noscript>
<script src="https://www.google.com/recaptcha/api.js?hl=en">
</script>
<div class="g-recaptcha"
data-sitekey="6LeN3gwTAAAAABLV8GkJQlgj4YQC7BYHgDkdJLxZ"></div> </td></tr>
<tr>
<td colspan="3">
<center><INPUT type="Submit" name="email-button"
value="Subscribe"></P></center> </TABLE> </FORM>
Any suggestions on what I can do to try and diagnose the problem?
Thanks!
David
-- I'm riding in the American Diabetes Association's Tour de Cure to raise money for diabetes research, education, advocacy, and awareness. You can make a tax-deductible donation to my ride by visiting https://mideml.diabetessucks.net.
You can see where my donations come from by visiting my interactive donation map ... https://mideml.diabetessucks.net/map (it's a geeky thing).
![](https://secure.gravatar.com/avatar/e2371bef92eb40cd7c586e9f2cc75cd8.jpg?s=120&d=mm&r=g)
David Gibbs via Mailman-Users writes:
Hi, David!
I don't use this, so I'm just going to assume Brian's advice was right.
I've got the keys set in my mm_cfg.py file, and have quadruple verified that they are correct ...
OK, so assume they are.
but for some reason I keep getting the error "reCAPTCHA validation failed: invalid-input-response" when submitting the form.
You're missing <mm-captcha-ui> here. I'm pretty sure that is what accepts the input. See comment in rendered output below.
This next comment almost certainly has nothing to do with the CAPTCHA issue (as a text/html or text/xhtml page, browsers are extremely lenient), but if you want to be pedantically correct (and who doesn't? :-) you should delete the unmatched </P> above, and add </td></tr> here (ie, between </center> and </TABLE>).
Notice that although you have the script, there's no <INPUT> element here to accept the user's input. As I mentioned, I'm simply relying on Brian's advice, plus generic knowledge of how most HTML pages are put together, and a bit of guess work, but what do you have to lose by trying, right?
Good luck!
Regards, Steve
![](https://secure.gravatar.com/avatar/1f41ce7b88907fcc4ed4ec751fe48241.jpg?s=120&d=mm&r=g)
On 6/1/21 10:40 AM, Stephen J. Turnbull wrote:
Unless I'm missing something, there is no code in Mailman that replaces 'mm-captcha-ui'.
In Cgi/listinfo.py, there is code that replaces 'mm-recaptcha-ui'
I'm running MM 2.1.29.
david
-- I'm riding in the American Diabetes Association's Tour de Cure to raise money for diabetes research, education, advocacy, and awareness. You can make a tax-deductible donation to my ride by visiting https://mideml.diabetessucks.net.
You can see where my donations come from by visiting my interactive donation map ... https://mideml.diabetessucks.net/map (it's a geeky thing).
![](https://secure.gravatar.com/avatar/1f41ce7b88907fcc4ed4ec751fe48241.jpg?s=120&d=mm&r=g)
On 6/1/21 12:23 PM, David Gibbs wrote:
I think the mm-captcha-ui token is only used for text based captcha's. I'm using recaptcha only.
david
-- I'm riding in the American Diabetes Association's Tour de Cure to raise money for diabetes research, education, advocacy, and awareness. You can make a tax-deductible donation to my ride by visiting https://mideml.diabetessucks.net.
You can see where my donations come from by visiting my interactive donation map ... https://mideml.diabetessucks.net/map (it's a geeky thing).
![](https://secure.gravatar.com/avatar/56f108518d7ee2544412cc80978e3182.jpg?s=120&d=mm&r=g)
On 6/1/21 10:30 AM, David Gibbs via Mailman-Users wrote:
I think the mm-captcha-ui token is only used for text based captcha's. I'm using recaptcha only.
That is correct.
I think your issue may be that your google keys are reCaptcha v3. This MM 2.1 feature requires v2 keys.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
participants (6)
-
Brian Carpenter
-
David Gibbs
-
Mark Sapiro
-
Markus Ludwig Grandpré
-
nikos
-
Stephen J. Turnbull