On 6/13/18, Brian Curley <bpcur...@gmail.com> wrote:
> Doesn't the Fossil site already have a Capcha interface built into it that
> could be adopted to enforce additional authentication around subscriptions?

There are no captchas built into GNU MailMan.  You enter your email
address to subscribe and you get a confirmation email.  Click on a
link in the confirmation email.  Then your subscription goes to
moderation.  After the moderator approves, you are signed up.

The above system works fine to keep nefarious actors out of the subscriber list.

But that is not the problem.  The problem is that the bad guys don't
care about getting onto the subscriber list.  They just want to
generate as many bogus confirmation emails as they can, to harass the
people who are receiving the confirmation emails.

The obvious solution in GNU Mailman would be to only allow a single
confirmation email to go out per email address.  After that one email,
the corresponding email address is never allowed to sign up again.

This simple fix is complicated by several factors:

(1) Nobody seems to want to own the GNU MailMan software.  It is not
well maintained as far as I can see.

(2) MailMan does not seem to use a database other than the filesystem
and perhaps Python Pickle files, at least not that I have found, so
recording extra information such as who has previously requested a
subscription involves major structural changes to the code.

(3) MailMan itself seems to be a collection of scripts that must be
all installed in multiple well-known directories.  It is difficult to
identify what files are part of the MailMan implementation and what
files are not, making maintenance error-prone for people (like me) who
are unfamiliar with where to find all the pieces.

(4) There is a GNU MailMan mailing list, but in my past interactions,
there was nobody there who was willing to help with spam problems.
D. Richard Hipp
sqlite-users mailing list

Reply via email to