Several WMF mailing lists are being spammed with fake subscription requests. WMF is not the first to experience this kind of abuse; Gnome project experienced it in 2014, and eventually found the solution to be as simple as enabling reCAPTCHA on the subscription form (read here and here). I would like to request a similar measure to be enabled for WMF mailman-based listservs.
Although the idea sounds nice I believe it would not prevent all bot-generated subscription requests since sending a <listname>-firstname.lastname@example.org mail as well causes a subscription request.
I support reCAPTCHA. Our CAPTCHA is broken (cf. the ammount of spambots we lock everyday) in adition to other measures such as blocking subscription requests sent to $listname-join or rather make the ban list apply to those. Thanks.
Excellent comment. I think with some email providers you can verify if an email was actually sent by the address it appears to come from (e.g. using DomainKeys Identified Mail with GMail), so we should make sure Mailman checks that.
I also think we need a sysadmin to investigate the recent abuse to determine the source (is it fake subscription emails, or is it GET/POST requests submitted by a bot)
First: I personally like reCAPTCHA, and think it provides a lot of value from a security/abuse PoV. Yet we need to consider carefully whether we can deploy it on Wikimedia projects as it stands.
In addition, data on the interaction with the site is recorded and sent back to Google to assist in making an access control decision. Thus, usage of pages protected by reCAPTCHA is covered under the Google terms of service. From the reCAPTCHA enrolment page:
You acknowledge and understand that the reCAPTCHA API works by collecting hardware and software information, such as device and application data, and sending these data to Google for analysis. The information collected in connection with your use of the service will be used for improving reCAPTCHA and for general security purposes. It will not be used for personalized advertising by Google. Pursuant to Section 3(d) of the Google APIs Terms of Service, you agree that if you use the APIs that it is your responsibility to provide any necessary notices or consents for the collection and sharing of this data with Google. For users in the European Union, you and your API Client(s) must comply with the EU User Consent Policy currently located at http://www.google.com/about/company/user-consent-policy.html.
It's possible that we decide the "less secure" non-JS approach is sufficient. However, we'd have to run this by WMF Legal, and it would probably require a revision to the ToS, or at the very least an addendum for lists.wikimedia.org.
(I also note that this is covered in WP:Perrenial Proposals, but didn't see that until I had already authored the above…)