How to set up email registration


#1

To set up email for Gitea check out the following email providers recommended by Discourse:

Assuming you chose Mailgun do the following:

  1. Add your Gitea domain in Mailgun
  2. Add the Mailgun-suggested DNS records to your domain. Rather than waiting 24-48 hours for DNS propagation look for the button inside Mailgun to check manually from the Mailgun dashboard.
  3. Edit your app.ini file to enable user registrations, email confirmations and set a noreply address. Look in the [services] section for this stuff and reference the Config Cheat Sheet for help.
  4. In the [mailer] section set the following: ENABLED=true, FROM=noreply@git.example.org, USE_SENDMAIL=false, HOST=smtp.mailgun.org:587, USER=[from-mailgun-dashboard], PASSWD=[from-mailgun-dashboard].

Consider also setting ENABLE_NOTIFY_EMAIL while you’re in there, then save and exit app.ini and then (assuming Docker) run a docker container restart [container_id] (available from docker ps).

Test emails can then be sent from the admin configuration settings as suggested here:

If all went well you should receive an email within a few seconds.


#2

You can also send a test email via the admin configuration settings page.



#3

Email registration has been working well and I’ve had a number of users activate accounts. Since updating to 1.5.2 I’ve seen a bunch of bots try and create accounts using various email addresses, some of which seem to be real given two users filed complaints (as reported by Mailgun):

Here’s what the spam accounts look like. I’ll find a way to bulk remove them later but none of them have activated so I’m not particularly concerned about them right now—just sharing for the benefit of others:


#4

@balibebas I know this is slightly off topic for this thread, but if you are concerned about being blocked from mailgun for sending email to these spammers you could use captcha (there is google recaptcha and just a plain built in system too that are options) to prevent these spammers.


#5

Good idea. A PoW-based tiny url might be useful too for accessibility and privacy compared to reCAPTCHA—which I’ve found to be a sometimes unbearable gauntlet when using a socks5 proxy while browsing or traveling in SEA. Here’s a mirror which seems like a fun way to get some practice in with Wireshark while taking some focus off the actual honey.

https://git.habd.as/comfusion/esp8266_honeypot


#6

Also found this super useful feature today:

Since none of the bots were able to activate their accounts I was able to purge about 160 of them with one click. As for where the bots came from who knows.


#7

After three weeks of logging here are some observations about the email spam I’ve collected in case it’s useful for anyone. First, the last two days of logs (2 failures and 1 complaint) visualized:

Parsing the logs the only thing that popped out at me was:

11/05/18 01:01 PM	Complained: mpreal@comcast.net 'Please activate your account'

Which I found on a blacklist here with a mention of WordPress: https://cleantalk.org/blacklists/mpreal@comcast.net

So far all spam accounts use the “SatGuach” postfix in their name. There doesn’t seem to be much rhyme or reason for the emails or domains selected for the attack. Conjecturing perhaps the emails are targeted for a CTP (crack-the-perimeter) op. Just a guess. I sent an email to determine if the Comcast address was legit.
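A way to triage this kind of Mailgun summary log automatically, as an added example that is not part of the original posts: it counts activation mails per hour, collects recipients that filed complaints, and flags recipient fields wrapped in MIME encoded-word syntax or carrying encoded CR/LF. The sample lines, the addresses, the function names and the `per_hour_limit` threshold are all constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the style of the Mailgun summary lines discussed in
# the thread; every address here is made up.
SAMPLE = """\
11/05/18 02:05 PM\tAccepted: noreply@git.example.org → a1@example.com 'Please activate your account'
11/05/18 02:25 PM\tAccepted: noreply@git.example.org → b2@example.net 'Please activate your account'
11/05/18 02:45 PM\tAccepted: noreply@git.example.org → c3@example.com 'Please activate your account'
11/05/18 02:50 PM\tComplained: a1@example.com 'Please activate your account'
11/05/18 03:10 PM\tAccepted: noreply@git.example.org → =?UTF-8?q?d4@example.com=0d=0a?= 'Please activate your account'
11/05/18 03:30 PM\tAccepted: noreply@git.example.org → dev@example.org '[repo] Issue title (#7)'
"""
LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d [AP]M)\s+(?P<event>[A-Za-z. ]+?):\s+"
    r"(?:\S+ → )?(?P<rcpt>\S+)\s+['‘](?P<subject>[^'’]*)['’]"
)
# Encoded-word wrapper or encoded CR/LF inside an address field means the
# signup form was fed header-style input rather than a plain mailbox.
INJECTION = re.compile(r"=\?|=0d|=0a", re.IGNORECASE)
ACTIVATION = "Please activate your account"


def parse(text):
    """Yield (timestamp, event, recipient, subject) for each matching line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%m/%d/%y %I:%M %p")
            yield ts, m["event"], m["rcpt"], m["subject"]


def triage(text, per_hour_limit=2):
    """Summarise activation-mail abuse signals found in the log text."""
    per_hour, complained, malformed = Counter(), set(), set()
    for ts, event, rcpt, subject in parse(text):
        if subject != ACTIVATION:
            continue  # ordinary notification mail, not a signup
        if event == "Complained":
            complained.add(rcpt)
        elif event == "Accepted":
            per_hour[ts.strftime("%Y-%m-%d %H:00")] += 1
            if INJECTION.search(rcpt):
                malformed.add(rcpt)
    bursts = {hour: n for hour, n in per_hour.items() if n > per_hour_limit}
    return {"bursts": bursts, "complained": complained, "malformed": malformed}
```

Addresses in `complained` and `malformed` are candidates for a suppression list, and a non-empty `bursts` is a cue to enable a captcha or pause open registration.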