[spike] verify how to prevent self-registration on mailman3 instance (outside of allowing FAS/ACO accounts)

We recently got some AI bots registering to mailman3 instances (and that affects also Fedora instance), and then posting AI slops/advertising on really old threads. The post initially looks like genuine mail, describing things discussed in the old thread, but suddenly deviates to url links, etc

Some investigation is needed to fight against this and maybe the first/easy step would be to just disable signing up operation/api on mailman3, while still allowing registered users through social accounts (we only allow FAS/ACO through oauth2) to login (and also create corresponding account at the back if logging in for the first time)