On Sun, 14 Aug 2016, at 01:14 AM, John R Levine wrote:
> Maybe it's just me, but if I were running a free mail service, I would
> make it harder for random strangers to sign up and send mail
> like this.
Interesting, do tell us what you would do. Because this is what
happened:
1. You signed up for a new FastMail account. In doing so you completed
the Google CAPTCHA and were assessed by eHawk[1] risk analysis which
did not find this signup suspicious.
2. You then verified an SMS number. Getting one SMS number is easy.
Getting a large number though is expensive relative to the gain you
are likely to achieve from sending spam.
3. You sent a single uniquely written message via our web interface.
This was spam-scanned going out and unsurprisingly passed (your own
incoming spam filtering also found it unremarkable, I notice from the
headers). Trial accounts are of course rate limited heavily in
addition to outgoing spam scanning.
So I'm curious: what else would you do, as a hosted mailbox service, to
stop *a single spam message* from ever being sent successfully by a
spammer from a FastMail account to (say) a Gmail account that the
spammer also controls, so he or she can then use that message in a DKIM
replay attack?
Regards,
Neil
Links:
1. http://e-hawk.net/
_______________________________________________
mailop mailing list
[email protected]
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
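To make concrete why a single legitimately sent message is enough for the DKIM replay attack Neil refers to, here is an added illustration (not code from the thread, FastMail, or Gmail). It implements RFC 6376 relaxed/relaxed canonicalization and bottom-up header selection, but replaces the RSA signature with an HMAC over the same hash input keyed with a constructed secret, so it runs on the standard library alone; the a= value "hmac-sha256" is therefore a stand-in, not a real DKIM algorithm, and the addresses, domain, selector and message are constructed. It then shows which variants of the replayed message still verify, and what the signer can do about it (oversigning the To: header and a short x= expiry):

```python
"""DKIM replay in miniature: sign a message with RFC 6376 relaxed/relaxed
canonicalization, then check which replays of it still verify.

Added example, not from the mailop thread. RSA is replaced by an HMAC
keyed with a constructed secret; "hmac-sha256" is not a real DKIM a= value.
"""
import base64
import hashlib
import hmac
import re

SECRET = b"constructed-demo-key"  # stand-in for the signer's RSA private key


def relaxed_header(name, value):
    """RFC 6376 3.4.2: lowercase name, unfold, collapse WSP, strip ends."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"


def relaxed_body(body):
    """RFC 6376 3.4.4: collapse WSP per line, drop trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n") if lines else ""


def body_hash(body):
    return base64.b64encode(hashlib.sha256(relaxed_body(body).encode()).digest()).decode()


def hash_input(headers, signed, sig_value):
    """Data the signature covers: each h= name resolved bottom-up
    (RFC 6376 5.4.2), then the DKIM-Signature field with an empty b=.
    A name listed in h= with no header left contributes nothing; that is
    what lets oversigning pin a header which does not exist yet.
    The SMTP envelope (MAIL FROM / RCPT TO) is never part of this input."""
    remaining = {}
    for name, value in headers:
        remaining.setdefault(name.lower(), []).append(value)
    data = ""
    for name in signed:
        if remaining.get(name):
            data += relaxed_header(name, remaining[name].pop())
    data += relaxed_header("DKIM-Signature", sig_value).rstrip("\r\n")
    return data.encode()


def sign(headers, body, now, signed=("from", "to", "subject", "date"), expires=None):
    tags = [("v", "1"), ("a", "hmac-sha256"), ("c", "relaxed/relaxed"),
            ("d", "mail.example"), ("s", "s1"), ("h", ":".join(signed)),
            ("t", str(now)), ("bh", body_hash(body))]
    if expires is not None:
        tags.append(("x", str(expires)))
    tags.append(("b", ""))
    sig_value = "; ".join(f"{k}={v}" for k, v in tags)
    mac = hmac.new(SECRET, hash_input(headers, signed, sig_value), hashlib.sha256).digest()
    return sig_value + base64.b64encode(mac).decode()


def verify(headers, body, dkim_signature, now):
    tags = dict(t.strip().split("=", 1) for t in dkim_signature.split(";") if t.strip())
    if "x" in tags and now > int(tags["x"]):
        return False  # signature expired (x= tag)
    if tags["bh"] != body_hash(body):
        return False  # body altered
    unsigned = "; ".join(f"{k}={v}" for k, v in tags.items() if k != "b") + "; b="
    expected = hmac.new(SECRET, hash_input(headers, tags["h"].split(":"), unsigned),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, base64.b64decode(tags["b"]))


def replay_demo():
    """Constructed scenario: one message sent via webmail to a mailbox the
    spammer controls, then re-injected to many other recipients."""
    headers = [("From", "someone@mail.example"),
               ("To", "dropbox@other.example"),
               ("Subject", "Great offer"),
               ("Date", "Sun, 14 Aug 2016 01:00:00 +0000")]
    body = "Click here.\r\n"
    t0 = 1471136400
    results = {}
    sig = sign(headers, body, now=t0)
    # Same headers and body, only the RCPT TO differs: still verifies.
    results["replay_verifies"] = verify(headers, body, sig, now=t0 + 3600)
    # A prepended To: (the one the MUA displays) is not the bottom-most
    # To:, so a single "to" in h= never looks at it.
    spoofed = [("To", "victim@target.example")] + headers
    results["added_to_verifies"] = verify(spoofed, body, sig, now=t0 + 3600)
    # Oversigning "to" pins the absence of a second To: header.
    over = sign(headers, body, now=t0, signed=("from", "to", "to", "subject", "date"))
    results["oversigned_added_to_verifies"] = verify(spoofed, body, over, now=t0 + 3600)
    results["oversigned_replay_verifies"] = verify(headers, body, over, now=t0 + 3600)
    # A short x= expiry makes a bulk replay a day later fail to verify.
    short = sign(headers, body, now=t0, expires=t0 + 600)
    results["expired_replay_verifies"] = verify(headers, body, short, now=t0 + 86400)
    results["edited_body_verifies"] = verify(headers, body + "PS\r\n", sig, now=t0 + 3600)
    return results


if __name__ == "__main__":
    for name, ok in replay_demo().items():
        print(f"{name}: {ok}")
```

The first two results are the point of the thread: nothing the mailbox provider signs distinguishes the original delivery from the replay, because the envelope is outside the signature and an extra To: header at the top of the message is invisible to a non-oversigned h= list. Oversigning and a short x= limit the damage after the fact; neither stops the first message from being sent, which is what Neil's question is about.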