I think I'd start by not letting random people sign up as [email protected]
-- 
Security Desk
[email protected]

On Sat, Aug 13, 2016, at 03:50 PM, Neil Jenkins wrote:
> On Sun, 14 Aug 2016, at 01:14 AM, John R Levine wrote:
>> Maybe it's just me, but if I were running a free mail service, I would
>> make it harder for random strangers to sign up and send mail like this.
>
> Interesting, do tell us what you would do. Because this is what
> happened:
>
> 1. You signed up for a new FastMail account. In doing so you completed
>    the Google CAPTCHA and were assessed by eHawk[1] risk analysis which
>    did not find this signup suspicious.
> 2. You then verified an SMS number. Getting one SMS number is easy.
>    Getting a large number though is expensive relative to the gain you
>    are likely to achieve from sending spam.
> 3. You sent a single uniquely written message via our web interface.
>    This was spam-scanned going out and unsurprisingly passed (your own
>    incoming spam filtering also found it unremarkable I notice from the
>    headers). Trial accounts are of course rate limited heavily in
>    addition to outgoing spam scanning.
>
> So I'm curious: what else would you do, as a hosted mailbox service, to
> stop *a single spam message* from ever being sent successfully by a
> spammer from a FastMail account to (say) a Gmail account that the
> spammer also controls, so he or she can then use that message in a DKIM
> replay attack?
>
> Regards,
>
> Neil
>
> _______________________________________________
> mailop mailing list
> [email protected]
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Links:
1. http://e-hawk.net/
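The DKIM replay attack Neil refers to works because the signature travels with the message and does not cover the envelope recipients, so one legitimately signed message can be re-sent to many mailboxes. As an added example that is not part of the thread, this Python snippet parses a constructed DKIM-Signature header (placeholder d=, bh= and b= values) and reports the two signer-side controls that shorten the replay window: an x= expiration tag and oversigned To/Cc/Subject fields, i.e. listing a header name in h= more times than it occurs (RFC 6376) so a replayed copy cannot add those headers without breaking the signature.

```python
from typing import Dict

# Constructed sample DKIM-Signature value, not taken from the thread; the
# bh= and b= values are placeholders because only the tag structure matters.
SAMPLE_DKIM_SIG = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
    "t=1471097400; x=1471101000; "
    "h=from:to:to:cc:cc:subject:date:message-id; "
    "bh=PLACEHOLDER_BODY_HASH=; b=PLACEHOLDER_SIGNATURE="
)

REPLAY_SENSITIVE = ("to", "cc", "subject")


def parse_dkim_tags(header_value: str) -> Dict[str, str]:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list)."""
    tags: Dict[str, str] = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        # Folding whitespace inside a value (typically b=) is not significant.
        tags[name.strip()] = "".join(value.split())
    return tags


def replay_resistance(tags: Dict[str, str], now: int) -> Dict[str, object]:
    """Report whether the signature has expired (x=), how long it was valid
    for (x= minus t=), and which replay-sensitive headers are oversigned."""
    signed = [h.lower() for h in tags.get("h", "").split(":") if h]
    oversigned = [h for h in REPLAY_SENSITIVE if signed.count(h) >= 2]
    expires = int(tags["x"]) if "x" in tags else None
    signed_at = int(tags["t"]) if "t" in tags else None
    lifetime = None
    if expires is not None and signed_at is not None:
        lifetime = expires - signed_at
    return {
        "expired": expires is not None and now > expires,
        "lifetime_seconds": lifetime,
        "oversigned_headers": oversigned,
        "missing_oversign": [h for h in REPLAY_SENSITIVE if h not in oversigned],
    }


if __name__ == "__main__":
    sig = parse_dkim_tags(SAMPLE_DKIM_SIG)
    print(replay_resistance(sig, now=1471097500))
```

A verifier cannot stop a replayed copy that arrives inside the x= window, so the lifetime and oversigning here are damage limitation on the signer's side, complementing the signup and rate-limiting controls described in the thread.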
