Re: [Mailman-Users] Distributed mass subscribe attack?
On 08/18/2017 11:07 AM, Phil Stracchino wrote:
> I second this. It is a legitimate part of compliant email addresses, no
> matter how many web stores seem to believe otherwise (or are merely
> unaware of it).

I third this.

I love user+detail but HATE that poorly designed web forms balk at +, and
have been forced to do something else for user+detail like functionality.

--
Grant. . . .
unix || die

--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] Distributed mass subscribe attack?
On 08/18/17 12:25, tlhackque via Mailman-Users wrote:
> On 17-Aug-17 16:47, Andy Cravens wrote:
>> David,
>>
>> I forgot to mention I’m also working on a modsecurity rule to look at all
>> POSTs and reject if they contain an email address with a + sign.
>
> I understand the drive to suppress an attack. However, + is valid in
> e-mail addresses. It's frequently used by people to set up auto-filing
> rules, and/or to track the source of addresses harvested for SPAM.
>
> I strongly discourage any service provider from defining what formats of
> e-mail addresses are acceptable. Such definitions, however
> well-intentioned, are almost always wrong - and effectively blindly deny
> service.

I second this. It is a legitimate part of compliant email addresses, no
matter how many web stores seem to believe otherwise (or are merely
unaware of it).

> If an address is valid per RFC822 (2822, 5322, ...), accept it.

This.

> No matter what you do, the spammers will adapt, eventually. But unless
> you're a particularly appealing target, they're likely to move on if you
> do almost anything unusual.

One of your best first lines of defense is don't be the low-hanging fruit.

--
Phil Stracchino
Babylon Communications
ph...@caerllewys.net
p...@co.ordinate.org
Landline: +1.603.293.8485
Mobile: +1.603.998.6958
Re: [Mailman-Users] Distributed mass subscribe attack?
On 17-Aug-17 16:47, Andy Cravens wrote:
> David,
>
> I forgot to mention I’m also working on a modsecurity rule to look at all
> POSTs and reject if they contain an email address with a + sign.

I understand the drive to suppress an attack. However, + is valid in
e-mail addresses. It's frequently used by people to set up auto-filing
rules, and/or to track the source of addresses harvested for SPAM.

I strongly discourage any service provider from defining what formats of
e-mail addresses are acceptable. Such definitions, however
well-intentioned, are almost always wrong - and effectively blindly deny
service. We've seen this with hardcoded lists of TLDs (there'll never be
more than 13. + CC TLDs. + IDN + freemarket...). And every variety of
mailbox name format restriction - character set, length, "bad words", ...

If an address is valid per RFC822 (2822, 5322, ...), accept it.

But by all means use other approaches to suppress attacks. Captchas are
probably your best shot. Rate limiting can help. You can use (imperfect)
filtering by geolocating by IP address - if your client base doesn't
include the whole world. Other tricks include telling the user to wait a
minute or two before clicking submit; discard or require re-submission of
early responses. Bots won't do that.

No matter what you do, the spammers will adapt, eventually. But unless
you're a particularly appealing target, they're likely to move on if you
do almost anything unusual.
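An added illustration of the approach recommended in the message above (example code written for this archive page; it is not Mailman code and not from any poster): accept whatever the standard library parses as an RFC 5322 addr-spec, plus sign included, and put the anti-bot effort into a minimum form age and a per-client rate limit instead. The class name, thresholds and reason strings are my own assumptions.

```python
import time
from collections import defaultdict, deque
from email.errors import HeaderParseError
from email.headerregistry import Address


def is_valid_addr_spec(addr: str) -> bool:
    """True if addr parses as exactly one RFC 5322 addr-spec (stdlib parser).

    "user+detail@example.com" is accepted: '+' is ordinary atext.
    Deliverability is not judged here; the confirmation mail does that.
    """
    try:
        Address(addr_spec=addr)  # raises on leftover text or any defect
    except (HeaderParseError, ValueError, IndexError):
        return False
    return True


class SubscribeScreen:
    """Form-age and per-client rate checks for a subscribe endpoint.

    Thresholds are assumed values for illustration, not Mailman settings.
    """

    def __init__(self, min_form_age=60.0, max_attempts=5, window=600.0):
        self.min_form_age = min_form_age     # seconds a human is asked to wait
        self.max_attempts = max_attempts     # submits allowed per client/window
        self.window = window                 # seconds
        self._attempts = defaultdict(deque)  # client -> accepted submit times

    def _rate_limited(self, client, now):
        q = self._attempts[client]
        while q and now - q[0] > self.window:
            q.popleft()                      # forget attempts outside window
        if len(q) >= self.max_attempts:
            return True
        q.append(now)
        return False

    def check(self, addr, client, form_issued_at, now=None):
        """Return (accepted, reason). A '+' in addr is never a reason."""
        now = time.time() if now is None else now
        if not is_valid_addr_spec(addr):
            return False, "malformed address"
        if now - form_issued_at < self.min_form_age:
            return False, "submitted too early; please resubmit"
        if self._rate_limited(client, now):
            return False, "too many attempts; try later"
        return True, "ok"
```

The form-age check assumes the server records when it issued the form (for example in a signed hidden field) and compares against the submit time; early submissions are bounced for re-submission, as the message suggests.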
Re: [Mailman-Users] Distributed mass subscribe attack?
On 8/17/17 3:47 PM, Andy Cravens wrote:
> I forgot to mention I’m also working on a modsecurity rule to look at all
> POSTs and reject if they contain an email address with a + sign.

I'm interested in both your recaptcha mod & mod_security rule ... please
post (or contact me privately) when you make some progress.

If you're interested in my MM mod, let me know.

david

--
IBM i on Power Systems: For when you can't afford to be out of business!

I'm riding a metric century (100 km / 65 miles) in the American Diabetes
Association's Tour de Cure to raise money for diabetes research, education,
advocacy, and awareness. You can make a tax deductible donation to my ride
by visiting http://gmane.diabetessucks.net. My goal is $6000 but any amount
is appreciated. You can see where my donations come from by visiting my
interactive donation map ... http://gmane.diabetessucks.net/map (it's a
geeky thing).

I may have diabetes, but diabetes doesn't have me!