On 17-Aug-17 16:47, Andy Cravens wrote:
> David,
>
> I forgot to mention I’m also working on a modsecurity rule to look at all POSTs
> and reject if they contain an email address with a + sign.

I understand the drive to suppress an attack. However, + is valid in e-mail addresses. It's frequently used by people to set up auto-filing rules, and/or to track the source of addresses harvested for SPAM.
I strongly discourage any service provider from defining what formats of e-mail addresses are acceptable. Such definitions, however well-intentioned, are almost always wrong - and effectively blindly deny service. We've seen this with hardcoded lists of TLDs (there'll never be more than 13. + CC TLDs. + IDN + freemarket...). And every variety of mailbox name format restriction - character set, length, "bad words", ...

If an address is valid per RFC822 (2822, 5322, ...), accept it.

But by all means use other approaches to suppress attacks. Captchas are probably your best shot. Rate limiting can help. You can use (imperfect) filtering by geolocating by IP address - if your client base doesn't include the whole world. Other tricks include telling the user to wait a minute or two before clicking submit; discard or require re-submission of early responses. Bots won't do that.

No matter what you do, the spammers will adapt, eventually. But unless you're a particularly appealing target, they're likely to move on if you do almost anything unusual.

------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
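As an added illustration of the point made in the reply above (this is example code written for this page, not code from either poster or from modsecurity), the following checks addresses against the RFC 5322 addr-spec dot-atom grammar, in which `+` is an ordinary `atext` character, and contrasts it with a blanket "reject any address containing `+`" rule. The domain grammar (DNS hostname labels with at least one dot), the RFC 5321 length limits, the sample addresses and the function names are all assumptions of this example; quoted-string local parts and `[domain-literal]` forms, which RFC 5322 also allows, are deliberately left out.

```python
"""Added example: RFC 5322 dot-atom address check versus a blanket '+' ban."""
import re

# RFC 5322 section 3.2.3 "atext": ALPHA / DIGIT / the listed specials.
# Note that '+' is one of them, so "user+tag@example.com" is a valid address.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
# dot-atom-text = 1*atext *("." 1*atext): no leading, trailing or doubled dots.
DOT_ATOM = rf"{ATEXT}+(?:\.{ATEXT}+)*"
# Assumption for this example: domain part is DNS hostname labels with at
# least one dot. Quoted local parts and [domain-literal] forms are not handled.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
DOMAIN = rf"{LABEL}(?:\.{LABEL})+"
ADDR_SPEC = re.compile(rf"^({DOT_ATOM})@({DOMAIN})$")


def is_valid_addr_spec(addr: str) -> bool:
    """True if addr matches the dot-atom addr-spec grammar and length limits."""
    m = ADDR_SPEC.match(addr)
    if not m:
        return False
    local, _domain = m.groups()
    # RFC 5321 limits: 64 octets for the local part, 254 for the whole address.
    return len(local) <= 64 and len(addr) <= 254


def naive_reject_plus(addr: str) -> bool:
    """The rule discussed in the thread: accept only if there is no '+' at all."""
    return "+" not in addr


def split_subaddress(addr: str):
    """Return (mailbox, tag, domain); tag is '' when no '+' sub-address is used."""
    local, domain = addr.rsplit("@", 1)
    mailbox, _sep, tag = local.partition("+")
    return mailbox, tag, domain


def classify(addresses):
    """Run both checks and collect the valid addresses the '+' ban would drop."""
    result = {"valid": [], "invalid": [], "valid_but_blocked_by_plus_rule": []}
    for addr in addresses:
        if is_valid_addr_spec(addr):
            result["valid"].append(addr)
            if not naive_reject_plus(addr):
                result["valid_but_blocked_by_plus_rule"].append(addr)
        else:
            result["invalid"].append(addr)
    return result


# Constructed sample of addresses as they might arrive in form POSTs.
SAMPLE_POSTS = [
    "user+news@example.com",          # valid, uses a '+' filing tag
    "first.last@sub.example.org",     # valid, no tag
    "jane+shop2017@mail.example.org", # valid, tag tracks the address source
    "bad..dots@example.com",          # invalid: doubled dot in local part
    "noatsign.example.com",           # invalid: no '@'
    "user@localhost",                 # invalid under this example's domain rule
]

if __name__ == "__main__":
    report = classify(SAMPLE_POSTS)
    for key, addrs in report.items():
        print(f"{key}: {addrs}")
    for addr in report["valid_but_blocked_by_plus_rule"]:
        print("sub-address parts:", split_subaddress(addr))
```

Running it shows that two of the three well-formed addresses in the sample would be turned away by the `+` ban, which is the "blindly deny service" outcome the reply warns about; the grammar check rejects only the genuinely malformed inputs.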