On 08/18/17 12:25, tlhackque via Mailman-Users wrote:
> On 17-Aug-17 16:47, Andy Cravens wrote:
>>
>> David,
>>
>> I forgot to mention I’m also working on a modsecurity rule to look at all
>> POSTs and reject if they contain an email address with a + sign.
>>
> I understand the drive to suppress an attack. However, + is valid in
> e-mail addresses. It's frequently used by people to set up auto-filing
> rules, and/or to track the source of addresses harvested for SPAM.
>
> I strongly discourage any service provider from defining what formats of
> e-mail addresses are acceptable. Such definitions, however
> well-intentioned, are almost always wrong - and effectively blindly deny
> service.

I second this. It is a legitimate part of compliant email addresses, no matter how many web stores seem to believe otherwise (or are merely unaware of it).

> If an address is valid per RFC822 (2822,5322, ...), accept it.

This.

> No matter what you do, the spammers will adapt, eventually. But unless
> you're a particularly appealing target, they're likely to move on if you
> do almost anything unusual.

One of your best first lines of defense is don't be the low-hanging fruit.

--
Phil Stracchino
Babylon Communications
ph...@caerllewys.net
p...@co.ordinate.org
Landline: +1.603.293.8485
Mobile: +1.603.998.6958
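
The point made in the message above, that `+` is a legal local-part character and a blanket filter turns away valid addresses, shown as an added example that is not part of the original message: a syntax check built on the RFC 5322 `atext` set, compared with the proposed "reject any +" rule. The function names and sample addresses are constructed for illustration; domain literals, comments and obsolete forms are not handled.

```python
import re

# atext from RFC 5322 section 3.2.3; "+" is a member of the set.
ATEXT = r"A-Za-z0-9!#$%&'*+/=?^_`{|}~-"
DOT_ATOM = re.compile(rf"[{ATEXT}]+(?:\.[{ATEXT}]+)*")
# Quoted local part: qtext or space, or a backslash-escaped printable character.
QUOTED = re.compile(r'"(?:[\x20\x21\x23-\x5b\x5d-\x7e]|\\[\x20-\x7e])*"')
# Host name label: letters, digits, inner hyphens, at most 63 characters.
LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def is_valid_addr_spec(addr: str) -> bool:
    """Syntax check for local-part@domain (host name domains only)."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return False
    if len(local) > 64 or len(domain) > 255:  # RFC 5321 size limits
        return False
    if not (DOT_ATOM.fullmatch(local) or QUOTED.fullmatch(local)):
        return False
    return all(LABEL.fullmatch(label) for label in domain.split("."))


def blanket_plus_filter(addr: str) -> bool:
    """The proposed rule: accept only addresses without a '+'."""
    return "+" not in addr


def wrongly_rejected(addresses):
    """Syntactically valid addresses that the blanket filter turns away."""
    return [a for a in addresses
            if is_valid_addr_spec(a) and not blanket_plus_filter(a)]


# Constructed sample input, not taken from any real traffic.
SAMPLES = [
    "alice+lists@example.org",           # valid, sub-addressed
    "bob@example.org",                   # valid, no tag
    "carol+shop-2017@mail.example.com",  # valid, sub-addressed
    "dave..x@example.org",               # invalid: empty atom between dots
    "+mallory@@example.org",             # invalid: unquoted "@" in local part
]

if __name__ == "__main__":
    for addr in wrongly_rejected(SAMPLES):
        print("valid address denied by the + filter:", addr)
```
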