Hi Mark,

My main intent with my response was simply to let y’all know that we are aware 
of and acting on the phishing. But, I’ll take a moment to address your response 
as well since you took the time to offer some tips.

We offer many or most of (or at least similar) features to what you’ve 
mentioned on a per-account basis within Mandrill. We’ve recommended MFA for 
user logins in both Mandrill and Mailchimp for years. There are also other 
anti-abuse mechanisms that sit above user accounts that are being tweaked to 
help address this as well. Obviously when we identify a compromised Mandrill 
account, in addition to disabling the API key, we strongly advise that they 
enable as many of the additional security features as practical to prevent 
future abuse.

Rest assured that we have some of the best security and anti-abuse people 
around working on this. We take any abuse of our systems and users very 
seriously.

Thanks,
Matt Gilbert
--
Deliverability Engineer | Mailchimp
delivery.mailchimp.com


> On Feb 27, 2019, at 4:07 PM, Mark Foster <blak...@blakjak.net> wrote:
> 
> Forgive my ignorance, but for anything user-interactive, can you mandate
> MFA and/or comment on the viability and/or success in doing so?
> 
> For API interaction, can you mix both keys and credentials or use some
> other method for achieving similar ends?
> 
> What about other sorts of controls, (for example perhaps) geo-locking of
> user accounts and/or API interfaces so that their sudden use from another
> country is at least logged/flagged, if not blocked outright?
> 
> Obviously, generating spam via a compromised account is extremely common
> and makes mail systems accessible from anywhere very attractive; in the
> userspace we recommend MFA as a significant control for compromised
> credentials. I'll admit to being less familiar with the applicability of
> this approach for anything API driven. But for a commercial mail-sending
> operation these sorts of controls would seem to be becoming more and more
> relevant, as the impact of a reputation hit on your IP ranges, etc., is
> much more far-reaching than a private system?
> 
> Cheers
> Mark.
> 
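The geo-flagging control Mark asks about above, as an added illustration that is not code from either poster or from Mailchimp/Mandrill: a detector that learns which countries each API key is normally used from and flags (or, for keys with a hard geo-lock, blocks) calls from anywhere else. The log format, field names and key ids are constructed for this example and are not Mandrill's real log format.

```python
import json
from collections import defaultdict

# Constructed sample log: one JSON record per API call. The field names
# (key, ts, country) are assumed for this example, not Mandrill's own format.
SAMPLE_LOG = """\
{"key": "k-1", "ts": "2019-02-27T10:00:00Z", "country": "US"}
{"key": "k-1", "ts": "2019-02-27T10:05:00Z", "country": "US"}
{"key": "k-2", "ts": "2019-02-27T10:06:00Z", "country": "NZ"}
{"key": "k-1", "ts": "2019-02-27T10:07:00Z", "country": "RU"}
{"key": "k-1", "ts": "2019-02-27T10:08:00Z", "country": "RU"}
{"key": "k-2", "ts": "2019-02-27T11:00:00Z", "country": "US"}
{"key": "k-2", "ts": "2019-02-27T11:30:00Z", "country": "NZ"}
"""

def geo_anomalies(log_text, locks=None):
    """Flag or block API calls made from a country the key has not used before.

    locks: optional {key: set_of_countries}. A key with a lock list is 'blocked'
    when used from any other country (hard geo-lock). Keys without a lock list
    build a baseline from the countries they are observed in; a call from a
    country outside that baseline is 'flagged', and the new country is NOT
    added to the baseline, so a compromised key cannot silently teach the
    detector its new location.
    """
    locks = locks or {}
    baseline = defaultdict(set)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        key, country, ts = rec["key"], rec["country"], rec["ts"]
        if key in locks:
            if country not in locks[key]:
                alerts.append({"key": key, "ts": ts, "country": country, "action": "blocked"})
            continue
        if baseline[key] and country not in baseline[key]:
            alerts.append({"key": key, "ts": ts, "country": country, "action": "flagged"})
            continue
        baseline[key].add(country)
    return alerts

if __name__ == "__main__":
    # k-2 is hard-locked to NZ; k-1 only has a learned baseline.
    for alert in geo_anomalies(SAMPLE_LOG, locks={"k-2": {"NZ"}}):
        print(alert)
```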

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop