Glorious spam, wonderful spam
46 views
Skip to first unread message
Tony Garnock-Jones
Oct 14, 2020, 4:01:55 AM10/14/20
to Racket Developers
I get bounces and delivery-delay notifications from the package-server
account signup/login system.
I am seeing a vast number of failed and delayed registration/login
emails to suspicious-looking email addresses recently.
I suspect we might be under spammer attack :-(
We could do a few things:
1. switch to "log in with github", "log in with google", etc.
2. add a dumb domain-specific captcha like "(foldl + 0 '(1 2 3)) = ?"
3. add recaptcha
I don't very much like 3 because eww, who wants to help train
murderbots? I don't know if 2 will help, either in the short or long
term. Picking 1 will turn people off and is generally a bit exclusionary.
But I think 1 is likely the best option all around. Get someone else to
do the expensive heavy lifting.
Tricky problem. (Hard to imagine what the spammers are getting out of
this, if even they're there... Perhaps step 0 is to keep better logs of
what's going on in the system.)
Tony
account signup/login system.
I am seeing a vast number of failed and delayed registration/login
emails to suspicious-looking email addresses recently.
I suspect we might be under spammer attack :-(
We could do a few things:
1. switch to "log in with github", "log in with google", etc.
2. add a dumb domain-specific captcha like "(foldl + 0 '(1 2 3)) = ?"
3. add recaptcha
I don't very much like 3 because eww, who wants to help train
murderbots? I don't know if 2 will help, either in the short or long
term. Picking 1 will turn people off and is generally a bit exclusionary.
But I think 1 is likely the best option all around. Get someone else to
do the expensive heavy lifting.
Tricky problem. (Hard to imagine what the spammers are getting out of
this, if even they're there... Perhaps step 0 is to keep better logs of
what's going on in the system.)
Tony
Ryan Kramer
Oct 15, 2020, 5:30:50 PM10/15/20
to Racket Developers
Based on some recent experience maintaining a public-facing website, I would
figure out if the spammers are actually getting anything useful. If not,
they're probably just probing for a weakness and will quit in a few
hours (or maybe days) when they learn there's nothing to be gained. This happened to me on a few occasions. Also, if all the requests are coming from the same IP, you could block that IP for a week and they'll probably quit.
I've recently been working with AWS Cognito and it might be another option. It supports signing up with an email address which Cognito will verify (when configured to do so). The AWS free tier includes up to 50,000 monthly active users.
Cognito also allows people to log in with Facebook/Google/Apple/Amazon, and adding Github would probably be pretty easy. I haven't personally gotten this far yet, but I think these users are also included in the 50,000 free tier limit.
In about a month, I should have time to work on this if it sounds viable and desirable to whomever would make that decision.
Reply all
Reply to author
Forward
0 new messages