I'm thinking through a mischief denial-of-service scenario that seems too easy to employ.

Your web-site validates email addresses for new users on sign-up.

  1. A rogue party (a competitor) performs sign-ups using honeypot email addresses.
  2. Your server sends its confirmation emails to the honeypot addresses.
  3. Your server gets marked as a spammer, then none of your emails go through. (Denial of service.)

How do you counter this?

If a list of honeypot emails is available, the spammers would use it.

Is there a way even to detect this? Do gmail or vendors in this realm have ways you can check your domain, or appeal?

Others asking about being mis-identified as spammers are asking about bulk sending, not relevant. (There's a reference to openspf.org "Sender Policy Framework" but that site's dead.)

JimB
  • Of course you can appeal a reputation score from phish pots. This is a core function of their services. Have you looked up a phish/spam pot to see how they work? – schroeder Jun 06 '22 at 12:31

1 Answer

This is called list bombing. If your server is facilitating a list bomb, that is indeed your fault.

Put safeguards on your website to avoid abuse. For example, no single IP should be able to input too many emails in a certain amount of time (though you do have to consider larger NATs). Consider increasingly difficult captchas to correspond to increasing volume matching an IP (or a tight CIDR) plus a hard cutoff that prevents a higher threshold of subscriptions per hour.

Regarding the old OpenSPF.org site: Sender Policy Framework (SPF) won't help you here; it's an unrelated technology that, with DMARC, can prevent spoofing. List bombs aren't spoofed.

Adam Katz
  • Accepting this for the expertise here and for putting me on the right track. Thanks! @schroeder's comment also was key in finding mistaken listings appeal pages https://www.projecthoneypot.org/contact_us.php?ft=Mistaken Listing. Many thanks to you both. – JimB Jun 11 '22 at 13:13
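The safeguard the answer describes (a per-IP or per-CIDR sign-up budget, captchas that get harder as volume rises, and a hard cutoff per hour) can be implemented as a sliding-window throttle in front of the confirmation-email step. The following is an added example, not code from the answer or from any particular project; the window length, the free allowance, the captcha escalation step, the hard cutoff and the /24 and /64 grouping are assumed values chosen for illustration, and the IP addresses in the usage are constructed from documentation ranges.

```python
import ipaddress
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    """What the sign-up handler should do before sending a confirmation email."""
    action: str            # "allow", "captcha" or "block"
    captcha_level: int = 0  # only meaningful when action == "captcha"


class SignupThrottle:
    """Sliding-window sign-up throttle keyed by a tight CIDR (assumed /24 for IPv4, /64 for IPv6).

    Thresholds per key within one window (assumed values for this example):
      - fewer than ``free`` recent sign-ups: no friction
      - beyond that: a captcha whose difficulty level rises every ``captcha_step`` sign-ups
      - at ``hard_cutoff``: refuse outright until enough old entries age out of the window
    """

    def __init__(self, window_s=3600, free=3, captcha_step=5, hard_cutoff=20,
                 v4_prefix=24, v6_prefix=64):
        self.window_s = window_s
        self.free = free
        self.captcha_step = captcha_step
        self.hard_cutoff = hard_cutoff
        self.v4_prefix = v4_prefix
        self.v6_prefix = v6_prefix
        self._events = {}  # CIDR key -> deque of sign-up timestamps (oldest first)

    def _key(self, ip):
        # Group neighbouring addresses so a sender rotating within one block shares one budget.
        addr = ipaddress.ip_address(ip)
        prefix = self.v4_prefix if addr.version == 4 else self.v6_prefix
        return str(ipaddress.ip_network((str(addr), prefix), strict=False))

    def _recent(self, key, now):
        # Drop timestamps that have fallen out of the window, then return what is left.
        q = self._events.setdefault(key, deque())
        cutoff = now - self.window_s
        while q and q[0] <= cutoff:
            q.popleft()
        return q

    def check(self, ip, now):
        """Decide how to treat a sign-up attempt from ``ip`` at time ``now`` (seconds)."""
        n = len(self._recent(self._key(ip), now))
        if n >= self.hard_cutoff:
            return Decision("block")
        if n < self.free:
            return Decision("allow")
        level = 1 + (n - self.free) // self.captcha_step
        return Decision("captcha", level)

    def record(self, ip, now):
        """Count one sign-up that actually triggered a confirmation email."""
        self._recent(self._key(ip), now).append(now)


def simulate_burst(throttle, ip, count, start=0.0, spacing=1.0):
    """Submit ``count`` sign-ups from ``ip`` ``spacing`` seconds apart; return the decisions."""
    decisions = []
    for i in range(count):
        now = start + i * spacing
        decision = throttle.check(ip, now)
        decisions.append(decision)
        if decision.action != "block":   # a blocked attempt sends no email, so it is not counted
            throttle.record(ip, now)
    return decisions


if __name__ == "__main__":
    throttle = SignupThrottle()
    # Constructed scenario: 22 sign-ups from one address in quick succession.
    for i, d in enumerate(simulate_burst(throttle, "203.0.113.7", 22)):
        print(f"attempt {i + 1:2d}: {d.action}" + (f" (level {d.captcha_level})" if d.captcha_level else ""))
```

The thresholds apply per block rather than per address, which is what the answer means by "a tight CIDR"; the trade-off is that a large NAT shares one budget, so the free allowance and the cutoff should be sized against legitimate sign-up volume observed from a single block, and the counter should only be incremented for attempts that actually cause an email to be sent.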