Ask HN: What to do about random email sign-up attacks?

by gajuson 3/25/2024, 2:53:32 PM with 5 comments
  • by LinuxBenderon 3/25/2024, 3:13:41 PM

    I have what would probably be an unpopular and high friction idea but here goes.

    If I were being targeted in this manor I would flip the transaction around. I would generate a long random-like email address on my website using an email specific domain that is temporary but tied to the person logged in. To activate it they would email that address with a code from the application they received whilst signed in. On that email specific domain I would validate and enforce FCrDNS, DMARC and SPF and probably also use SpamAssassin to get a spam score from all the RBL's and RSL's, then do something with it. There is also greylisting and prompt delays that can be configured to break some bots. Oh, and if the sender does not have SPF+DMARC enforcing you could just outright reject it anyway if so desired.

    In this mail-list-like model, no emails are sent from my servers. The attacker has to spoof their victim which is harder to do now with DMARC, SPF, SA, SR25 regex, etc... Their proxies and cell phone farms become their own hindrance. It can still be done to people that do not have those measures in place, but it makes for a new conversation with the abuse complaint and gives the attacker more work to do.

    It's unfortunate that RSS is not in all the browsers any more.

  • by mooredson 3/25/2024, 3:00:05 PM

    You have a couple of options, none great.

    You could enable social sign-on (Google, Facebook, etc) and disable sign up by email.

    You could rate limit sign ups based on IP address, including a captcha (though it sounds like they may work around this).

    You could use a waf like cloud flare and hope it distinguishes bad actors.

    You could shut off new sign-ups or turn them manual for a time (make folks submit a form and add them yourself if you can verify they are interested) to make yourself a more painful target.

    Not a lot of easy options, though.

  • by spicykrakenon 3/25/2024, 2:58:52 PM

    A captcha might add enough friction to at least slow them down if they're doing this at scale.

    Also adding some fraud detection on top might help (e.g. MaxMind) you can tell if the requests are coming from a proxy, hosting service, etc and block those requests or present them with additional challenges.

  • by 1970-01-01on 3/25/2024, 3:00:27 PM

    Why not drop the email requirements?

    Unique username and password has worked since forever. If you need a 3rd gate, "something you have" is good enough - hardware based 2FA (not TOTP).

  • by alam2000on 3/26/2024, 3:02:24 AM

    [dead]