Original link: https://lepture.com/zh/2023/signup-attack
I developed a blog and podcast hosting service, Typlog, and the website you are reading now is hosted on Typlog. Today I would like to share a painful lesson from operating Typlog, in the hope that it helps other developers.
A few days ago, a customer emailed Typlog with some questions. After I responded, several days passed without any feedback from the customer. So I used my private email to ask the customer whether they had received my reply, and the answer was no. I had a bad premonition, so I sent an email from Typlog’s address to my personal address, and as expected it went into the trash. There is nothing wrong with our email settings: DKIM, SPF, and DMARC are all set up correctly, and Gmail marks all of them as “PASS”, yet the email still went into the trash.
My hunch was correct, and I realized what the problem was. I checked the AWS SES console and found that something was wrong with the domain reputation. Typlog’s contact email uses Google Workspace, and notification emails use SES; both use the domain name typlog.com. The notification email service caused a reputation problem for the domain, which in turn affected the contact email address.
Why was there a problem with our notification email service? I had long been ignoring a problem. I noticed a lot of junk registrations on Typlog very early on, but I didn’t pay much attention to them. First, our registration endpoint is rate limited, so bots cannot register many accounts. Second, we are a paid service, and an account that is registered but never activated cannot do anything. It wasn’t until Typlog’s contact email broke that I realized what I had overlooked.
When someone registers, the system sends an activation email to the address given. If you never signed up for a service but receive a registration email from it, you may mark that email as spam. When too many people flag it, email providers conclude that the domain is a spam domain. Even if nobody marks it as spam, a mailbox that frequently sends to non-existent addresses will also be treated by providers as a source of spam. There is also a password-recovery endpoint, which sends emails as well, so even more mail goes out. What’s more, some bots click the activation link, and perhaps they report the email as spam while they are at it.
If you develop a service and operate it for any length of time, you will always encounter malicious bots. I still don’t understand why these junk-registration bots exist. How do they make money for the underground economy?
Fortunately, Typlog’s mailing list service uses a different domain name, so the mailing list feature for our users is not affected.
Now I need to rebuild Typlog’s domain name reputation, which will be a long process. Here is my plan:
- First of all, to prevent spam registrations from bots, I added Turnstile verification to the account registration and password recovery pages.
- Separate domain names for notification email and contact email.
- Add a note to the registration page asking users to check their trash, so that they can still complete registration.
- Ask friends for help: communicate with them from Typlog’s contact email and have them mark the messages as not spam.
If you have better suggestions, please leave me a message. I also hope this article can help new developers. If I develop a new product, I will implement the following plan from the beginning:
- Do not use the root domain for notification email. For example, if the domain name is example.com, use an address such as [email protected] for notifications instead.
- Use a CAPTCHA service, such as Turnstile, hCaptcha, reCAPTCHA, etc.
- Keep an eye on the product’s various status indicators.
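The two plans above fit together as one sign-up gate. The sketch below is an added example, not Typlog’s code: it rate-limits sign-ups per IP, requires a CAPTCHA token (the verifier is injected, so a Turnstile siteverify call can be swapped in; here it is faked), sends activation mail only from a dedicated subdomain (`notify.example.com`, an assumed name), and keeps a suppression list fed by bounce and complaint feedback so the same dead or unwilling address is never mailed twice.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# Assumed dedicated sending subdomain; reputation damage here does not
# touch the root domain that the contact mailbox uses.
NOTIFY_DOMAIN = "notify.example.com"


@dataclass
class SignupGate:
    # verify_token(token, remote_ip) -> bool, e.g. a Turnstile siteverify
    # request in production; injected so the gate can be tested offline.
    verify_token: Callable[[str, str], bool]
    max_per_ip: int = 3          # attempts allowed per IP per window
    window: float = 3600.0       # seconds
    suppressed: Set[str] = field(default_factory=set)
    outbox: List[Dict[str, str]] = field(default_factory=list)
    _hits: Dict[str, List[float]] = field(default_factory=dict)

    def record_feedback(self, address: str, kind: str) -> None:
        """Feed SES-style bounce/complaint notifications into the suppression list."""
        if kind in ("bounce", "complaint"):
            self.suppressed.add(address.lower())

    def signup(self, email: str, ip: str, token: str, now: float = None) -> str:
        """Return the decision taken for one sign-up attempt."""
        now = time.time() if now is None else now
        hits = [t for t in self._hits.get(ip, []) if now - t < self.window]
        if len(hits) >= self.max_per_ip:
            return "rate_limited"
        # Every attempt counts against the limit, including failed CAPTCHAs,
        # so a bot cannot probe the form for free.
        hits.append(now)
        self._hits[ip] = hits
        if not self.verify_token(token, ip):
            return "captcha_failed"
        if email.lower() in self.suppressed:
            return "suppressed"      # bounced or complained before: do not mail again
        self.outbox.append({
            "from": f"no-reply@{NOTIFY_DOMAIN}",
            "to": email,
            "subject": "Activate your account",
        })
        return "sent"
```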