-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Email Spam Prevention #2184
Comments
I think it could be worth setting up an email server on Listing individual email addresses in a single file could be done, however it would replicate the problem that the PSL itself has, which is lag time. |
@wdhdev Yes, it might be a good idea to spin up an email server or set up a group email, so requestors can easily recognize emails coming from volunteers. Also, when volunteers send emails, we could maybe CC a group email or mailing list to keep others in the loop. That said, I am not too sure about volunteers using One possible approach could be registering an alternative domain like Lastly, we could think about updating the readme.md to mention that emails from the maintainers and the community tend to come from Lines 20 to 22 in 36aa83b
Currently, these emails to requestors are being sent in very low volume, so this is probably not a priority issue. However, with the domain expiry being over two years and _psl TXT rules now required and enforceable, it is expected that the community may need to send more reminder emails for this in the future. |
We could just use a subdomain on the already existing publicsuffix.org. |
Maybe we could do a combination of 1. and 3. by setting up a GitHub action which sends notifications for an issue or PR based on some kind of request. |
Yeah those last 2 could work. |
Yes, I agree with points 2 and 3, which can easily be implemented by adding them to the |
@simon-friedberger Email accounts for volunteers would likely be the best fit, as then people could simply filter emails from Adding GitHub issue/PR links could also work, but there is always the possibility of someone using hyperlinks in scam emails and redirecting people elsewhere. Does Mozilla run any email servers that publicsuffix.org could use, without too much hassle? It would require maintainence however it would be the safest bet in the long run. We could also setup a no-reply email with a simple dashboard which requires OAuth with GitHub to restrict it to volunteers or users on a certain team, which would require little effort to maintain, other than the mail server. |
I'm not sold on email addresses. That means they are somehow in contact with one specific volunteer and if that volunteer is unavailable they do not get a response. What we would want is some kind of CRM but that sounds like even more work. And since most spammers won't bother to customize their spam for the PSL (presumably, none will) it's also not necessary. At least that was my reasoning for (2.) and (3.). |
We could have a shared mailbox possibly, in that case. Spammers are exclusively using emails on the PSL, so I doubt it would be difficult for them to update their subject. |
Oh, how do you know? I assumed they just crawl the web including Github. |
Well, I'm not completely sure, however it seems fairly obvious. I mean the PSL is basically a huge datamine of email addresses. I've had this exact issue with another service I run, they aren't scanning for random email addresses, they were reading from specific services that publicise email addresses. Some may just crawl GitHub, however that's extremely inefficient and prone to rate limiting, when they could just pull once from https://publicsuffix.org/list/public_suffix_list.dat and scan the entire file for email addresses. |
I think regardless of how spammers collect email addresses, whether by crawling all over GitHub or specifically using the PSL as one of their sources, it seems that the spam emails the requestors received so far are generic fraudulent messages rather than targeted attacks aimed at misleading PSL requestors to make changes to the PSL blocks. This suggests that they are unlikely to change the email subjects to specifically target people listed in the PSL. So, I would still say that implementing (2) and (3) should be sufficient for now, as they are more practical to put in place. We can always reconsider email address-based filtering or an email server solution if both (2) and (3) fail to work. |
Tangentially related: In the future, when we reach out to people, it would be good to CC the psl-discuss mailing list so we can have the discussions in the open and have something to reference. |
@dnsguru I know you have a lot of personal contacts so the previous suggestion might not always apply but I think it would be good to try. |
This issue is created to follow up the discussion in #2182 (comment)
I know this is probably low priority, but I just wanted to document it here for future consideration.
Background:
Based on my experience sending confirmation emails to requestors, a very small portion of requestors respond. One likely cause is that emails listed on the Public Suffix List (PSL) are propagated to various places, leaving them vulnerable to spam. Over time, this can lead requestors to stop monitoring these email addresses, reducing the effectiveness of using them for important communications.
Related issues and case studies:
prvcy.page
contact email #2182 (comment)scooper6@my.ccri.edu
is not with PSL and "Compliance" emails are not being sent from this project #1849Proposal:
As both @o3o-ca and @wdhdev suggested in #2182 (comment), the community could possibly mitigate these issues by creating documentation in this repository that includes a list of source emails or email rules, indicating who can contact requestors for PSL matters. This would give requestors the option to apply an email filter or allowlist certain trusted domains and addresses.
Pros:
Cons:
@mozilla.org
emails).Proposed Action:
Example Approaches:
Domain-based allowlist: Instead of listing individual email addresses, we could use domain-based allowlists such as
*@mozilla.org
or*@volunteer.publicsuffix.example
, allowing emails from any user at those domains to pass through.@volunteer.publicsuffix.example
), which adds complexity and overhead.Individual email addresses: In cases where a dedicated domain is not feasible, we could list individual volunteer email addresses like
jane.doe@example.com
.Subject-based filtering: Instead of filtering based on email addresses or domains, we could ask volunteers and maintainers to include a specific string like "PSL Inquiry" in the subject line of all communications. Requestors could then configure their email systems to allow only messages containing this phrase in the subject and reject all others.
Looking for feedback from the community on how best to manage this process and whether it would be feasible to implement.
The text was updated successfully, but these errors were encountered: