Please. Captcha by default. Email domain filters. Auto-block federation from servers that don’t respect. By default. Urgent.
And yes, to refute some comments, this publication is being upvoted by bots. A single computer was needed, not “thousands of dollars” spent.
please no, email filters are ridiculously easy to bypass.
Let's say you go with a whitelist-all and blacklist-malicious-email-domains approach: i.e., temp mail and the sort are blocked. This is badness enumeration; it does not work. What does an attacker do? Host their own mail server and create infinite emails, or use a lesser-known temp mail service. You cannot block them all.
Let's suppose you go with a blacklist-all and whitelist-popular-email-services approach. Wonderful, now a significant number of people cannot sign up; you've successfully bottlenecked Lemmy's growth. This also does nothing: there's temp mail services which somehow give you a gmail address. An attacker would just use that.
Use captchas, they serve a purpose, aren’t snake oil and (usually) don’t prevent genuine humans from signing up. But don’t go extreme on email restrictions.
This right here.
OP, if you're not ready to moderate, don't spin up your own server or do your own private instance. If you're going to moderate, do it properly and don't spew bad ideas while hiding behind a dumb "alert" throwaway.
To be honest, I’m surprised that that username was allowed (or not reserved). It seems like it would introduce a risk where people could pose as Lemmy developers or something along those lines.
I believe you can literally just add a "." to the end of your own gmail and it will go to yours. I.e., hello.1@gmail.com will go to hello@gmail.com.
Actually, hello.1@gmail will go to hello1@gmail.
The one you are thinking of, I believe, is hello+1@gmail, which will go to hello@gmail.
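An added example, not from any commenter in this thread, showing the defender-side use of the Gmail rules discussed above: canonicalising addresses so that dot and plus variants of one mailbox count as a single signup. It assumes the dot-insensitive and plus-tag rules apply only to gmail.com and its alias domain googlemail.com (an assumption; other providers are left untouched).

```python
from typing import Iterable

# Assumption for this example: only these domains ignore dots in the local
# part and treat "+tag" as an alias of the same mailbox.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return the canonical form of an address for duplicate-signup checks.

    Always: trim whitespace and lowercase.
    For dot-insensitive providers: strip any "+tag", drop dots in the local
    part, and fold googlemail.com into gmail.com, so that
    hello.1@gmail.com -> hello1@gmail.com and hello+1@gmail.com -> hello@gmail.com.
    Raises ValueError for a malformed address.
    """
    address = address.strip().lower()
    if address.count("@") != 1:
        raise ValueError(f"malformed address: {address!r}")
    local, domain = address.split("@")
    if not local or not domain:
        raise ValueError(f"malformed address: {address!r}")
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
        if not local:
            raise ValueError(f"empty local part after canonicalising: {address!r}")
    return f"{local}@{domain}"


def is_duplicate_signup(new_address: str, existing: Iterable[str]) -> bool:
    """True if new_address resolves to a mailbox that is already registered."""
    canon = canonical_email(new_address)
    return canon in {canonical_email(a) for a in existing}


if __name__ == "__main__":
    # Constructed sample of already-registered accounts.
    registered = ["hello@gmail.com", "someone@example.org"]
    for candidate in ["h.e.l.l.o+alt@gmail.com", "hello.1@gmail.com", "some.one@example.org"]:
        print(candidate, "->", canonical_email(candidate), "duplicate:", is_duplicate_signup(candidate, registered))
```

Non-Gmail domains are deliberately left as-is, because dots and plus tags are significant for many mail servers and collapsing them there would wrongly merge distinct users.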
BTW, it might be more inclusive language to use “allow list” and “block list”
I can’t imagine being so obsessed with race politics as to think that purely technical terms like “white list” and “black list”, which have never had any connection to race relations whatsoever, are somehow non-inclusive.
With all due respect, it’s from NIST’s guidance