commit 688e1ac015bcfe5a826032e207f9a0f671cd6174 Author: Philipp Winter phw@nymity.ch Date: Thu Jun 6 09:25:07 2019 -0700
Remove Yahoo from our whitelisted email domains.
Yahoo allows you to create up to 500 disposable email addresses, which BridgeDB interprets as unique: https://bugs.torproject.org/28496#comment:8
We could address this issue in BridgeDB but at this point we seem better off dropping support for Yahoo because the provider likely also fell behind in Sybil protection.
This fixes bug 28496: https://bugs.torproject.org/28496 --- CHANGELOG | 9 +++++++++ README.rst | 7 +++---- bridgedb.conf | 3 +-- bridgedb/distributors/https/templates/base.html | 3 +-- bridgedb/strings.py | 2 +- bridgedb/test/test_email_autoresponder.py | 2 +- 6 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index f45f56f..dd460ab 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,14 @@ Changes in version 0.6.X - YYYY-MM-DD
+ * FIXES #28496 https://bugs.torproject.org/28496 + Remove Yahoo from the list of allowed email domains. Yahoo allows you + to create up to 500 disposable email addresses, which BridgeDB + interprets as unique: + https://bugs.torproject.org/28496#comment:8 + We could address this issue in BridgeDB but at this point we seem better + off dropping support for Yahoo because the provider likely also fell + behind in Sybil protection. + * FIXES #28655 https://bugs.torproject.org/28655 When a bridge supports an active probing-resistant transport, it should not give out flavors that are vulnerable to active probing. For
diff --git a/README.rst b/README.rst
index feb5227..ea4bc7c 100644
--- a/README.rst
+++ b/README.rst
@@ -401,10 +401,9 @@ Accessing the Email User Interface ----------------------------------
Any mail sent to the ``EMAIL_PORT`` with a destination username as defined by
-the ``EMAIL_USERNAME`` configuration option (the default is ``'bridge'``,
-e.g. bridges@...) and sent from an ``@riseup.net``, ``@gmail.com``, or
-``@yahoo.com`` address (by default, but configurable with the
-``EMAIL_DOMAINS`` option).
+the ``EMAIL_USERNAME`` configuration option (the default is ``'bridge'``, e.g.
+bridges@...) and sent from an ``@riseup.net`` or ``@gmail.com`` address (by
+default, but configurable with the ``EMAIL_DOMAINS`` option).
You can email our BridgeDB instance `here mailto:bridges@torproject.org`__.
diff --git a/bridgedb.conf b/bridgedb.conf
index 73b65b8..900ead1 100644
--- a/bridgedb.conf
+++ b/bridgedb.conf
@@ -561,7 +561,7 @@ EMAIL_SMTP_PORT = 25 EMAIL_USERNAME = "bridges"
# Canonical versions of domains that we will reply to.
-EMAIL_DOMAINS = ["gmail.com", "yahoo.com", "riseup.net"]
+EMAIL_DOMAINS = ["gmail.com", "riseup.net"]
# Map from unofficial domain to canonical domain. EMAIL_DOMAIN_MAP = {
@@ -582,7 +582,6 @@ EMAIL_DOMAIN_MAP = { # Note that unrecognized options are ignored; be sure to spell them right! EMAIL_DOMAIN_RULES = { 'gmail.com': ["ignore_dots", "dkim"],
- 'yahoo.com': ["dkim"],
'riseup.net': ["ignore_dots", "dkim"], }
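Review bot: Nothing in `bridgedb.conf` records what qualifies a provider for `EMAIL_DOMAINS`, so an operator could later re-add Yahoo, or add another provider with cheap disposable addresses, without noticing that each accepted address is treated as a unique requester. I would add a comment above the list, e.g. `# Only list providers that make bulk address creation costly; every accepted address counts as a unique user (see https://bugs.torproject.org/28496).` This hunk also changes only the shipped default: instances running with their own copy of the file will presumably keep answering Yahoo mail until `EMAIL_DOMAINS` and the `'yahoo.com'` entry in `EMAIL_DOMAIN_RULES` (second hunk) are edited there too, which the CHANGELOG entry could say. The body of `EMAIL_DOMAIN_MAP` lies between the two hunks and is not shown, so it is worth confirming that no alias in it still maps to `yahoo.com`.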
diff --git a/bridgedb/distributors/https/templates/base.html b/bridgedb/distributors/https/templates/base.html
index 93eb2b5..d7b6045 100644
--- a/bridgedb/distributors/https/templates/base.html
+++ b/bridgedb/distributors/https/templates/base.html
@@ -60,8 +60,7 @@ ${next.body(strings, rtl=rtl, lang=lang, **kwargs)} ${_(strings.OTHER_DISTRIBUTORS[1]) % \ ("""<a href="mailto:bridges@torproject.org">bridges@torproject.org</a>""", """<a href="https://riseup.net/">Riseup</a>""",
- """<a href="https://mail.google.com/">Gmail</a>""",
- """<a href="https://mail.yahoo.com/">Yahoo</a>""")}
+ """<a href="https://mail.google.com/">Gmail</a>""")}
</p>
<h4>${_(strings.HELP[0])}</h4>
diff --git a/bridgedb/strings.py b/bridgedb/strings.py
index 49bb933..569f339 100644
--- a/bridgedb/strings.py
+++ b/bridgedb/strings.py
@@ -108,7 +108,7 @@ OTHER_DISTRIBUTORS = { 1: _("""\ Another way to get bridges is to send an email to %s. Please note that you must send the email using an address from one of the following email providers:
-%s, %s or %s."""),
+%s or %s."""),
}
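Review bot: The `%` formatting in `base.html` raises a TypeError whenever the string returned by `_()` does not contain exactly as many `%s` as the tuple has elements, so the three-element tuple here and the new `%s or %s.` text in `bridgedb/strings.py` (next file) have to stay in step with every translation catalog as well. The diff does not show the translation templates being regenerated; that may happen in a separate step, but a catalog entry still carrying the old four placeholders, for instance a fuzzy match that gets compiled in, would presumably break the localized page rather than fall back to English. A short comment next to `OTHER_DISTRIBUTORS[1]`, such as `# Placeholders: the bridges address, then one %s per provider link passed in base.html.`, would make the coupling visible. The enclosing `<p>` element and the `OTHER_DISTRIBUTORS` dict both start outside their hunks.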
HELP = {
diff --git a/bridgedb/test/test_email_autoresponder.py b/bridgedb/test/test_email_autoresponder.py
index a1e376f..f59e5ef 100644
--- a/bridgedb/test/test_email_autoresponder.py
+++ b/bridgedb/test/test_email_autoresponder.py
@@ -520,7 +520,7 @@ class SMTPAutoresponderTests(unittest.TestCase): reported being from an email address at one supported domain and the email's 'From:' header reported another domain. """
- smtpFrom = 'not.an.evil.bot@yahoo.com'
+ smtpFrom = 'not.an.evil.bot@riseup.net'
emailFrom = Address('not.an.evil.bot@gmail.com') self._getIncomingLines(str(emailFrom)) self._setUpResponder()
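Review bot: The fixture is switched to two still-supported domains, but nothing visible in this diff asserts the behaviour the commit is about, namely that a message from an `@yahoo.com` sender no longer receives a reply. I would add a sibling test in `SMTPAutoresponderTests` that feeds a Yahoo sender through the same `_getIncomingLines()` / `_setUpResponder()` setup and checks that no response is generated, so that re-adding the domain to the defaults fails loudly. The enclosing test method starts and ends outside the hunk, so its existing assertions are not visible here.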