[tor-bugs] #7550 [BridgeDB]: BridgeDB email responder is not interactive

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Jun 29 04:30:46 UTC 2013 

#7550: BridgeDB email responder is not interactive
----------------------+-----------------------------------------------------
 Reporter:  aagbsn    |          Owner:                   
     Type:  defect    |         Status:  needs_information
 Priority:  normal    |      Milestone:                   
Component:  BridgeDB  |        Version:                   
 Keywords:            |         Parent:                   
   Points:            |   Actualpoints:                   
----------------------+-----------------------------------------------------

Comment(by sysrqb):

 Replying to [comment:6 aagbsn]:
 > Replying to [comment:5 sysrqb]:
 > > Replying to [comment:4 asn]:
 > > > Also, what is the point of rate limiting in BridgeDB? A user with a
 single IP shouldn't be able to get more than a bunch of bridges anyway,
 right?
 > >
 > > Right, maybe aagbsn (or arma, nickm, Karsten) have a better answer,
 because within a single time period we should return the same bridges.
 That being said, maybe the rate limiting is to reduce the number of emails
 bridgedb needs to process by disincentivizing users spamming it? I don't
 see a reason for bridgedb to respond to multiple emails within the time
 period if it will be responding with the same bridges each time.
 >
 > This. We also see a barrage of requests over HTTPS.
 >
 > Sadly, the attackers/scrapers simply register "creative" names
 (somename0001 at gmail.com, somename0002 at gmail.com .. somename0020 at gmail.com)
 and keep at it.
 >
 > Any ideas? Text CAPTCHA? ASCII-art cats?
 >
 > --Aaron

 Hrm, I do like the ASCII-art catz idea, that might do the trick.

 OTOH, I think if we make some progress with #7520 (however it's designed)
 and require some sort of earned token/credit, then I think this is a step
 in the right direction. If we assume accounts for this social distributor
 are a limited resource, then (short of compromised
 account/impersonation/malicious users) we'll be able to drop all
 unauthenticated requests and spamming/abuse will be linkable. Originally,
 restricting requests to specific domains *was* an okay solution, but the
 justification really is not as applicable anymore, afaict. I feel like
 this is veering OT for this ticket, however. (sorry)

 So, thoughts? More interactive email responder is good/bad? (choose one)

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7550#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list