Rails: Gem Devise got attacked by spammer - ruby-on-rails

Since all other posts seem to be out of date or not presenting good solutions:
My web app uses the gem "Devise" for people to register on my website.
Attack Description
I noticed that every few seconds somebody sends a new registration with a different email address. I don't know if every request came from the same or a different IP, since my Heroku logs show only the latest logs and my SendGrid account is blocked.
What are good solutions to stop an attacker from sending multiple registrations?

I think one solution would be to add captcha.
Look at this:
https://github.com/plataformatec/devise/wiki/How-To:-Use-Recaptcha-with-Devise
The second, more complicated solution would be to try to block IP addresses.
Make a table of registration attempts, and if there are many registrations from the same IP, block it (ban the user, see link below).
I would also make sure he does not know it failed, make him think the registration was successful.
https://github.com/columbusrb/conclave/issues/16

Related

Net::SMTPAuthenticationError ruby on heroku with gmail works but fails again

I have problems sending mail from a Ruby production app on Heroku via a Gmail SMTP account.
Here I found the solution.
When I apply the solution all works well, but after a while the problem comes back.
Do I have to set something in my Google account to make it permanent?
I think it has to do with the fact that I am using a free Heroku account.
The server stops after a while and perhaps has to log in to Gmail again when it starts up.
There's no way to make it permanent because Gmail doesn't want its service to be used to send out automated e-mails (*).
There are some providers that will make it much easier for you:
https://sendgrid.com/pricing/ has a free plan (up to 100 emails/day)
https://postmarkapp.com/pricing gives you 10k emails for $10
or take your pick, because the market seems to be pretty saturated: https://duckduckgo.com/?q=e-mail+delivery+service&ia=web
(*) What I suspect they do (though I could not find info about it) is that they can see if "the same e-mails" are sent within short intervals.
You might try your luck (if it makes sense, for example when it's a toy project) by altering each e-mail's contents to make it seem like a different e-mail each time. But it will be just easier to go with the free option of any of the other providers that actually want you to use them in your app.

Malicious Bots waking up heroku free app and using up all dyno hours

I have an app hosted on heroku which for the last 5 years has done fine on free dyno hours. There's a single user, and it doesn't get much use throughout the day.
As of the last couple of months, we seem to be targeted by bots who create fake accounts. We are getting so many of these bots now that they are waking our app up so often that it has consumed our free dyno hours.
Does anyone know how to get rid of them? I had tried using invisible_captcha but that did not seem to help.
You should consider using Rack::Attack: https://github.com/kickstarter/rack-attack
It's a middleware that allows you to block/allow a request.
For example, if they are using the same email domain for each new registration, you could only accept ten registrations (because it's not a big website) with this domain by hour, until they calm down.
Or, if they come from the same place, you can limit the requests from this country thanks to their IP.
EDIT:
If you check the country based on the IP address, the dyno will be woken up (because you'll call an external service to get the information), so it's not a good solution in this case.
Simple solution:
If you have only a single user, consider hosting the app on a secret subdomain which will not get crawled. And every time you get an issue like this you can just change your subdomain and inform your user.
A more complex solution:
Use a solution like cloudflare and prevent unwanted traffic to the application.
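The first post's answer suggests keeping a table of registration attempts per IP and letting the attacker believe the sign-up succeeded, and the Rack::Attack answer above suggests capping sign-ups per e-mail domain at ten per hour. The following is an added example, not code from either post or from rack-attack, that does both as a plain Rack middleware; it assumes Devise's sign-up route is POST /users with a user[email] form field, and takes an injectable clock so the window can be tested without waiting.

```ruby
require "uri"

# Added example (not from the original posts or rack-attack): a minimal Rack
# middleware that throttles Devise sign-ups per client IP and per e-mail domain
# inside a sliding one-hour window. Throttled requests get the same redirect a
# successful sign-up would, so the bot cannot tell it was blocked.
# Assumed: sign-ups are POST /users carrying a user[email] form field.
class RegistrationThrottle
  WINDOW = 3600   # seconds
  LIMIT  = 10     # sign-ups per IP and per e-mail domain within WINDOW
  FAKE_SUCCESS = [302, { "location" => "/" }, []].freeze   # mimics the post-sign-up redirect

  def initialize(app, clock: -> { Time.now.to_i })
    @app, @clock = app, clock
    @hits = Hash.new { |h, k| h[k] = [] }   # throttle key => request timestamps
  end

  def call(env)
    return @app.call(env) unless env["REQUEST_METHOD"] == "POST" && env["PATH_INFO"] == "/users"
    now = @clock.call
    # map (not any?) so every key records the hit even after one is over the limit
    blocked = keys_for(env).map { |key| over_limit?(key, now) }.any?
    blocked ? FAKE_SUCCESS : @app.call(env)
  end

  private
  def keys_for(env)
    keys = ["ip:#{env['REMOTE_ADDR']}"]
    domain = email_domain(env)
    keys << "domain:#{domain}" if domain
    keys
  end

  # Records this request and reports whether the key now exceeds LIMIT.
  def over_limit?(key, now)
    stamps = @hits[key]
    stamps.reject! { |t| t <= now - WINDOW }   # forget hits outside the window
    stamps << now
    stamps.size > LIMIT
  end

  def email_domain(env)
    return nil unless (body = env["rack.input"])
    body.rewind
    params = URI.decode_www_form(body.read).to_h
    body.rewind   # leave the body readable for the app downstream
    addr = params["user[email]"].to_s
    addr.include?("@") ? addr.split("@").last.downcase : nil
  end
end
```

Mount it with `config.middleware.use RegistrationThrottle` in a Rails app; the in-memory hash is per process, so a multi-dyno deployment would back it with a shared store instead.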

Verifying Googlebot in Rails

I am looking to implement First Click Free in my Rails application. Google has this information on how to verify if a Googlebot is viewing your site here.
I have been searching to see if there is anything existing for Rails to do this but I have been unable to find anything. So firstly, does anyone know of anything? If not, could anyone point me in the right direction of how to go about implementing what they have suggested in that page about how to verify?
Also, in that solution, it has to do a lookup every time to try and detect Google; that seems like it's going to be a big performance hit if I have to do it every page load. I could cache the IP if it has been verified in the past, but Google has stated that their IPs change, so at some point it may no longer belong to them. Although it probably doesn't happen regularly, so it may not be that big of an issue.
Many thanks!!
Check out the browser gem: https://github.com/fnando/browser
What I'd do is use the browser.bot? method to check if your site is being accessed by a bot or not. If you care about the Googlebot specifically, you could check if browser.name includes googlebot. Keep in mind that this gem just checks the user agent sent by the client's browser, which could of course be spoofed. Sounds like that isn't a huge concern for your purposes.
I've built a Ruby gem for that recently, it's called "legitbot".
You may learn if a Web request comes from a supported bot using
bot = Legitbot.bot(userAgent, ip)
"legitbot" does this looking into User-agent and searching for a bot signature, i.e. how bots identify themselves. This doesn't guarantee that the Web request IP really comes from e.g. Googlebot. To make sure it is, call
bot.detected_as # => "Google"
bot.valid? # => true
bot.fake? # => false
Supported bots are Googlebot, Yandex bots, Bing, Baidu, DuckDuckGo.
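The question links to Google's own verification procedure (reverse DNS, check the domain, forward DNS) and worries about the cost of doing it on every page load. Here is an added example, not code from the question, the browser gem or legitbot, that implements that procedure with a TTL cache; the resolver is injectable so it can be exercised offline, and the standard library's Resolv::DNS is the default.

```ruby
require "resolv"

# Added example (not from the question or the legitbot gem): verifies a claimed
# Googlebot the way Google's page describes, i.e. reverse-DNS the client IP,
# require the PTR name to sit under googlebot.com or google.com, then
# forward-resolve that name and require it to contain the same IP.
# Verdicts are cached per IP with a TTL so the double lookup does not run on
# every page load; the resolver is injectable so the logic can run offline.
class GooglebotVerifier
  ALLOWED_SUFFIXES = [".googlebot.com", ".google.com"].freeze

  def initialize(resolver: Resolv::DNS.new, ttl: 86_400, clock: -> { Time.now.to_i })
    @resolver, @ttl, @clock = resolver, ttl, clock
    @cache = {}   # ip => [verdict, expires_at]
  end

  # True only when the reverse and forward lookups agree.
  def googlebot?(ip)
    verdict, expires_at = @cache[ip]
    return verdict if expires_at && expires_at > @clock.call
    verdict = verify(ip)
    @cache[ip] = [verdict, @clock.call + @ttl]
    verdict
  end

  private

  def verify(ip)
    name = @resolver.getname(ip).to_s.downcase.chomp(".")
    return false unless ALLOWED_SUFFIXES.any? { |suffix| name.end_with?(suffix) }
    # forward-confirm: a PTR record the IP owner controls cannot make Google's zone answer for it
    @resolver.getaddresses(name).map(&:to_s).include?(ip)
  rescue Resolv::ResolvError
    false   # no PTR record at all: treat as not Google
  end
end
```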

Setup Devise User Confirmation to allow responding to emails rather than clicking on the link

One issue I'm seeing with Devise is that confirmation emails can go to the spam folder. If the user could simply respond to the email, that would serve to confirm the email address and it would train Gmail that the sender is not spam.
Any recommendation on whether this is worth doing and how I would do it?
Or maybe there's a much easier way to avoid having sent application mails go to spam?
I've been having the exact same issue, and after a long night I believe I have it sorted out.
1) Make sure you have an SPF record set up for your domain.
2) Set up DKIM on your mail server and put your public key in your DNS (TXT record).
3) Make sure your HTML email is properly formatted (I had to add the html opening and closing tags to mine; Devise did not do this by default).
4) The last piece of the puzzle was making sure I was sending both plaintext and html MIME parts in my emails. Just creating an additional plaintext 'text.erb' file for each of my mail views seemed to do the trick (Rails auto-magically picked it up and constructed multipart emails for me).
You can verify that 1 and 2 are set up right by viewing the 'original' email within Gmail and making sure you see something like "spf=pass" and "dkim=pass" in the headers.
A friend informed me about a service called SendGrid (and I'm sure there are other service providers that do exactly the same thing) after I had spent nearly an entire night going from WTH is DKIM? -- to getting way more familiar with SMTP, DNS, and postfix than I ever wanted to be. But it works now, and I'm probably too cheap to pay for a third party service anyway :)
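The answer above checks "spf=pass" and "dkim=pass" by eye in Gmail's original view. The following is an added example, not code from the answer, that parses the Authentication-Results header (RFC 8601) the same check relies on; the sample headers are constructed and the domains and addresses in them are placeholders.

```ruby
# Added example (not from the answer above): checks what the answer says to
# verify by hand in Gmail's "Show original": that the Authentication-Results
# header (RFC 8601) reports spf=pass and dkim=pass. Sample headers are
# constructed; addresses and domains are placeholders.
AUTH_RESULTS_RE = /^Authentication-Results:\s*(.+?)(?=^\S|\z)/mi   # value may span folded lines

# Returns e.g. { "spf" => "pass", "dkim" => "pass", "dmarc" => "pass" }
def parse_authentication_results(raw_headers)
  results = {}
  raw_headers.scan(AUTH_RESULTS_RE).flatten.each do |value|
    value = value.gsub(/\r?\n[ \t]+/, " ")    # unfold continuation lines
    value = value.gsub(/\([^)]*\)/, "")        # drop comments such as "(google.com: domain of ...)"
    _authserv_id, *resinfos = value.split(";").map(&:strip)
    resinfos.each do |info|
      next unless (m = info.match(/\A([\w-]+)=(\w+)/))
      results[m[1].downcase] ||= m[2].downcase   # first result per method wins
    end
  end
  results
end

# The two results the answer relies on.
def spf_and_dkim_pass?(raw_headers)
  r = parse_authentication_results(raw_headers)
  r["spf"] == "pass" && r["dkim"] == "pass"
end

# Constructed sample of what a correctly configured sender produces.
SAMPLE_PASS = <<~HDR
  Delivered-To: user@gmail.example
  Authentication-Results: mx.google.com;
         dkim=pass header.i=@yourdomain.example header.s=mail header.b=AbCd1234;
         spf=pass (google.com: domain of noreply@yourdomain.example designates 192.0.2.25 as permitted sender) smtp.mailfrom=noreply@yourdomain.example;
         dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=yourdomain.example
  Received: from mail.yourdomain.example (mail.yourdomain.example. [192.0.2.25])
HDR

# Constructed sample of a sender with no DKIM signature and a soft-failing SPF check.
SAMPLE_FAIL = <<~HDR
  Authentication-Results: mx.google.com;
         dkim=none header.i=@yourdomain.example;
         spf=softfail (google.com: domain of transitioning noreply@yourdomain.example does not designate 198.51.100.7 as permitted sender) smtp.mailfrom=noreply@yourdomain.example
HDR
```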
This is not Devise's fault. Devise actually follows the best practices concerning confirmation of email address.
I believe you fall in the category of bulk email senders, and that you will have to follow quite a few guidelines to sort this out.
I would advise you to go through Google help pages for more information on how to fix this:
Configuration help: https://support.google.com/mail/bin/answer.py?hl=en&answer=81126
Help wizard: https://support.google.com/mail/bin/static.py?hl=en&ts=2696779&page=ts.cs

Is this even possible? sending email with RoR with different FROM

I am building an application using Ruby on Rails. I want to do something that I am not even sure is possible;
I have a mailer that is working, however I want to enable users to send emails using their own email address in the FROM parameter. It's almost as if the ":from" parameter has no effect on the email sent.
I'm a bit of a noob when dealing with email servers, so please be as detailed as possible. I doubt there is an SMTP mail server set up on my hosting account, so if I need to do something like install SMTP on my hosting account, please be as descriptive as possible.
You are able to set the From: field to whatever you want, theoretically, but in practice you are often limited as to what you can put in there. Many email providers will automatically replace the From address with your own regardless so that you can't masquerade as someone else.
You're probably intending to do something like this:
From: Example Customer Name <name@example.com>
Also keep in mind that sending email from arbitrary domains will result in a very high chance of being flagged as spam, since you are most likely not listed as a host authorized to send for those domains, which is typically implemented with SPF.
The best practice is to set the address to be something like this:
From: Example Customer Name <you@yourdomain.name>
That way you're not spoofing your actual email address, only the associated label, which is not typically verified.
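The answer recommends keeping the From address on your own domain and putting the customer's name only in the display name. Here is an added example, not code from the answer, that builds those headers and quotes the display name per RFC 5322 so a name containing commas or quotes stays a label; it also sets Reply-To to the customer's address, which the answer does not discuss, so replies still reach them. The sender address and names are placeholders.

```ruby
# Added example (not from the answer above). Builds From/Reply-To headers for
# mail sent on a customer's behalf: From stays on your SPF-covered domain and
# only its display name carries the customer's name; Reply-To (an addition not
# in the answer) carries the customer's real address so replies reach them.
SENDER_ADDRESS = "you@yourdomain.example"   # placeholder: a mailbox on your own domain

# RFC 5322 display names must be quoted when they contain specials such as , ; : < > @ " ( )
def format_display_name(name)
  cleaned = name.to_s.gsub(/[\r\n]/, " ").strip   # strip CR/LF so a name cannot inject extra headers
  return cleaned unless cleaned.match?(/[()<>\[\]:;@\\,."]/)
  %("#{cleaned.gsub(/(["\\])/, '\\\\\1')}")       # backslash-escape quotes and backslashes inside
end

def valid_address?(addr)
  addr.to_s.match?(/\A[^\s@]+@[^\s@]+\.[^\s@]+\z/)
end

# Returns the headers for a message sent on behalf of a customer.
def on_behalf_of_headers(customer_name, customer_email)
  raise ArgumentError, "invalid reply address" unless valid_address?(customer_email)
  {
    "From"     => "#{format_display_name(customer_name)} <#{SENDER_ADDRESS}>",
    "Reply-To" => "#{format_display_name(customer_name)} <#{customer_email}>",
  }
end
```

In ActionMailer these map onto `mail(from: headers["From"], reply_to: headers["Reply-To"], ...)`.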
