Hi devs,
I'm going to update DNS-Blacklist plugin (MyRoundCube) to play with the new Plugin API.
It checks if an IP is blacklisted. This is very useful for public webmails to keep off spammers. It helped me very much on http://mail4us.net to keep spammers off my public test environment for MyRoundCube.
How would you like to see it? Should it lock out a user already at the front page (login) or is it better just to block certain tasks like sending messages, setting a forwarder or an autoresponder and let the user access for other tasks like reading his messages even if he is blacklisted?
Regards, Roland
List info: http://lists.roundcube.net/dev/
Well, I was in the mood for coding. The plugin will set $_SESSION['dnsblacklisted'] = 'pass' on a negative result or $_SESSION['dnsblacklisted'] = [list host] on a positive result.
It is configurable on which plugin hook the dnsbl plugin is executed.
I think this is the most flexible approach. Admins can decide where it is executed and how to deal with a positive result by other plugins.
Plugin is attached. Feedback is very appreciated.
Regards, Roland

----- Original Message -----
From: Roland Liebl
To: dev@lists.roundcube.net
Sent: Sunday, May 17, 2009 8:12 AM
Subject: [RCD] DNSBL Plugin
Hi devs,
I'm going to update DNS-Blacklist plugin (MyRoundCube) to play with the new Plugin API.
It checks if an IP is blacklisted. This is very useful for public webmails to keep off spammers. It helped me very much on http://mail4us.net to keep spammers off my public test environment for MyRoundCube.
How would you like to see it? Should it lock out a user already at the front page (login) or is it better just to block certain tasks like sending messages, setting a forwarder or an autoresponder and let the user access for other tasks like reading his messages even if he is blacklisted?
Regards, Roland
--- 8< --- detachments --- 8< ---
The following attachments have been detached and are available for viewing.
http://detached.gigo.com/rc/BH/S7rUbyZh/dnsbl.zip
Only click these links if you trust the sender, as well as this message.
--- 8< --- detachments --- 8< ---
On Sun, 17 May 2009 08:12:46 +0200, "Roland Liebl" roland@roland-liebl.de wrote:
> Hi devs,
> I'm going to update DNS-Blacklist plugin (MyRoundCube) to play with the new Plugin API.
> It checks if an IP is blacklisted. This is very useful for public webmails to keep off spammers. It helped me very much on http://mail4us.net to keep spammers off my public test environment for MyRoundCube.
> How would you like to see it? Should it lock out a user already at the front page (login) or is it better just to block certain tasks like sending messages, setting a forwarder or an autoresponder and let the user access for other tasks like reading his messages even if he is blacklisted?
> Regards, Roland
Thinking from a purely security-based point of view, I think the best solution is to deny all first and then customize to allow after.
From the exploiting by phishers I have seen, any vector of entry is a cause for concern. Personal information being disclosed, post-authentication exploits, etc. are just some of the off-the-top-of-the-head reasons I could see for doing a deny before login.
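
Added example, not part of the thread and not the code in dnsbl.zip: a PHP sketch of the two ideas discussed above, storing the lookup result in `$_SESSION['dnsblacklisted']` as described and gating tasks deny-first. All function names, the zone `dnsbl.example.org`, the task names and the resolver data are constructed for illustration.

```php
<?php
// Build the DNSBL query name for an IPv4 address: octets reversed, zone appended.
function dnsbl_query_name(string $ip, string $zone): ?string {
    if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
        return null; // IPv6 needs the nibble format and is left out here
    }
    return implode('.', array_reverse(explode('.', $ip))) . '.' . $zone;
}

// Returns the first list host that lists $ip, or 'pass' (the two values the
// thread describes). $resolve maps a hostname to an array of A records, or
// false when the name does not resolve.
function dnsbl_check(string $ip, array $zones, callable $resolve): string {
    foreach ($zones as $zone) {
        $name = dnsbl_query_name($ip, $zone);
        if ($name === null) {
            continue;
        }
        foreach ($resolve($name) ?: [] as $answer) {
            // DNSBL listings are answered from 127.0.0.0/8; ignore anything else
            if (strpos($answer, '127.') === 0) {
                return $zone;
            }
        }
    }
    return 'pass';
}

// Deny first: only a session explicitly marked 'pass' gets every task.
// A listed client, or one that was never checked, is limited to the allow list.
function task_allowed(array $session, string $task, array $allowWhenListed): bool {
    if (($session['dnsblacklisted'] ?? null) === 'pass') {
        return true;
    }
    return in_array($task, $allowWhenListed, true);
}

// Constructed resolver data so the example runs offline.
// For live DNS, pass 'gethostbynamel' as $resolve instead.
$records = ['1.2.0.192.dnsbl.example.org' => ['127.0.0.2']];
$resolve = fn(string $host) => $records[$host] ?? false;

$session = ['dnsblacklisted' => dnsbl_check('192.0.2.1', ['dnsbl.example.org'], $resolve)];
var_dump($session['dnsblacklisted']);
var_dump(task_allowed($session, 'send', []));        // empty allow list: deny all
var_dump(task_allowed($session, 'read', ['read']));  // admin re-allowed reading
```

Some list operators reserve certain 127.x return codes for query errors rather than listings, so check the operator's documentation before treating every 127.x answer as a hit.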