From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <d.csapak@proxmox.com>
To: Thomas Lamprecht <t.lamprecht@proxmox.com>,
 Dietmar Maurer <dietmar@proxmox.com>, pmg-devel@lists.proxmox.com
References: <20201117145743.10561-1-d.csapak@proxmox.com>
 <925752189.205.1605630434708@webmail.proxmox.com>
 <536187425.206.1605631117830@webmail.proxmox.com>
 <febff702-2986-c67f-7cbb-79b524b09029@proxmox.com>
From: Dominik Csapak <d.csapak@proxmox.com>
Message-ID: <31d52e9d-fe70-acdb-b24c-3554df4c3b13@proxmox.com>
Date: Wed, 18 Nov 2020 08:56:25 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101
 Thunderbird/83.0
MIME-Version: 1.0
In-Reply-To: <febff702-2986-c67f-7cbb-79b524b09029@proxmox.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Subject: Re: [pmg-devel] [PATCH pmg-api/gui] add quarantine self service
 button
List-Id: Proxmox Mail Gateway development discussion
 <pmg-devel.lists.proxmox.com>
List-Archive: <http://lists.proxmox.com/pipermail/pmg-devel/>
X-List-Received-Date: Wed, 18 Nov 2020 07:56:57 -0000

On 11/18/20 8:44 AM, Thomas Lamprecht wrote:
> On 17.11.20 17:38, Dietmar Maurer wrote:
>>
>>> On 11/17/2020 5:27 PM Dietmar Maurer <dietmar@proxmox.com> wrote:
>>>
>>>
>>> IMHO this is too dangerous.
>>>
>>> This needs at least some kind of captcha ...
>>
>> i.e. This would allow direct DOS attacks to the internal mail server.
>>
> 
> I found this captcha solution, relatively sophisticated but not a PITA for the
> (human) user, Friendly Captcha[0] used by some official European Union websites.
> 
> It uses Proof of Work[2] (i.e. a crypto puzzle one's device needs to solve by
> computation); the specific library used is "Friendly PoW"[1].
> 
> If we go for a captcha I'd like something like this (could be rebuilt), as
> it avoids the issues with picture texts (easily solved by computers, bad
> accessibility for humans) and similar captchas.
> 
> 
> [0]: https://github.com/friendlycaptcha/friendly-challenge
> [1]: https://github.com/friendlycaptcha/friendly-pow
> [2]: https://de.wikipedia.org/wiki/Proof_of_Work
> 

I'd rather go with a rate-limited approach,
e.g. a file with a
mail -> last click time
mapping,
and refuse if the last click time is not older than 5 min?
and only 1 per 5 seconds overall?

A captcha would be much harder to implement (more dependencies,
backend as well as dependent frontend code, and in this example
it seems the code is only available for JS/TS), though
if we find a simple solution, I am not against it.
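The rate-limiting scheme sketched in this reply (a file mapping mail address to last click time, a 5 minute window per address and a global limit of one request per 5 seconds), written out as an added Python example. This is not code from the thread or from the Proxmox Mail Gateway project (whose API is written in Perl); the JSON file layout, the reserved `__global__` key, the function names and the constructed click sequence in `demo()` are all assumptions made for the illustration.

```python
import json
import os
import time
from typing import Dict, List, Tuple

PER_ADDRESS_WINDOW = 5 * 60  # seconds: one self-service request per address per 5 min
GLOBAL_WINDOW = 5            # seconds: one self-service request overall per 5 s
GLOBAL_KEY = "__global__"    # assumed reserved key for the global timestamp in the state file


def load_state(path: str) -> Dict[str, float]:
    """Read the mail -> last click time mapping; a missing or corrupt file counts as empty."""
    try:
        with open(path, "r", encoding="utf-8") as f:
            data = json.load(f)
    except (FileNotFoundError, json.JSONDecodeError):
        return {}
    return {k: float(v) for k, v in data.items()}


def save_state(path: str, state: Dict[str, float]) -> None:
    """Write the mapping via a temp file and atomic rename so a crash never leaves it half-written."""
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as f:
        json.dump(state, f)
    os.replace(tmp, path)


def check_and_record(state: Dict[str, float], mail: str, now: float) -> Tuple[bool, str]:
    """Apply the global window first, then the per-address window; record the click only if allowed.

    Refused attempts do not refresh any timestamp, so a flood of refused clicks
    cannot extend the lockout beyond the fixed windows.
    """
    mail = mail.strip().lower()  # Foo@Example.com and foo@example.com share one slot
    if now - state.get(GLOBAL_KEY, 0.0) < GLOBAL_WINDOW:
        return False, "global"
    if now - state.get(mail, 0.0) < PER_ADDRESS_WINDOW:
        return False, "address"
    state[mail] = now
    state[GLOBAL_KEY] = now
    return True, "ok"


def prune(state: Dict[str, float], now: float) -> Dict[str, float]:
    """Drop per-address entries whose window has expired so the file does not grow without bound."""
    return {k: v for k, v in state.items()
            if k == GLOBAL_KEY or now - v < PER_ADDRESS_WINDOW}


def record_click(path: str, mail: str, now: float = None) -> Tuple[bool, str]:
    """Full operation for one button click: load, check, prune and persist.

    Concurrent API workers would need a file lock around this load/save pair;
    that is left out here to keep the example short.
    """
    now = time.time() if now is None else now
    state = load_state(path)
    allowed, reason = check_and_record(state, mail, now)
    if allowed:
        save_state(path, prune(state, now))
    return allowed, reason


def demo() -> List[str]:
    """Constructed scenario: replay a burst of clicks against a temporary state file."""
    import tempfile
    clicks = [
        ("alice@example.com", 1000.0),  # first click: allowed
        ("alice@example.com", 1002.0),  # 2 s later: refused by the global window
        ("bob@example.com", 1002.0),    # a different user in the same second: also refused
        ("bob@example.com", 1010.0),    # allowed
        ("Alice@Example.com", 1200.0),  # same mailbox, different case: per-address window refuses
        ("alice@example.com", 1300.0),  # exactly 5 min after the first click: allowed again
    ]
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "selfservice-ratelimit.json")
        return [record_click(path, mail, now=t)[1] for mail, t in clicks]


if __name__ == "__main__":
    print(demo())  # ['ok', 'global', 'global', 'ok', 'address', 'ok']
```

Note the trade-off the global window introduces: it caps the load the button can put on the internal mail server, but one client issuing a request every few seconds can keep everyone else below that cap, so the global limit turns a DoS against the mail server into a DoS against the self-service feature itself; the per-address window alone does not have that property.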