Suspicious IP Setting

Post Reply
John Alan
Posts: 13
Joined: Tue May 24, 2022 10:50 am

Suspicious IP Setting

Post by John Alan » Tue May 24, 2022 10:57 am

A lot of my signups are done through piping an email to a script that ultimately uses Dada's subscribe_email.pl script to initiate Dada's double opt-in procedure, which works fine.

I am a little concerned about the "Enable Suspicious IP Address Activity Protection" option, though. Is this only used when the signup form(s) are used? I guess if there is an IP recorded for what I'm doing with this script, it'll always be the same IP (my server IP) which would obviously be bad to block.

User avatar
dadamail
Site Admin
Posts: 57
Joined: Fri Nov 29, 2019 10:47 pm
Contact:

Re: Suspicious IP Setting

Post by dadamail » Tue May 24, 2022 3:38 pm

That setting would be used for all subscription requests, but I'm not sure if you would be affected, unless some testing would be done. If you haven't had any problems yet, there's probably not going to be a problem in the future, as the limit is really low - only 3 subscription conformations from a given IP address can be made before this gets flagged as suspicious.

A little amazed the subscribe_email.pl script still functions at all. I would check out the RESTful API as an alternative.
Justin J
Creator, Dada Mail

John Alan
Posts: 13
Joined: Tue May 24, 2022 10:50 am

Re: Suspicious IP Setting

Post by John Alan » Tue May 24, 2022 4:07 pm

dadamail wrote:
Tue May 24, 2022 3:38 pm
That setting would be used for all subscription requests, but I'm not sure if you would be affected, unless some testing would be done. If you haven't had any problems yet, there's probably not going to be a problem in the future, as the limit is really low - only 3 subscription conformations from a given IP address can be made before this gets flagged as suspicious.
Ah... so it's the subscription confirmation IP, not the IP that initiates subscribe_email.pl that counts? That would be fine as they should be different every time.
dadamail wrote:
Tue May 24, 2022 3:38 pm
A little amazed the subscribe_email.pl script still functions at all. I would check out the RESTful API as an alternative.
Does the subscribe action on the API initiate the double-opt in, or automatically subscribe without any further intervention? Sorry if that's a daft question, but I have to make sure before spending any time on it :lol:

User avatar
dadamail
Site Admin
Posts: 57
Joined: Fri Nov 29, 2019 10:47 pm
Contact:

Re: Suspicious IP Setting

Post by dadamail » Tue May 24, 2022 5:45 pm

John Alan wrote:
Tue May 24, 2022 4:07 pm
Ah... so it's the subscription confirmation IP, not the IP that initiates subscribe_email.pl that counts? That would be fine as they should be different every time.
I'd have to test to confirm, but I would think the IP address of the server the script is running on would be the IP being passed. So in theory it should be flagging subscription requests as being suspicious with this option enabled. But if it's not, perhaps my thinking is wrong. Easy to try though: just get that script to fire 4 or more times. If each subscription request goes through correctly. no problems.

I'm looking through the test suite, and this check isn't actually covered, so I"m going to open up an issue about that, and make sure it itself is actually working,

https://github.com/justingit/dada-mail/issues/1100
John Alan wrote:
Tue May 24, 2022 4:07 pm
Does the subscribe action on the API initiate the double-opt in, or automatically subscribe without any further intervention? Sorry if that's a daft question, but I have to make sure before spending any time on it :lol:
There are two, one works as if you're administrating a list in the list control panel:

https://dadamailproject.com/d/features- ... s.pod.html

That's not the one you want to use.

There's another that's used as if you're subscription using a public form - in fact, this is what Dada Mail uses itself (most of the time):

https://dadamailproject.com/d/COOKBOOK- ... ESTful-API

I should really get around to having the subscribe_email.pl using the latter API so if/when people need a simple script to do the work, they've got it, and there's not two ways to do the same thing floating around. Note made!

https://github.com/justingit/dada-mail/issues/1099
Justin J
Creator, Dada Mail

John Alan
Posts: 13
Joined: Tue May 24, 2022 10:50 am

Re: Suspicious IP Setting

Post by John Alan » Tue May 24, 2022 7:01 pm

dadamail wrote:
Tue May 24, 2022 5:45 pm
John Alan wrote:
Tue May 24, 2022 4:07 pm
Ah... so it's the subscription confirmation IP, not the IP that initiates subscribe_email.pl that counts? That would be fine as they should be different every time.
I'd have to test to confirm, but I would think the IP address of the server the script is running on would be the IP being passed. So in theory it should be flagging subscription requests as being suspicious with this option enabled. But if it's not, perhaps my thinking is wrong. Easy to try though: just get that script to fire 4 or more times. If each subscription request goes through correctly. no problems.

I'm looking through the test suite, and this check isn't actually covered, so I"m going to open up an issue about that, and make sure it itself is actually working,

https://github.com/justingit/dada-mail/issues/1100
OK... so I might just be getting lucky in that it should be banning the server IP but isn't (I'll test it soon and report back). Would the API hits suffer the same fate? Either way, maybe add an option to whitelist IPs? Or automatically always allow the server's own IP?
dadamail wrote:
Tue May 24, 2022 5:45 pm
John Alan wrote:
Tue May 24, 2022 4:07 pm
Does the subscribe action on the API initiate the double-opt in, or automatically subscribe without any further intervention? Sorry if that's a daft question, but I have to make sure before spending any time on it :lol:
There are two, one works as if you're administrating a list in the list control panel:

https://dadamailproject.com/d/features- ... s.pod.html

That's not the one you want to use.

There's another that's used as if you're subscription using a public form - in fact, this is what Dada Mail uses itself (most of the time):

https://dadamailproject.com/d/COOKBOOK- ... ESTful-API
Thanks again!

John Alan
Posts: 13
Joined: Tue May 24, 2022 10:50 am

Re: Suspicious IP Setting

Post by John Alan » Mon Aug 29, 2022 2:13 pm

I wasn't sure if the suspicions IP was working (v11.19.0) but I was testing API connections and after a few they seemed to do nothing. I figured it was maybe this setting so unchecked it, and sure enough my tests went through again.

I know the IP that all the API connections will come from (on the same server as my Dada install), is it possible to whitelist IPs? I'd like to keep the suspicious IP checked, but also need to have multiple requests from a single IP for API requests.

User avatar
dadamail
Site Admin
Posts: 57
Joined: Fri Nov 29, 2019 10:47 pm
Contact:

Re: Suspicious IP Setting

Post by dadamail » Mon Aug 29, 2022 5:01 pm

A good idea! But that's not something that is currently possible.
Justin J
Creator, Dada Mail

Post Reply