Add disposable/high-risk email signup scrutiny via check-mail.org
Classifies each signup's email domain (domain-only, GDPR-friendly) alongside the existing IP scrutiny signal, with matching held-welcome and auto email_domain_block behavior. A report against an account with a flagged domain suspends immediately (no reporter-count threshold) and blocks the domain, classified live from the report payload rather than any signup-time record so it also covers pre-existing accounts. Ships CHECK_MAIL_DRY_RUN=true by default, independent of ABUSE_DRY_RUN, so the new report-triggered suspend path stays inert until watched.
This commit is contained in:
@@ -117,3 +117,31 @@ IP_SCRUTINY_IPBLOCK_SEVERITY=sign_up_requires_approval
|
||||
# informational only (mobile carriers are never scrutinized).
|
||||
IP_SCRUTINY_HOSTING_RE=amazon|aws|google|microsoft|azure|digitalocean|ovh|hetzner|linode|vultr|contabo|choopa|m247|scaleway|leaseweb|hostinger|namecheap|godaddy|cloudflare|oracle|alibaba|tencent|akamai|fastly|packet|vpn|proxy|hosting|datacenter|data center|colo(?:cation)?|server
|
||||
IP_SCRUTINY_MOBILE_RE=mobile|wireless|cellular|verizon|t-mobile|tmobile|at&t|att mobility|vodafone|telstra|sprint|three\b|orange mobile|deutsche telekom|o2\b
|
||||
|
||||
# check-mail.org disposable/high-risk email domain scrutiny (roadmap item B,
|
||||
# anti-abuse.md). Domain-only query (never the full email) against
|
||||
# POST https://api.check-mail.org/v2/, Authorization: Bearer <key>.
|
||||
# Free tier: 1,000 req/month.
|
||||
CHECK_MAIL_ENABLED=true
|
||||
CHECK_MAIL_API_KEY=
|
||||
|
||||
# Log/DM only — no held welcome, no email_domain_block write, no
|
||||
# report-triggered suspend. Keep true for rollout until you've watched the
|
||||
# false-positive rate for a while (same role as IP_SCRUTINY_DRY_RUN /
|
||||
# ABUSE_DRY_RUN).
|
||||
CHECK_MAIL_DRY_RUN=true
|
||||
|
||||
# A domain is flagged if check-mail.org marks it is_disposable OR its risk
|
||||
# score (0-100) is at or above this threshold.
|
||||
CHECK_MAIL_RISK_THRESHOLD=80
|
||||
|
||||
# Hold the welcome DM for a flagged signup until account.approved fires, same
|
||||
# semantics as IP_SCRUTINY_HOLD_WELCOME.
|
||||
CHECK_MAIL_HOLD_WELCOME=true
|
||||
|
||||
# Auto-register a flagged signup's email domain into Mastodon's native
|
||||
# Admin::EmailDomainBlock. Requires ABUSE_BOT_TOKEN to carry the
|
||||
# admin:write:email_domain_blocks scope (see CLAUDE.md) — without it this
|
||||
# 403s and is logged as an error, but nothing else in the bot is affected.
|
||||
# Also gates the report-triggered suspend+block override in handle_report().
|
||||
CHECK_MAIL_AUTO_DOMAIN_BLOCK=true
|
||||
|
||||
Reference in New Issue
Block a user