by irgeek 3358 days ago
In response, we implemented a shadow ban: On the surface, the attackers continued to receive a 200 HTTP response code, but behind the scenes we simply stopped sending document invitations after they exceeded the rate limit.

And right there they broke the service for legitimate users. Totally unacceptable collateral damage IMHO.


Shadow ban for everyone that exceeded the rate limit or just the one attacker? As others have said that's shitty for legitimate users that go over the rate limit.
You should only shadow ban manually marked attackers: the ones you are sure, very sure, are not legitimate users. This way you can't annoy real customers, as the shadow ban is not automatic and can't trigger on them.
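The split proposed above (an honest 429 for anyone over the limit, a silent 200 only for accounts an operator has reviewed by hand), as an added illustration that is not code from the thread or from Figma; the class, the limits and the account names are constructed for the example:

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple
import time

# Constructed example: sliding-window limiter for a "send document invite" endpoint.
# Over-limit callers get an explicit 429 plus Retry-After; only accounts on the
# hand-curated shadow_banned set get a 200 while the invite is quietly dropped.


@dataclass
class InviteLimiter:
    max_per_window: int = 20
    window_seconds: float = 3600.0
    shadow_banned: Set[str] = field(default_factory=set)  # filled by manual review only
    _sent: Dict[str, deque] = field(default_factory=dict)

    def _recent(self, account: str, now: float) -> deque:
        """Drop timestamps older than the window and return the remaining ones."""
        q = self._sent.setdefault(account, deque())
        while q and now - q[0] >= self.window_seconds:
            q.popleft()
        return q

    def handle_invite(self, account: str, now: Optional[float] = None) -> Tuple[int, bool, dict]:
        """Return (http_status, invite_actually_sent, extra_headers)."""
        now = time.time() if now is None else now
        if account in self.shadow_banned:
            # Reviewed attacker: keep the 200 so nothing is learned, send nothing.
            return 200, False, {}
        q = self._recent(account, now)
        if len(q) >= self.max_per_window:
            retry_after = int(self.window_seconds - (now - q[0])) + 1
            # Honest refusal: a legitimate client can see the limit and back off.
            return 429, False, {"Retry-After": str(retry_after)}
        q.append(now)
        return 200, True, {}
```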
Without shadow ban, you're just telling the spammers how to be effective and stay just under the limit.
So? Users playing by the rules of the service get to use the service unhindered. A much better approach than shadow banning would be to make better rules and enforce them. Spammers don't want to jump through hoops, so if you implement rules based on bounces and spam reports you'll get the same result (fewer spammers) but without screwing over legitimate users.

This is how Mailgun and their ilk operate, and while it's annoying to get bitten by their rules (we forgot to warm up a mailing list once and got a temporary suspension as our bounce rate was too high) they treated us like adults, told us why our service had been suspended and proceeded to help us clean up the mailing list. If they had pulled some shadow banning BS we'd have just left the service as we wouldn't be able to trust that they're not messing us (and our clients) around.

Shadow banning works just fine for online forums and the like. It's a pretty terrible method of rate limiting though.

This is how Mailgun and their ilk operate

That's because their business model is to facilitate the level of spamming that sits right below the threshold of anti-spam measures.

Of course they're going to help you send out as many messages as possible. That's what you pay them for.

Without saying that OP's approach was the most appropriate solution to their problem, I'll point out that Figma's bottom line isn't directly connected to how many document invite emails they shoot out. That's just a collaboration feature of a larger product.

Exactly. Shadow banning, when done right and very carefully, can be extremely effective against spammers. The trick is that you have to go out of your way to identify false positives correctly so that you don't accidentally do it to a legitimate user. You have to be very careful with it.
Manual review can't be that hard. They don't strike me as a huge scale, the author indicated the system wasn't tripped yet. Seems just about perfect for that scale.
The problem with rate limiting is distinguishing a normal user from a spammer. A normal user can sometimes send more requests than usual. If a normal user gets rate-limited by mistake, you are going to get lots of upset users.
Rate limiting is also used to protect against legitimate users who have made mistakes in config (or are poorly skilled), not just spammers. It's much better to let them know why things aren't working than to actively lie about it.
Wow, that's really bad. I get shivers at the thought of trying to troubleshoot that as a client.
I've had this happen before. Found out I was locked out from an email I read later while the login form happily rejected all my attempts.
Agreed. This would be so absolutely frustrating to me and very easy to circumvent for nefarious people.