PyPI prohibits inbox.ru email domain registrations
10 months ago
- #PyPI
- #security
- #spam
- PyPI has prohibited the inbox.ru email domain due to a spam campaign.
- The campaign involved over 250 new user accounts and 1,500 projects, causing confusion and potential security risks.
- All affected projects and accounts have been removed or disabled.
- PyPI uses a disposable-email-domains list and maintains an internal block list to prevent abuse.
- The spam campaign timeline shows a rapid increase in user accounts and project uploads over several days.
- Projects created had no code but may have been a setup for a future attack.
- A user reported the issue after an AI model recommended a non-existent project ('slopsquatting').
- PyPI encourages users to verify project names before installation and report suspicious activities.
- The decision to block inbox.ru may be reversed if the email provider improves abuse prevention.
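
One way to act on the advice to verify project names before installation, as an added example that is not PyPI's code or part of the original post: it vets a requirements list against names a team has already reviewed, so a name suggested by an AI model that nobody has checked is held for review instead of installed. The allowlist, the sample lines, the 0.85 similarity cutoff and the function names are all assumptions made for illustration.

```python
import difflib
import re

# Constructed allowlist: names a team has already reviewed (e.g. taken from a lockfile).
APPROVED = {"requests", "numpy", "python-dateutil"}
_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name):
    """PEP 503 normalization: runs of '-', '_', '.' become '-', then lowercase."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(line):
    """Return the normalized project name on one requirements line, or None."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):  # blank, comment-only, or a pip option
        return None
    match = _NAME.match(line)
    return normalize(match.group(1)) if match else None


def vet(lines, approved=APPROVED, cutoff=0.85):
    """Classify each requested name as approved, lookalike, or unknown."""
    approved_norm = sorted(normalize(n) for n in approved)
    report = {}
    for line in lines:
        name = requirement_name(line)
        if name is None:
            continue
        if name in approved_norm:
            report[name] = ("approved", None)
            continue
        # A near miss of a reviewed name is more suspicious than a plain unknown.
        near = difflib.get_close_matches(name, approved_norm, n=1, cutoff=cutoff)
        report[name] = ("lookalike", near[0]) if near else ("unknown", None)
    return report


# Constructed input: two reviewed names, one near miss, one name nobody has reviewed.
SAMPLE = [
    "requests==2.31.0",
    "Python_DateUtil>=2.8  # same project after normalization",
    "requessts",
    "example-nonexistent-helper",
]

if __name__ == "__main__":
    for name, (status, near) in vet(SAMPLE).items():
        print(f"{name:28} {status:10} {near or ''}")
```

Anything that is not on the reviewed list comes back as `lookalike` or `unknown`, and both should block the install until someone has looked at the project page.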