| 1 | +--- |
| 2 | +title: "inbox.ru Domain Prohibition Follow-up" |
| 3 | +description: A follow-up to the inbox.ru email domain prohibition. |
| 4 | +authors: |
| 5 | + - miketheman |
| 6 | +date: 2025-07-25 |
| 7 | +tags: |
| 8 | + - security |
| 9 | + - transparency |
| 10 | +--- |
| 11 | + |
| 12 | +A follow-up to the [previous post](./2025-06-15-prohibiting-inbox-ru-emails.md). |
| 13 | + |
| 14 | +We have since learned that the campaign was orchestrated |
| 15 | +by the company that owns the `inbox.ru` email domain, |
| 16 | +and not by a malicious third party as we initially suspected. |
| 17 | + |
| 18 | +<!-- more --> |
| 19 | + |
| 20 | +Following the previous post, |
| 21 | +a representative of the parent company for `inbox.ru` reached out |
| 22 | +to PyPI Admins to discuss the situation. |
| 23 | +They expressed their desire to resolve the issue, and reinstate the ability |
| 24 | +for their users to register for PyPI accounts with email addresses from the `inbox.ru` domain. |
| 25 | + |
| 26 | +They confirmed that the user account registrations on PyPI originated from an internal security team, |
| 27 | +"to prevent possible abuse of external libraries for attacks on our systems". |
| 28 | + |
| 29 | +They also confirmed that they have held staff meetings and have decided to abandon this practice, |
| 30 | +and develop alternate methods for detection and prevention of abuse, |
| 31 | +and have apologized for the incident. |
| 32 | + |
| 33 | +As such, we have re-enabled the ability for users to register accounts |
| 34 | +using the `inbox.ru` email domain, |
| 35 | +and to add `inbox.ru` email addresses to existing accounts. |
| 36 | + |
| 37 | +We will continue to monitor the situation, |
| 38 | +and if we see any further abuse from this domain or others, |
| 39 | +we will take appropriate action to protect PyPI users and resources. |
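Review bot: the opening paragraph (new lines 14-16) refers to "the campaign" without saying what it was, so a reader who lands on this post directly has to follow the link on line 12 before the rest makes sense. Consider adding one sentence that summarises the original incident, since line 26 only later mentions that it involved user account registrations on PyPI. The re-enablement paragraph (lines 33-35) also does not say when registration and adding `inbox.ru` addresses to existing accounts were turned back on; stating that date, if it differs from the post date on line 6, would help readers line the change up with their own records. Finally, the quotation on line 27 would read more clearly if it were explicitly attributed to the representative mentioned on line 21.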