惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
Threatpost
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
S
Security Affairs
N
News and Events Feed by Topic
T
Tenable Blog
P
Proofpoint News Feed
W
WeLiveSecurity
Simon Willison's Weblog
Simon Willison's Weblog
Google DeepMind News
Google DeepMind News
C
CERT Recently Published Vulnerability Notes
Help Net Security
Help Net Security
I
Intezer
T
Threat Research - Cisco Blogs
S
Secure Thoughts
C
Cyber Attacks, Cyber Crime and Cyber Security
L
Lohrmann on Cybersecurity
AWS News Blog
AWS News Blog
Google Online Security Blog
Google Online Security Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Know Your Adversary
Know Your Adversary
Project Zero
Project Zero
The Hacker News
The Hacker News
Security Archives - TechRepublic
Security Archives - TechRepublic
T
Tor Project blog
N
News | PayPal Newsroom
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Hacker News - Newest:
Hacker News - Newest: "LLM"
A
Arctic Wolf
Forbes - Security
Forbes - Security
O
OpenAI News
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Security Latest
Security Latest
P
Palo Alto Networks Blog
S
Schneier on Security
S
Securelist
C
Cybersecurity and Infrastructure Security Agency CISA
H
Heimdal Security Blog
V
Vulnerabilities – Threatpost
www.infosecurity-magazine.com
www.infosecurity-magazine.com
博客园_首页
T
Troy Hunt's Blog
Latest news
Latest news
Recent Announcements
Recent Announcements
MyScale Blog
MyScale Blog
人人都是产品经理
人人都是产品经理
L
LINUX DO - 热门话题
M
MIT News - Artificial intelligence
N
Netflix TechBlog - Medium
V
Visual Studio Blog
H
Hacker News: Front Page

Buttondown's blog

Email could have been X.400 times better The physicists who convinced Fermilab to send Brazil's emails Better in-app previews Analytics 3.0 Subscriber ID variables Comments! Send latest premium action Automation filtering Free API subscribers Surveys in automations Reply to replies Labels for RSS feeds How Jeremy Singer-Vine curates curious datasets for readers 2023 (and what's next) Email vs web content Sort by engagement Better gift subscriptions How Andy Dehnart built a career reviewing television New email template Email-based automations Opt-in reply tracking Automatic alt text More social network integrations Sort by metadata Overlarge image warnings Automation tag actions Pause emails mid-flight Search tags and automations Gift via automations Subscriber-driving emails Programmatic webhooks Email page views Tag statistics Discord webhook formatting Automatic subscriber cleanup RSS subscriber count Weekly subscriber reports More list columns Customizable list views How Max Voltar turned a side gig into a trusted keyboard resource How Nick Disabato runs two newsletters from one design consultancy Made-for-you share images Automation improvements End-of-email surveys Filter by date Survey-triggered automations More automation functionality New webhooks How France Insider built a news service with paid subscribers Email as primary key How John Willshire unites two businesses in one newsletter Confirmation reminders Email churned subscribers Email-to-draft Subscriber metadata columns ChatGPT integration Faster web archives Referral program Better search results TikTok embeds Subscriber timeline Spotify embeds Improved RSS-to-email Subscribe page OG image New analytics page Google Tag Manager Even more subscriber types Integrating Duda with Buttondown Linktree integration guide Advanced and enterprise plans Framer integration guide API requests page Team collaboration In-email surveys Better CSS settings Better RSS automation fetching! Editor toolbar improvements Smart filters Faster emails page RSS automations Faster email analytics Zapier error codes Image accessibility checks Tags vs newsletters OG image picker Image editor improvements API bulk actions Improved OpenAPI spec Mastodon support Better subscriber filtering Better subscriber validation Hotkey support! Programmatic access to analytics Stronger bulk actions Faster archive page Custom canonical URLs Email slug and metadata Improved writing interface Generating a Typescript router in Django Filter emails by source
Firewall changes and improvements
Justin Duke · 2026-04-19 · via Buttondown's blog

Attack mode, embedded fingerprinting, and denied user agents — three new ways to keep spam out of your newsletter.

Justin Duke

Justin Duke

April 19, 2026

Depending on your perspective, it's either very boring or very interesting to read about changes to how we do firewalling. Ideally, of course, you would need to know nothing about the firewall — we would simply always do the correct thing at all points in time, invisibly and imperceptibly.

But different people want different things, and especially where subscribers are concerned, we try to err on the side of transparency and customizability so any author can get the exact setup that works for them. With that context, I'd like to walk through a handful of new additions to bolster your newsletter against incoming spam.

Attack mode

Attack mode, which is enabled for all accounts by default, automatically and temporarily turns on our strongest set of firewall functionality if we detect a surge of spam traffic headed your way. We send you an email whenever this happens.

While you can disable attack mode, I highly encourage you to keep it on even if you want lower firewall settings: few things can cause more serious long-term damage to your deliverability than a spate of a couple hundred or thousand bad email addresses getting associated with your newsletter or domain.

Embedded fingerprinting

If enabled (it's disabled by default), this setting will heavily penalize any incoming subscribers who subscribe through one of your embedded forms but don't have a fingerprint. This is a bit convoluted, so it's best explained in the context of what it catches: a particular genre of attacker that loads your subscription form in an iframe and then mass signs up to it programmatically.

If all of these words are meaningless to you and you don't know what an iframe even is, you likely don't have to worry about this one.

Denied user agents

If you've set up a custom hosting domain, you can now supply a list of user agents to block — things like GPTBot or Facebook's crawler. We'll automatically turn this into a robots.txt file for you, as well as inject <meta name="robots"> tags to (ideally) protect your content from unwanted traffic. It pairs nicely with our custom click tracking domains if you're already being thoughtful about how your newsletter shows up on the web.

As always, head to your firewall settings to configure any of this, and don't hesitate to reach out if you have questions.

Frequently asked questions

Why do I need a custom domain to use denied user agents?

Because robots.txt is domain-wide, you can't have a customized one unless you're on your own specialized domain.

This is a lot of stuff. What do I actually need to do?

In all honesty, very little. If you're reading this, you're likely one of the 99.7% of Buttondown customers who are not targeted by very annoying adversarial spammers. And if all of this stuff seems completely irrelevant to your life, then that is, trust me, a good thing.