Opt-in email

[adehnert]

Another approach to handling our "we keep getting marked as spammers" issue (see also #357, #407) is to require users to opt-in or do something special to send mail, thereby preventing your average untargeted spammer from being able to exploit us to source spam.

We probably want to make sure that our autoinstallers (WordPress? and MediaWiki? in particular) are able to send account confirmation emails. We could automatically opt in anybody who runs those, but I bet that'll substantially limit the number of people we can catch. Another approach is to patch them to use some special default-enabled mechanism that untargeted spammers wouldn't try:

• have a magic string like current-locker-owner@scripts.mit.edu that's always allowed and rewrite it
• some simple API that allows unblocking mail for ten minutes, and call it right before sending mail
• SMTP server running on a separate port or IP that isn't blocked, and configure them to use it instead

Notes on some of our common autoinstalled things:

• WordPress? doesn't obviously document their mail setup
• MediaWiki? can be ​configured to use a custom SMTP server, or uses PHP's mail function by default
• Django has ​pluggable mail backends -- we could write our own, or configure the SMTP backend to use a [custom host/port ​https://docs.djangoproject.com/en/dev/ref/settings/#std:setting-EMAIL_HOST]