
#1119 Limit number of subscribe requests in a period

Status: open
Owner: nobody
Priority: 5
Updated: 2015-09-23
Created: 2006-03-12
Creator: EricB
Private: No

Add limits (number of requests in a day, and minimum
number of days before resetting the counter) to the
number of subscribe requests for an email address.
Defaults would be 1 request in 1 day.

This is needed to prevent malicious mailbombing of an
innocent victim by someone repeatedly submitting their
address. Currently the victim gets the verify.txt
template email for each submission.
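The throttle proposed above, sketched as an added Python example (Mailman is written in Python); this is not Mailman's own code, and the class name, the in-memory store and the sample submission times are all constructed for illustration. It keeps one counter per normalised address, allows at most `max_requests` confirmation mails while the counter is live, and resets the counter only once `reset_days` have elapsed since the first request in the window, matching the ticket's "1 request in 1 day" defaults.

```python
"""Per-address throttle for subscribe-confirmation mail (added example,
not Mailman code). Limits how many verify.txt mails one address can
trigger in a period, so repeated submissions of a third party's address
produce a single confirmation instead of a flood."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class SubscribeThrottle:
    # Defaults follow the ticket: 1 request per address, counter reset after 1 day.
    max_requests: int = 1
    reset_days: int = 1
    # Hypothetical in-memory store: address -> (window start, requests so far).
    # A real deployment would persist this alongside the list's pending requests.
    _state: dict = field(default_factory=dict)

    def allow(self, address: str, now: datetime) -> bool:
        """Return True if a confirmation mail may be sent to `address` now.

        Addresses are compared case-insensitively so that variants of the
        same mailbox share one counter.  The first request in a fresh
        window is always allowed (typos happen); further requests are
        allowed only up to max_requests until reset_days have passed.
        """
        key = address.strip().lower()
        started, count = self._state.get(key, (None, 0))
        if started is None or now - started >= timedelta(days=self.reset_days):
            # New window: record the first request and let it through.
            self._state[key] = (now, 1)
            return True
        if count < self.max_requests:
            self._state[key] = (started, count + 1)
            return True
        # Over the limit: the caller suppresses the verify.txt mail and
        # should log the event so operators can see the pattern.
        return False


def demo() -> list:
    """Constructed scenario: three submissions of the same address within
    an hour, then one more the next day.  Returns the allow/deny decisions."""
    t0 = datetime(2006, 3, 12, 9, 0)
    throttle = SubscribeThrottle()
    submissions = [
        t0,
        t0 + timedelta(minutes=5),
        t0 + timedelta(minutes=50),
        t0 + timedelta(days=1),
    ]
    return [throttle.allow("Victim@Example.org", t) for t in submissions]


if __name__ == "__main__":
    print(demo())  # [True, False, False, True]
```

With the defaults, only the first submission of the day and the first one the following day produce a confirmation mail; raising `max_requests` to 5 would tolerate a handful of genuine retries while still cutting off the "100 in the space of an hour" case described in the discussion.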

Discussion

  • EricB

    EricB - 2006-03-12


    BTW, I've been running 2.1.5 with this problem, and 2.1.7
    still exhibits the vulnerability.

  • Tokio Kikuchi

    Tokio Kikuchi - 2006-03-13


    You can suppress sending confirmation by putting the
    victim's email address in ban_list from the admin page
    (privacy section), if she/he is not willing to be added in
    your list. This may not work if the malicious user forges
    the 'From:' header. In this case, the victim may well
    introduce some mail filter to get junk mails discarded
    before they reach her/his eyes.

  • EricB

    EricB - 2006-03-13


    Thanks for the suggestion. That helps if a user complains, but does not help
    in this scenario:

    A malicious evil-doer discovers a spamtrap email address used by any of the
    many RBLs, and repeatedly submits that address in a subscribe request,
    either by forging email (trivial to do) or by repeatedly submitting the HTML
    form (also trivial to do). The spamtrap receives multiple confirmation
    requests.

    The first confirmation request should be ignored, because typos happen.

    Subsequent confirmation requests may well be considered to be spam.
    Especially if there are 5 a day, let alone 100 in the space of an hour.

  • Oswald Buddenhagen

    so, does anyone think this just might be worth implementing? it's not like it would be rocket science, and it certainly doesn't look good when your software is an attack weapon of choice.
