Preventing email spam when sending out activations
Moderator: General Moderators
Preventing email spam when sending out activations
Perhaps someone has dealt with this before
Whenever a user changes their e-mail address, my script sends out an activation link to that new address. Once the link is clicked, their new e-mail address is updated in the database overwriting the old one. My concern is balancing usability of legit users with perhaps those who will use this feature to spam e-mail addresses not belonging to them.
Currently I have set a minimal interval between e-mail address changes of 5 minutes (to prevent users from changing their address 100 times, effectively sending out 100 emails in a matter of seconds to what may not be their address) however I feel like this may prevent legit users, who may have typo'd their new e-mail address, from changing their e-mail address to the correct quickly.
I have a lot of options in mind on how to solve this but all of them seem to be restricting legit users more than they are restricting potential spammers. An interval of 5 minutes may seem like forever to a legit user who made a spelling mistake while a spam script on a single account may send 20 * 24 emails a day (I've thought of CAPTCHA but again this is a big annoyance for legitimate users).
I understand I must give up usability to increase security but this seems like a very imbalanced situation. An extra minute between sends means nothing to a spam bot while users may find it much more annoying. I also understand I could detect spam or receive a complaint and block user's account manually but nothing is stopping them from creating 20 more accounts and it may take hours before the new ones are identified.
Whenever a user changes their e-mail address, my script sends out an activation link to that new address. Once the link is clicked, their new e-mail address is updated in the database overwriting the old one. My concern is balancing usability of legit users with perhaps those who will use this feature to spam e-mail addresses not belonging to them.
Currently I have set a minimal interval between e-mail address changes of 5 minutes (to prevent users from changing their address 100 times, effectively sending out 100 emails in a matter of seconds to what may not be their address) however I feel like this may prevent legit users, who may have typo'd their new e-mail address, from changing their e-mail address to the correct quickly.
I have a lot of options in mind on how to solve this but all of them seem to be restricting legit users more than they are restricting potential spammers. An interval of 5 minutes may seem like forever to a legit user who made a spelling mistake while a spam script on a single account may send 20 * 24 emails a day (I've thought of CAPTCHA but again this is a big annoyance for legitimate users).
I understand I must give up usability to increase security but this seems like a very imbalanced situation. An extra minute between sends means nothing to a spam bot while users may find it much more annoying. I also understand I could detect spam or receive a complaint and block user's account manually but nothing is stopping them from creating 20 more accounts and it may take hours before the new ones are identified.
Spam doesn't have to be commercial to be a nuisance.
If someone uses a bot to spam an e-mail address with meaningless activations every 5 minutes surely the owner of the email address will not like it. What if I register 30 accounts and do the same?
I understand I am nitpicking and this is unlikely to happen at all but websites do get attacked and exploited in every way possible and I don't see a reason why this is not a legitimate concern unless you have a very low user base.
If someone uses a bot to spam an e-mail address with meaningless activations every 5 minutes surely the owner of the email address will not like it. What if I register 30 accounts and do the same?
I understand I am nitpicking and this is unlikely to happen at all but websites do get attacked and exploited in every way possible and I don't see a reason why this is not a legitimate concern unless you have a very low user base.
Well that is understandable but regardless, if someone wants to nail your site, they are going to nail it. You can put in all kinds of protection mechanisms and someone can still go in and create 30 accounts through proxies. Even with all your protections, someone can Joe job you and the spam won't even be originating from your site.
As Roja has said before, just remove any potential gain from the user to do things like that.
As Roja has said before, just remove any potential gain from the user to do things like that.
- Chris Corbyn
- Breakbeat Nuttzer
- Posts: 13098
- Joined: Wed Mar 24, 2004 7:57 am
- Location: Melbourne, Australia
Some captchas are hideously difficult to read (the hotmail signup one for a start). They need to be in order to prevent bots sussing them out though.matthijs wrote:I totally agree. Even for sighted persons it's annoying, let alone for a blind person...mu-ziq wrote:I've thought of CAPTCHA but again this is a big annoyance for legitimate users
Logic tests are a little nicer and a breath of fresh air to me. This could be something really simple like basic questions such as "How many days are there in a week?", or "10 + 2 = ?"
I really like hotcaptcha 
- Chris Corbyn
- Breakbeat Nuttzer
- Posts: 13098
- Joined: Wed Mar 24, 2004 7:57 am
- Location: Melbourne, Australia
Haha that's funnyWeirdan wrote:I really like hotcaptcha
- Ambush Commander
- DevNet Master
- Posts: 3698
- Joined: Mon Oct 25, 2004 9:29 pm
- Location: New Jersey, US
- Ambush Commander
- DevNet Master
- Posts: 3698
- Joined: Mon Oct 25, 2004 9:29 pm
- Location: New Jersey, US