Preventing email spam when sending out activations

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
mu-ziq
Forum Newbie
Posts: 11
Joined: Fri Jul 08, 2005 9:42 pm

Preventing email spam when sending out activations

Post by mu-ziq »

Perhaps someone has dealt with this before

Whenever a user changes their e-mail address, my script sends out an activation link to that new address. Once the link is clicked, their new e-mail address is updated in the database overwriting the old one. My concern is balancing usability of legit users with perhaps those who will use this feature to spam e-mail addresses not belonging to them.

Currently I have set a minimal interval between e-mail address changes of 5 minutes (to prevent users from changing their address 100 times, effectively sending out 100 emails in a matter of seconds to what may not be their address) however I feel like this may prevent legit users, who may have typo'd their new e-mail address, from changing their e-mail address to the correct quickly.

I have a lot of options in mind on how to solve this but all of them seem to be restricting legit users more than they are restricting potential spammers. An interval of 5 minutes may seem like forever to a legit user who made a spelling mistake while a spam script on a single account may send 20 * 24 emails a day (I've thought of CAPTCHA but again this is a big annoyance for legitimate users).

I understand I must give up usability to increase security but this seems like a very imbalanced situation. An extra minute between sends means nothing to a spam bot while users may find it much more annoying. I also understand I could detect spam or receive a complaint and block user's account manually but nothing is stopping them from creating 20 more accounts and it may take hours before the new ones are identified.
User avatar
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

How would sending an activation link benefit spammers? That doesn't make any sense. If your really concerned about it, don't let them change their email address more than 3 times a day.
mu-ziq
Forum Newbie
Posts: 11
Joined: Fri Jul 08, 2005 9:42 pm

Post by mu-ziq »

Spam doesn't have to be commercial to be a nuisance.

If someone uses a bot to spam an e-mail address with meaningless activations every 5 minutes surely the owner of the email address will not like it. What if I register 30 accounts and do the same?

I understand I am nitpicking and this is unlikely to happen at all but websites do get attacked and exploited in every way possible and I don't see a reason why this is not a legitimate concern unless you have a very low user base.
User avatar
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

Well that is understandable but regardless, if someone wants to nail your site, they are going to nail it. You can put in all kinds of protection mechanisms and someone can still go in and create 30 accounts through proxies. Even with all your protections, someone can Joe job you and the spam won't even be originating from your site.

As Roja has said before, just remove any potential gain from the user to do things like that.
mu-ziq
Forum Newbie
Posts: 11
Joined: Fri Jul 08, 2005 9:42 pm

Post by mu-ziq »

Yeah you're right. I guess there is no way to make any site bulletproof without making it impossible to use.

Thanks for your help astions.
jmut
Forum Regular
Posts: 945
Joined: Tue Jul 05, 2005 3:54 am
Location: Sofia, Bulgaria
Contact:

Post by jmut »

mu-ziq wrote:Yeah you're right. I guess there is no way to make any site bulletproof without making it impossible to use.

Thanks for your help astions.
can't you use CAPTCHA (pictures with messy string/numbers that are meant to distinguish computer from human)
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

mu-ziq wrote:I've thought of CAPTCHA but again this is a big annoyance for legitimate users
I totally agree. Even for sighted persons it's annoying, let alone for a blind person...
User avatar
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

matthijs wrote:
mu-ziq wrote:I've thought of CAPTCHA but again this is a big annoyance for legitimate users
I totally agree. Even for sighted persons it's annoying, let alone for a blind person...
Some captchas are hideously difficult to read (the hotmail signup one for a start). They need to be in order to prevent bots sussing them out though.

Logic tests are a little nicer and a breath of fresh air to me. This could be something really simple like basic questions such as "How many days are there in a week?", or "10 + 2 = ?"
User avatar
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

I really like hotcaptcha ;)
User avatar
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

Weirdan wrote:I really like hotcaptcha ;)
Haha that's funny :D
User avatar
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Actually, that's exactly how a logic test needs: A large database of possible questions. Not sure how many photos they've got there, but it should make it infeasible for a bot to copy down all entries which are hot or not.

Unfortunantely, it doesn't solve the accessibility problem.
User avatar
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

Not sure how many photos they've got there
according to hotornot.com (their db is used on hotcaptcha.com) they have 24,100,000 photos.
User avatar
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Delightful! :twisted:
Post Reply