Preventing email spam when sending out activations
Posted: Fri Jul 21, 2006 4:51 pm
Perhaps someone has dealt with this before
Whenever a user changes their e-mail address, my script sends out an activation link to that new address. Once the link is clicked, their new e-mail address is updated in the database overwriting the old one. My concern is balancing usability of legit users with perhaps those who will use this feature to spam e-mail addresses not belonging to them.
Currently I have set a minimal interval between e-mail address changes of 5 minutes (to prevent users from changing their address 100 times, effectively sending out 100 emails in a matter of seconds to what may not be their address) however I feel like this may prevent legit users, who may have typo'd their new e-mail address, from changing their e-mail address to the correct quickly.
I have a lot of options in mind on how to solve this but all of them seem to be restricting legit users more than they are restricting potential spammers. An interval of 5 minutes may seem like forever to a legit user who made a spelling mistake while a spam script on a single account may send 20 * 24 emails a day (I've thought of CAPTCHA but again this is a big annoyance for legitimate users).
I understand I must give up usability to increase security but this seems like a very imbalanced situation. An extra minute between sends means nothing to a spam bot while users may find it much more annoying. I also understand I could detect spam or receive a complaint and block user's account manually but nothing is stopping them from creating 20 more accounts and it may take hours before the new ones are identified.
Whenever a user changes their e-mail address, my script sends out an activation link to that new address. Once the link is clicked, their new e-mail address is updated in the database overwriting the old one. My concern is balancing usability of legit users with perhaps those who will use this feature to spam e-mail addresses not belonging to them.
Currently I have set a minimal interval between e-mail address changes of 5 minutes (to prevent users from changing their address 100 times, effectively sending out 100 emails in a matter of seconds to what may not be their address) however I feel like this may prevent legit users, who may have typo'd their new e-mail address, from changing their e-mail address to the correct quickly.
I have a lot of options in mind on how to solve this but all of them seem to be restricting legit users more than they are restricting potential spammers. An interval of 5 minutes may seem like forever to a legit user who made a spelling mistake while a spam script on a single account may send 20 * 24 emails a day (I've thought of CAPTCHA but again this is a big annoyance for legitimate users).
I understand I must give up usability to increase security but this seems like a very imbalanced situation. An extra minute between sends means nothing to a spam bot while users may find it much more annoying. I also understand I could detect spam or receive a complaint and block user's account manually but nothing is stopping them from creating 20 more accounts and it may take hours before the new ones are identified.