Preventing email spam when sending out activations

Posted: Fri Jul 21, 2006 4:51 pm
by mu-ziq
Perhaps someone has dealt with this before

Whenever a user changes their e-mail address, my script sends out an activation link to that new address. Once the link is clicked, their new e-mail address is updated in the database overwriting the old one. My concern is balancing usability of legit users with perhaps those who will use this feature to spam e-mail addresses not belonging to them.

Currently I have set a minimal interval between e-mail address changes of 5 minutes (to prevent users from changing their address 100 times, effectively sending out 100 emails in a matter of seconds to what may not be their address); however, I feel like this may prevent legit users, who may have typo'd their new e-mail address, from changing their e-mail address to the correct one quickly.

I have a lot of options in mind on how to solve this but all of them seem to be restricting legit users more than they are restricting potential spammers. An interval of 5 minutes may seem like forever to a legit user who made a spelling mistake while a spam script on a single account may send 20 * 24 emails a day (I've thought of CAPTCHA but again this is a big annoyance for legitimate users).

I understand I must give up usability to increase security but this seems like a very imbalanced situation. An extra minute between sends means nothing to a spam bot while users may find it much more annoying. I also understand I could detect spam or receive a complaint and block user's account manually but nothing is stopping them from creating 20 more accounts and it may take hours before the new ones are identified.

Posted: Fri Jul 21, 2006 6:44 pm
by Benjamin
How would sending an activation link benefit spammers? That doesn't make any sense. If you're really concerned about it, don't let them change their email address more than 3 times a day.

Posted: Fri Jul 21, 2006 7:08 pm
by mu-ziq
Spam doesn't have to be commercial to be a nuisance.

If someone uses a bot to spam an e-mail address with meaningless activations every 5 minutes surely the owner of the email address will not like it. What if I register 30 accounts and do the same?

I understand I am nitpicking and this is unlikely to happen at all but websites do get attacked and exploited in every way possible and I don't see a reason why this is not a legitimate concern unless you have a very low user base.
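As an added example (not code posted by anyone in this thread), the following limiter combines the first post's short retry interval with the "3 times a day" cap suggested above, and adds a per-recipient window so that 30 throwaway accounts cannot each spend their own quota on one victim address. The numbers, names and the in-memory storage are assumptions for illustration; a real site would keep the timestamps in its database.

```python
from collections import defaultdict, deque


class ActivationLimiter:
    """Decide whether an e-mail-change activation may be sent.

    Two independent sliding windows (assumed defaults, tune per site):
      * per account: caps how often one login can change its address,
        while a short min_interval still allows a quick typo fix;
      * per destination address: caps how many activations any
        recipient receives from the whole site, regardless of which
        account requested them.
    """

    def __init__(self, per_account=3, per_address=2,
                 window=86400, min_interval=60):
        self.per_account = per_account      # sends per account per window
        self.per_address = per_address      # sends per recipient per window
        self.window = window                # window length in seconds (1 day)
        self.min_interval = min_interval    # seconds between sends, one account
        self._by_account = defaultdict(deque)   # account_id -> send timestamps
        self._by_address = defaultdict(deque)   # recipient  -> send timestamps

    def _prune(self, q, now):
        # Drop timestamps that have fallen out of the sliding window.
        while q and now - q[0] >= self.window:
            q.popleft()

    def check(self, account_id, address, now):
        """Return (allowed, reason); records the send when allowed."""
        address = address.strip().lower()   # normalise so case tricks don't split the count
        acct = self._by_account[account_id]
        dest = self._by_address[address]
        self._prune(acct, now)
        self._prune(dest, now)
        if acct and now - acct[-1] < self.min_interval:
            return False, "account: wait before retrying"
        if len(acct) >= self.per_account:
            return False, "account: daily change limit reached"
        if len(dest) >= self.per_address:
            return False, "address: already has pending activations"
        acct.append(now)
        dest.append(now)
        return True, "sent"
```

The per-address check is the one that matters against multiple accounts: the account limit alone is multiplied by however many logins the attacker registers, whereas the recipient limit is not.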

Posted: Fri Jul 21, 2006 7:20 pm
by Benjamin
Well that is understandable but regardless, if someone wants to nail your site, they are going to nail it. You can put in all kinds of protection mechanisms and someone can still go in and create 30 accounts through proxies. Even with all your protections, someone can Joe job you and the spam won't even be originating from your site.

As Roja has said before, just remove any potential gain from the user to do things like that.

Posted: Fri Jul 21, 2006 7:27 pm
by mu-ziq
Yeah you're right. I guess there is no way to make any site bulletproof without making it impossible to use.

Thanks for your help astions.

Posted: Sat Jul 22, 2006 5:18 am
by jmut
mu-ziq wrote:Yeah you're right. I guess there is no way to make any site bulletproof without making it impossible to use.

Thanks for your help astions.
Can't you use CAPTCHA (pictures with messy strings/numbers that are meant to distinguish computer from human)?

Posted: Sat Jul 22, 2006 7:27 am
by matthijs
mu-ziq wrote:I've thought of CAPTCHA but again this is a big annoyance for legitimate users
I totally agree. Even for sighted persons it's annoying, let alone for a blind person...

Posted: Sat Jul 22, 2006 7:45 am
by Chris Corbyn
matthijs wrote:
mu-ziq wrote:I've thought of CAPTCHA but again this is a big annoyance for legitimate users
I totally agree. Even for sighted persons it's annoying, let alone for a blind person...
Some captchas are hideously difficult to read (the hotmail signup one for a start). They need to be in order to prevent bots sussing them out though.

Logic tests are a little nicer and a breath of fresh air to me. This could be something really simple like basic questions such as "How many days are there in a week?", or "10 + 2 = ?"

Posted: Sat Jul 22, 2006 7:55 am
by Weirdan
I really like hotcaptcha ;)

Posted: Sat Jul 22, 2006 8:38 am
by Chris Corbyn
Weirdan wrote:I really like hotcaptcha ;)
Haha that's funny :D

Posted: Sat Jul 22, 2006 9:47 am
by Ambush Commander
Actually, that's exactly what a logic test needs: a large database of possible questions. Not sure how many photos they've got there, but it should make it infeasible for a bot to copy down all entries which are hot or not.

Unfortunately, it doesn't solve the accessibility problem.

Posted: Sat Jul 22, 2006 9:50 am
by Weirdan
Not sure how many photos they've got there
According to hotornot.com (their db is used on hotcaptcha.com) they have 24,100,000 photos.

Posted: Sat Jul 22, 2006 9:51 am
by Ambush Commander
Delightful! :twisted: