[ mailman-Bugs-1448537 ] Limit number of subscribe requests in a period

Bugs item #1448537, was opened at 2006-03-12 15:30
Message generated for change (Comment added) made by eric_black
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1448537&group_id=103

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: security/privacy
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: EricB (eric_black)
Assigned to: Nobody/Anonymous (nobody)
Summary: Limit number of subscribe requests in a period

Initial Comment:
Add limits (number of requests in a day, and minimum number of days before resetting the counter) to the number of subscribe requests for an email address. Defaults would be 1 request in 1 day. This is needed to prevent malicious mailbombing of an innocent victim by someone repeatedly submitting their address. Currently the victim gets the verify.txt template email for each submission.

----------------------------------------------------------------------
Comment By: EricB (eric_black)
Date: 2006-03-12 19:30

Message:
Logged In: YES
user_id=1474448

Thanks for the suggestion. That helps if a user complains, but does not help in this scenario:

A malicious evil-doer discovers a spamtrap email address used by any of the many RBLs, and repeatedly submits that address in a subscribe request, either by forging email (trivial to do) or by repeatedly submitting the HTML form (also trivial to do). The spamtrap receives multiple confirmation requests. The first confirmation request should be ignored, because typos happen. Subsequent confirmation requests may well be considered to be spam. Especially if there are 5 a day, let alone 100 in the space of an hour.

----------------------------------------------------------------------

Comment By: Tokio Kikuchi (tkikuchi)
Date: 2006-03-12 19:19

Message:
Logged In: YES
user_id=67709

You can suppress sending confirmation by putting the victim's email address in ban_list from the admin page (privacy section), if she/he is not willing to be added to your list. This may not work if the malicious user forges the 'From:' header. In this case, the victim may well introduce some mail filter to get junk mails discarded before they reach her/his eyes.

----------------------------------------------------------------------

Comment By: EricB (eric_black)
Date: 2006-03-12 15:47

Message:
Logged In: YES
user_id=1474448

BTW, I've been running 2.1.5 with this problem, and 2.1.7 still exhibits the vulnerability.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100103&aid=1448537&group_id=103
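The limit proposed in the initial comment (N subscribe requests per address per day, with the counter reset only after a minimum number of days) sketched as a small Python module. This is an added example, not Mailman's code and not a patch from this tracker item: the class name SubscribeRequestLimiter, the in-memory dict storage and the constructed sample request log are all assumptions made here to show how the two parameters interact, and how the spamtrap scenario from the thread behaves under the proposed defaults (1 request in 1 day).

```python
"""Per-address limiter for subscription confirmation mails.

Added example (not Mailman's code). Models the limit proposed in
mailman bug #1448537: at most `max_requests` confirmation mails per
address per window, and the counter is only reset once `reset_days`
have elapsed since the first request in the window. Storage is a plain
dict; a real deployment would persist it next to the list's data.
"""
import time

DAY = 24 * 60 * 60


class SubscribeRequestLimiter:
    def __init__(self, max_requests=1, reset_days=1):
        # Defaults mirror the bug's proposal: 1 request in 1 day.
        if max_requests < 1 or reset_days < 1:
            raise ValueError("limits must be at least 1")
        self.max_requests = max_requests
        self.reset_seconds = reset_days * DAY
        # normalized address -> [requests_seen, window_start]
        self._windows = {}

    @staticmethod
    def normalize(address):
        # An attacker can vary case ('Trap@' vs 'trap@') to get a fresh
        # counter; fold case and strip whitespace so they share one.
        # (Assumption: the local part is treated case-insensitively.)
        return address.strip().lower()

    def allow(self, address, now=None):
        """Return True if a confirmation mail may be sent to `address` now."""
        now = time.time() if now is None else now
        key = self.normalize(address)
        entry = self._windows.get(key)
        if entry is None or now - entry[1] >= self.reset_seconds:
            # Fresh window: the first request in a period always goes out,
            # since a genuine typo victim must still be able to subscribe.
            self._windows[key] = [1, now]
            return True
        entry[0] += 1
        # Within the window: send only while under the cap. Requests past the
        # cap are still counted, but the window start is never moved, so a
        # steady stream of submissions cannot push the reset further out.
        return entry[0] <= self.max_requests


def simulate(limiter, requests):
    """requests: iterable of (address, unix_timestamp); returns one bool each."""
    return [limiter.allow(addr, ts) for addr, ts in requests]


# Constructed sample log: an attacker submits a spamtrap address five times
# within an hour (one with different case), an unrelated address is
# submitted once, and the spamtrap is submitted again two days later.
SAMPLE_REQUESTS = [
    ("spamtrap@example.net", 0),
    ("SpamTrap@example.net", 600),
    ("spamtrap@example.net", 1200),
    ("spamtrap@example.net", 1800),
    ("spamtrap@example.net", 3600),
    ("other@example.org", 3700),
    ("spamtrap@example.net", 2 * DAY + 1),
]


def demo(max_requests=1, reset_days=1):
    """Run the constructed sample through a limiter and return the decisions."""
    limiter = SubscribeRequestLimiter(max_requests, reset_days)
    return simulate(limiter, SAMPLE_REQUESTS)


if __name__ == "__main__":
    for (addr, ts), sent in zip(SAMPLE_REQUESTS, demo()):
        print("%7d  %-22s  %s" % (ts, addr, "sent" if sent else "suppressed"))
```

With the proposed defaults only the first spamtrap submission and the unrelated address produce a confirmation mail; the four repeats within the hour are suppressed, and the spamtrap gets one more mail only after the one-day reset has passed. Two caveats a practitioner would want: this limits mail per target address, so it does not stop an attacker who rotates through many victim addresses, and it is a complement to, not a replacement for, the per-list ban_list suppression Tokio describes above.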