You Should Care About Email Flooding. This Is How to Avoid It.

June 23, 2020 · 2 min read

“So Long And Thanks For All The Phishing” by Abraham Joel Pena Puelo / CC BY 4.0

Imagine this. Someone uses your website form to send thousands of spam emails. And you wake up to your email reputation being ruined and hundreds of “WTF happened” emails.

The horror.

We call this type of vulnerability email flooding and there are three ways to fix it:

  • Captchas
  • Rate limiting
  • Limiting by email address

But before we go into the details on how they work, here is how to make email flooding even worse:

  • Include free text in your email (like name) without length limitation
  • Render HTML in your email from user input
  • Send emails with large attachments (this can lead to email bombing)

Three ways to reduce email flooding

Let’s go into the details of how you can prevent email flooding from your systems. It’s best to combine several of these techniques.

Use Captchas to prevent automated scripts

This is a simple way to limit email sending to humans and exclude automated robots.

You could use Google’s reCAPTCHA for this, or try out alternative bot traps such as honeypot fields.

This will repel most evildoers, but someone could still send these emails manually, or hire people to do it for them.

Use rate limiting to prevent mass emails from one user

Rate limiting is another way to limit how many emails someone can send with your forms.

There is certainly a rate-limiter library for your backend technology stack.

Limit by receiver address to prevent flooding of one user’s inbox

The last method works like this. When someone submits a form, you check your database to see whether, and when, you last sent this particular type of email to that email address.

There are three distinct cases:

  • You never sent that type of email to that email address: send it and save type, email, and timestamp in your database
  • You already sent that type of email to that email address, but the timestamp is older than a few minutes: send it and update the timestamp in your database
  • You already sent that type of email to that email address, and the timestamp is just a few minutes old: don’t send the email
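
The three cases above can be handled in a single atomic database statement, so two simultaneous form submissions cannot both slip through. This is an added example, not code from the original post; the SQLite table `sent_email`, the function names, and the five-minute cooldown are assumptions chosen for illustration.

```python
import sqlite3

COOLDOWN_SECONDS = 5 * 60  # assumed value for "a few minutes"


def open_store(path=":memory:"):
    """Create the (hypothetical) table holding type, email and timestamp."""
    conn = sqlite3.connect(path)
    conn.execute(
        """CREATE TABLE IF NOT EXISTS sent_email (
               email_type TEXT NOT NULL,
               address    TEXT NOT NULL,
               last_sent  REAL NOT NULL,
               PRIMARY KEY (email_type, address)
           )"""
    )
    return conn


def normalize(address):
    # Assumption: addresses are compared case-insensitively and trimmed, so
    # " Bob@Example.com" and "bob@example.com" share one limit.
    return address.strip().lower()


def may_send(conn, email_type, address, now, cooldown=COOLDOWN_SECONDS):
    """Return True (and record the send) if the email may go out, else False."""
    with conn:  # commit on success, roll back on error
        cur = conn.execute(
            """INSERT INTO sent_email (email_type, address, last_sent)
               VALUES (?, ?, ?)
               ON CONFLICT(email_type, address) DO UPDATE
                   SET last_sent = excluded.last_sent
                   WHERE excluded.last_sent - sent_email.last_sent >= ?""",
            (email_type, normalize(address), now, cooldown),
        )
        # Case 1 (never sent): row inserted, rowcount == 1.
        # Case 2 (old timestamp): row updated, rowcount == 1.
        # Case 3 (recent timestamp): nothing changes, rowcount == 0.
        return cur.rowcount == 1
```

Call `may_send` with the current time (for example `time.time()`) right before handing the message to your mailer, and skip the send when it returns `False`.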


Seriously, go and implement some of these measures or someone will eventually use your email account to spam others.

If you want to tackle this issue, look at every action in your application that sends an email to someone. Prominent examples are:

  • Contact Us form
  • Sign Up form
  • Forgot Password form
  • Contact Other User form