“So Long And Thanks For All The Phishing” by Abraham Joel Pena Puelo / CC BY 4.0
Imagine this. Someone uses your website form to send thousands of spam emails. And you wake up to your email reputation being ruined and hundreds of “WTF happened” emails.
We call this type of vulnerability email flooding and there are three ways to fix it:
But before we go into the details on how they work, here is how to make email flooding even worse:
Let’s go into the details of how you can prevent email flooding from your systems. It’s best to use multiple of these techniques.
This is a simple way to limit email sending to humans and exclude automated robots.
You could use Google’s reCAPTCHA for this, or try out alternative bot traps such as honeypot fields.
This will repel most evildoers, but someone could still manually send these emails, or hire people who do it for them.
Rate limiting is another way to limit how many emails someone can send with your forms.
There is certainly a rate-limiter library for your backend technology stack.
The last method works like this. When someone submits a form, you check your database if and when you last sent this particular type of email to that email address.
There are three distinct cases:
Seriously, go and implement some of these measures or someone will eventually use your email account to spam others.
If you want to tackle this issue, look at every action in your application that sends an email to someone. Prominent examples are: