
Is Sendy vulnerable to Denial of Service type attacks?

edited May 2013 in Questions

I'm new so please forgive if this is an obvious question....

If, say, I have a double opt-in arrangement set up, what will happen if some peeved customer, or group of customers, should keep subscribing with fictitious email addresses? So Sendy keeps automatically sending out response emails (to non-existent addresses) that request confirmation of subscription - and these emails are being bounced back and therefore Amazon SES doesn't like me anymore?!!! Presumably Amazon SES strikes me off its Christmas card list and the MySQL email database grows to a size that is too big for its own good?!!

I have in mind that one way of detecting and preventing this situation would be to store the IP address and registration date of all customers that need to confirm their subscription and then check the IP of each new registration against the IPs of the mails that are awaiting acknowledgement - and if, say, more than 5 (Sendy user/operator definable) emails were already outstanding and hadn't been confirmed then some action would be taken - which might be deleting the oldest outstanding email ('cos unlikely now to be confirmed) and processing the new request as per normal.

And presumably there is no way of preventing a DoS attack at all if only a single opt-in method is used?

Regards
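The per-IP check proposed in the post above, sketched as an added example that is not part of the original thread and is not Sendy's code. The `pending` table, the function names and the in-memory SQLite store are assumptions for illustration, and the threshold is read as "keep at most 5 unconfirmed requests per IP".

```python
import sqlite3

MAX_PENDING_PER_IP = 5  # operator-definable threshold (assumed reading of the post)

def open_db():
    """In-memory stand-in for the pending-confirmation table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE pending (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        email TEXT NOT NULL, ip TEXT NOT NULL, requested_at INTEGER NOT NULL)""")
    return db

def register(db, email, ip, now, limit=MAX_PENDING_PER_IP):
    """Record a double opt-in request; return the emails evicted to stay within limit."""
    rows = db.execute(
        "SELECT id, email FROM pending WHERE ip = ? ORDER BY requested_at, id",
        (ip,)).fetchall()
    # Evict the oldest unconfirmed requests so that, counting the new one,
    # at most `limit` remain outstanding for this IP.
    excess = max(len(rows) - limit + 1, 0)
    evicted = []
    for row_id, old_email in rows[:excess]:
        db.execute("DELETE FROM pending WHERE id = ?", (row_id,))
        evicted.append(old_email)
    db.execute("INSERT INTO pending (email, ip, requested_at) VALUES (?, ?, ?)",
               (email, ip, now))
    return evicted

def confirm(db, email):
    """Confirmation link clicked: the request is no longer outstanding."""
    return db.execute("DELETE FROM pending WHERE email = ?", (email,)).rowcount > 0

def pending_count(db, ip):
    return db.execute("SELECT COUNT(*) FROM pending WHERE ip = ?",
                      (ip,)).fetchone()[0]

if __name__ == "__main__":
    db = open_db()
    # Constructed sample input: one client submitting eight fictitious addresses.
    for i in range(8):
        gone = register(db, f"fake{i}@example.invalid", "203.0.113.7", now=1000 + i)
        print(i, "evicted:", gone, "pending:", pending_count(db, "203.0.113.7"))
```

Evicting the oldest row bounds table growth per IP, but a confirmation email is still sent for every request, so this alone does not reduce bounces. Returning a rejection once `excess` is positive, instead of evicting, would limit the outgoing mail as well.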

Comments

  • Hi Gary,

    If you're worried about these sorts of attacks, the simplest solution is to build your own subscription form that's protected by some kind of captcha.

    This applies to any forms on the Internet and is one of the reasons why captchas exist.

    Also, whether your site gets a DoS attack depends on how popular it is and whether it is worth the effort of any hacker performing this sort of attack.

    Thanks.

    Ben

  • Sod's law says it will happen. OK, thanks - I'll do some research on captchas...

This discussion has been closed.