views:

43

answers:

2

How do you avoid abusers for account systems requiring email activation? Abusers can basically hijack your account activation system to spam someone's (or multiple someones') emails.

The most obvious solution is probably to set a limit of X reminders max per hour or per day. But this doesn't give the non-abusing user the benefit of the doubt - what if their mail server is just having a bad day, for example? Are there better solutions other than just setting a brute-force limit?

+2  A: 

Setting a limit of X reminders per Y hours/days is definitely something that should be done:

  • You could allow 2 or 3 mails in the first hour -- if one mail gets lost, it can be useful to allow more than one
  • Then only 5 mails in the next whole day, or even week.

If 3 mails don't make it to the user, chances are pretty low that a 4th one will...
(And 2 or 3 mails is already pretty generous -- I would say 1 mail per day is enough, in almost any possible situation)

Pascal MARTIN
Hmm, are there solutions other than just setting a limit/limit over time?
ina
If you want to make sure that a given user doesn't get too many mails, probably not; on the other hand, don't forget to put up a "contact us" page, so users who don't get the mail can ask you to do something to help them :-)
Pascal MARTIN
I guess you're right - the safest way is probably to just have a "Contact us if you really can't get it to work" dead-end "no send" after X per time period. Although that seems like wasted manual labor, especially... given all the automation best practices available now.
ina
+1  A: 

Abusers can basically hijack your account activation system to spam someone's (or multiple someones') emails.

Presumably, they can't actually put their own content in such emails though? Because it's just an automated activation email? This should mean that apart from just 'general nuisance', there isn't really any incentive for people to abuse it as there would be if they could spam, right?

Flood control - that is, limiting the number of sign-up attempts per IP address per hour - is probably a good way to limit the troublemakers. After that, identify any serial offenders and block their IP address.

Are there better solutions other than just setting a brute-force limit?

As well as just having a limit, you can have a more generous number of 'grace' attempts such that the limit doesn't apply until after this number of grace attempts.

For example, 5 per day per IP address can be the limit, but only apply this limit after someone does more than 20 in a day. Adjust the numbers based on what you think is/isn't "abnormal" usage.

thomasrutter
A problem with setting a limit by IP is that abusers could just fake the IP. Also, what if the activation system is used for a large local event, a convention, for example, where most folks are on the same WiFi IP?
ina
Yeah well limiting by IP is not highly reliable, but may at least help in some situations. If you knew lots of people were going to sign up from the same IP then you'd have to build that sort of tolerance into the timings - and it may not end up worth it.
thomasrutter
Hmm, I guess an easier solution might be to just use OpenID verification, although that assumes the OpenID source is valid.
ina
It would be great if browsers could send MAC addresses, so we could at least try to limit by MAC.
ina
@ina But quite a lot of devices allow changing the MAC address? The rabbit hole does not end.
zaf