Blocking registration/email automated spam in your web app
6 votes by fr33domlover — 6 votes, 7 comments

Hi everyone!

I'm writing a web app and looking for some advice about fighting automated spam, I haven't found any standard techniques for this (maybe there's no need?) and I'd love to hear your thoughts and experience.

My web app sends email in 2 cases:

  1. When you register a new account
  2. When you want to reset your passphrase

If some evil person sends automated HTTP requests to my web app, they could do things like these:

  • If they know a user's email address, they can automatically repeatedly trigger password reset email, causing my app to send many email messages
  • If they can get a list of email addresses of people around the world, they can automatically register all of them, causing my app to send tons of email messages

This not only creates tons of spam accounts and so on, it also makes my app send lots of email and potentially its mail server get blacklisted because of that.

So my question is, what's the standard (for free software web apps of course) to protect against these things?

for n.1: limit how many requests you send (for example 1 per user per hour)

for n.2: you can't prevent people from using other people's emails. If you want to be sure the email is legit, ask for confirmation. CAPTCHAs will also slow down automated requests.

Or.... use OpenID and don't ask for any user/password.

Agree for all this.

I might increase the requests to 2 per hour, or 2 per whatever period, just in case the end user deletes the first one. I've seen it happen so many times...

Good points. But unless I'm missing some facts about OpenID, it's not the magical solution maybe it appears to be. If you use one of the huge centralized OpenID providers, it creates a privacy problem and a dependency on these providers. And generally, encourages people to have accounts on such websites to get an OpenID. If you use a decentralized provider, it just delegates the problem to some other web app in the fediverse that's having the very same challenge. So I prefer to handle this in the web app itself.

Limiting the rate of requests is a great idea! I'll do that.

It's your job to limit the number of requests, either with hard limits (in your code) or with captchas.

Or rate-limit requests per IP.

The "standard" way is to use some kind of second authentication, even if it's a weak one like "security questions" or a puzzle to solve. This is a very informative post.

Thanks for the link!