Preventing verification email trolling

Time: 07-14

I'm working on user logins and email verification in Flask. I see a potential vulnerability in my setup, but it makes me wonder if it is a vulnerability that many sites face. Here's the scenario:

A competitor to my service wants to get my domain marked as spam. They register fake accounts with other people's email addresses, then repeatedly send verification emails to each account.

If I were to receive multiple verification emails to a website I'd never seen before, I don't think I'd hesitate to mark the sender as spam.

Currently, I'm sending a verification email to unverified users anytime they log in. Thoughts?

from flask import flash, redirect, render_template, request, url_for
from flask_login import current_user, login_user
from werkzeug.urls import url_parse

# app, LoginForm, User and send_verification_email are defined elsewhere in the project.

@app.route('/login', methods=['GET', 'POST'])
def login():
    if current_user.is_authenticated:
        flash('You are already signed in')
        return redirect(url_for('index'))
    form = LoginForm()
    if request.method == 'GET' and 'email' in request.args:
        form.email.data = request.args.get('email')
    if form.validate_on_submit():
        user = User.query.filter_by(email=form.email.data).first()
        if 'idea' in request.args:
            idea = request.args.get('idea')
        else:
            idea = ''
        if user is None or not user.check_password(form.password.data):
            flash('Invalid username or password', 'error')
            return redirect(url_for('login', idea=idea))
        login_user(user)
        # Only follow a relative "next" URL, so the login page cannot be used as an open redirect.
        next_page = request.args.get('next')
        if not next_page or url_parse(next_page).netloc != '':
            if idea != '':
                next_page = url_for('idea', idea=idea)
            else:
                next_page = url_for('home')
        if not user.confirmed:
            # A verification email goes out on every login of an unconfirmed account.
            send_verification_email(user)
            flash('Please check your inbox at ' + user.email + ' to verify your account.')
        return redirect(next_page)
    return render_template('login.html', title="Login", form=form)

CodePudding user response:

You can add a captcha after several attempts in a given timeframe from the same source IP. That is something some sites do, and it is fairly usual. This makes automation harder.

Also, you can hard-limit the number of registrations in a given timeframe to reduce the risk of manual attempts if you think it is a relevant threat for you.

You can also maintain blacklists for source IPs you detected fraudulent registration attempts from.

Another similar area is the password reset email, which you can limit by captcha after a few attempts.
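One way to put the rate limits this answer describes in front of the question's send-on-every-login call, as an added example that is not from the original post or from CodePudding: an in-memory throttle that the `login` route would consult instead of calling `send_verification_email` unconditionally. The limit values, the injectable `clock`, and the `try_send` wrapper are my assumptions.

```python
import time
from collections import defaultdict, deque

# Constructed policy values for this example; tune them for a real deployment.
ACCOUNT_COOLDOWN_SECONDS = 10 * 60   # at most one mail per unverified account per 10 min
ACCOUNT_LIFETIME_LIMIT = 5           # an unverified account may trigger at most 5 mails, ever
IP_WINDOW_SECONDS = 60 * 60          # sliding window for the per-source-IP limit
IP_LIMIT_PER_WINDOW = 10             # mails one source IP may trigger inside that window


class VerificationThrottle:
    """Policy gate for verification emails (in-memory; use a shared store across workers).

    Per-account cooldown + lifetime cap stop a fake account from flooding a third
    party's inbox; a per-IP sliding window stops one client spraying many accounts.
    """

    def __init__(self, clock=time.time):
        self._clock = clock                   # injectable for deterministic tests
        self._last_sent = {}                  # email -> timestamp of last send
        self._sent_count = defaultdict(int)   # email -> lifetime number of sends
        self._ip_sends = defaultdict(deque)   # ip -> send timestamps in the window

    def check(self, email, ip):
        """Return (allowed, reason) without recording anything."""
        now = self._clock()
        if self._sent_count[email] >= ACCOUNT_LIFETIME_LIMIT:
            return False, "account-lifetime-limit"
        last = self._last_sent.get(email)
        if last is not None and now - last < ACCOUNT_COOLDOWN_SECONDS:
            return False, "account-cooldown"
        window = self._ip_sends[ip]
        while window and now - window[0] >= IP_WINDOW_SECONDS:
            window.popleft()                  # drop sends older than the window
        if len(window) >= IP_LIMIT_PER_WINDOW:
            return False, "ip-rate-limit"
        return True, "ok"

    def record(self, email, ip):
        now = self._clock()
        self._last_sent[email] = now
        self._sent_count[email] += 1
        self._ip_sends[ip].append(now)

    def try_send(self, email, ip, send):
        """Call send(email) only if policy allows; return (sent, reason)."""
        allowed, reason = self.check(email, ip)
        if allowed:
            send(email)
            self.record(email, ip)
        return allowed, reason
```

In the route, `throttle.try_send(user.email, request.remote_addr, send_verification_email)` replaces the bare call, and a refused send can still show the same "check your inbox" message so the login flow reveals nothing about the limit.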
