High bounce rate due to an attacker using the website's mail system

We got a relatively high bounce rate today, because someone decided to spread some links using our mail server. The implementation looked like this:
He used the registration form and planted a link in the firstname field, which appears in the email’s first line.
Then he sent out like 1200 emails like this.
And my question is what can we do to prevent this?
We can use captcha for sure, but can we do more about it?

It’s the verification email which is sent. Like if you register to any other site, the website sends you an email to verify your email address. And what he did was to put the link in the firstname field of the registration form. So in the verification email, in the place where it would say – Hello XY! pls verify your email... – there is this instead – Hello <link>! pls verify your email...

I don’t think that those email addresses belong to him, because in most cases we didn’t get a bounce, and also all the email messages had a different structure, plus there was more in the firstname field. Example: Здравствуйте Ваш профиль победил в акции. Заберите Ваш бонус на сайте: asuspeci.tk/9b939 ◄◄◄ (in English: "Hello, your profile has won in a promotion. Collect your bonus on the site: asuspeci.tk/9b939"). All of them went to Russian email addresses. The string in the link seems to be unique for each email address – I didn’t check all, but every one I checked was different. It also redirects to a Russian fake website – I checked it with Tor, JavaScript disabled.

Also the verification email has a template which starts like this: Hello [firstname]!

I think it might also be good to validate the field and check if it contains some characters which can’t be part of a firstname, as an extra. This might be better done by blacklisting some characters, because some languages have special characters in names, but those are not punctuation.

The reCAPTCHA can’t do much against request forgery, so it might be a good idea to also implement an IP rate limit, where you allow only X registrations in a Y amount of time from the same IP address.

Solution 1

Apart from captcha, another way in which the attacker should fail is by applying a character limitation. You can limit each field to 30 characters, or even less if you separate them properly. For example, don’t just let them place everything in the same “Name” field; separate it into “First name”, “Middle name”, “Last name” and so on (even 20 characters would be OK here).

By this means, the attacker won’t be able to place links, nor important messages, so his attack won’t be useful for him, making him try another site.

Solution 2

Find a library you can use to parse out domains. Anything with a dot in it should use this library to look for a domain, and then a matching domain would get rejected from the form. This will at least require some obfuscation (like asuspeci . tk). You’ll likely still block some legitimate names (you might be surprised how varied naming conventions are), so don’t go after obfuscation too hard.

Captcha services have their own algorithms for ratcheting up the difficulty proportional to the user’s perceived risk, so I’d suggest them (in addition to traditional rate limiting) as a form of soft rate limiting even if your attacker(s) are passing them. Captcha providers also have analytics to look for abuse, so you’d be helping them help you in this regard.

Here’s a prospective rate limiting tweak: put the submitter’s IP in the confirmation link (which allows victims to potentially identify their attackers) and don’t let that IP submit more submission requests if there are already ~five pending (no confirmation click yet).
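As an added example (not code from the question or either answer), here is one way to combine the three controls discussed above: the 30-character limit from Solution 1, the domain check from Solution 2, and the per-IP cap on pending (unconfirmed) registrations. The name length, the five-pending limit and the hostname pattern are assumptions based on the answers; the sample payload is the one quoted in the question.

```python
import re
from collections import defaultdict

MAX_NAME_LEN = 30        # Solution 1: too short to hold a message plus a link
MAX_PENDING_PER_IP = 5   # rate-limit tweak: ~five unconfirmed registrations per IP

# Assumed hostname pattern: dot-joined labels ending in a 2+ letter TLD, optional path.
# Deliberately does not chase obfuscation such as "asuspeci . tk" (false positives cost more).
_DOMAIN_RE = re.compile(r"(?<![\w-])(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


def looks_like_domain(text: str) -> bool:
    """Solution 2: only values containing a dot are even examined for a domain."""
    return "." in text and _DOMAIN_RE.search(text) is not None


def validate_first_name(name: str) -> list[str]:
    """Return the reasons a first name is rejected; an empty list means it is accepted."""
    reasons = []
    name = name.strip()
    if not name:
        reasons.append("empty")
    if len(name) > MAX_NAME_LEN:
        reasons.append("too long")
    if looks_like_domain(name):
        reasons.append("contains a domain")
    # Letters from any script plus space, hyphen and apostrophe ("Анна", "O'Brien", "Anna-Marie").
    if any(not (ch.isalpha() or ch in " -'") for ch in name):
        reasons.append("contains non-name characters")
    return reasons


class PendingRegistrations:
    """Per-IP cap on registrations whose confirmation link has not been clicked yet."""

    def __init__(self, limit: int = MAX_PENDING_PER_IP):
        self.limit = limit
        self._pending = defaultdict(set)  # ip -> confirmation tokens still unconfirmed
        self._owner = {}                  # token -> ip, so a click releases the right slot

    def can_submit(self, ip: str) -> bool:
        return len(self._pending[ip]) < self.limit

    def add(self, ip: str, token: str) -> bool:
        """Record a new pending registration; False means the IP is over its cap."""
        if not self.can_submit(ip):
            return False
        self._pending[ip].add(token)
        self._owner[token] = ip
        return True

    def confirm(self, token: str) -> bool:
        """Called from the confirmation link; frees the slot held by that token."""
        ip = self._owner.pop(token, None)
        if ip is None:
            return False
        self._pending[ip].discard(token)
        return True
```

Names with an initial such as "J. R." will be rejected by the dot rule, which is the trade-off Solution 2 accepts.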


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.