Email Signup Attacks
Hiya,
I saw this post on HackerNews a while back, where the user has a b2c application that is being attacked. The application is open for sign ups and accepts an email address. The email address is then confirmed, allowing access to the application. Confirming an email address before allowing application access is a good idea.
However, the attacker is signing up many random email addresses, which sends confirmation messages to recipients who never asked for them. This results in reputational damage to the b2c application, since many of these unsolicited messages are justifiably marked as spam, and that spam reputation attaches to the application's sending domain.
There are a few options to deal with this, none great.
One, suggested by user LinuxBender, is to flip the script and have the user verify their email address by sending a randomly generated code to a known email address associated with the application. Here's an example of how this might work.
A user registers an account with the email dan@example.com on b2capp.com. They are shown a code like cfvtkeay in the application. They are told to email the code to qjhgdgib@b2capp.com. When they do this, their email address is considered confirmed/verified. If they don't, the email address stays unverified.
Now, the abuse vector is removed, since the b2c app is no longer sending a large number of unsolicited emails to random addresses. I thought this was quite ingenious.
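Here is a sketch of that flipped flow in Python. It is an added example written for this post, not code from LinuxBender's comment or from any real application. The domain and the eight-lowercase-letter shape of the code and inbox name follow the example above; the 24-hour lifetime, the in-memory dict standing in for a database, and the `sample_message` helper (a constructed inbound message, not a real one) are my assumptions. One caveat belongs with the scheme: the app now trusts the From header of mail it receives, which is attacker-controlled unless the receiving MTA has enforced SPF/DKIM/DMARC, so in production the inbox should sit behind those checks.

```python
import secrets
import string
import time
from email import message_from_string
from email.utils import parseaddr

# Domain and token shape follow the post's example (b2capp.com, 8 lowercase
# letters); the lifetime is an assumption, not anything the post specifies.
APP_DOMAIN = "b2capp.com"
CODE_ALPHABET = string.ascii_lowercase
CODE_LENGTH = 8
CHALLENGE_TTL_SECONDS = 24 * 3600


def sample_message(sender, recipient, body):
    """Build a minimal, constructed RFC 822 message as an inbound MTA would hand it over."""
    return f"From: {sender}\nTo: {recipient}\nSubject: verification\n\n{body}\n"


class ReverseEmailVerifier:
    """Signup verification where the user emails the app, so the app sends nothing.

    _pending maps a random inbox local-part to the challenge issued for it.
    A dict stands in for the database; `now` is injectable so expiry is testable.
    """

    def __init__(self, domain=APP_DOMAIN, now=time.time):
        self.domain = domain.lower()
        self.now = now
        self._pending = {}
        self.verified = set()

    @staticmethod
    def _random_token():
        return "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))

    def issue_challenge(self, user_email):
        """Return (code, inbox address) to show the user right after they register."""
        code = self._random_token()
        inbox = self._random_token()
        self._pending[inbox] = {
            "email": user_email.strip().lower(),
            "code": code,
            "expires": self.now() + CHALLENGE_TTL_SECONDS,
        }
        return code, f"{inbox}@{self.domain}"

    @staticmethod
    def _plain_body(msg):
        """Concatenate the text/plain parts (a single-part message is its own part)."""
        chunks = []
        for part in msg.walk():
            if part.get_content_type() != "text/plain":
                continue
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
        return "\n".join(chunks)

    def verify_inbound(self, raw_message):
        """Check one inbound message; return (verified?, reason)."""
        msg = message_from_string(raw_message)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        recipient = parseaddr(msg.get("To", ""))[1].lower()
        local, _, domain = recipient.partition("@")
        if domain != self.domain:
            return False, "not addressed to a verification inbox"
        record = self._pending.get(local)
        if record is None:
            return False, "unknown or already used inbox"
        if self.now() > record["expires"]:
            del self._pending[local]
            return False, "challenge expired"
        # From is attacker-controlled unless the receiving MTA enforced
        # SPF/DKIM/DMARC; in production also gate on its Authentication-Results.
        if sender != record["email"]:
            return False, "sender does not match the registered address"
        if record["code"] not in self._plain_body(msg).lower():
            return False, "code not found in message body"
        del self._pending[local]  # one-time use: a replayed message fails above
        self.verified.add(record["email"])
        return True, "verified"


if __name__ == "__main__":
    v = ReverseEmailVerifier()
    code, inbox = v.issue_challenge("dan@example.com")
    print(f"Email the code {code} to {inbox}")
    print(v.verify_inbound(sample_message("dan@example.com", inbox, f"my code is {code}")))
    print(v.verify_inbound(sample_message("dan@example.com", inbox, code)))  # replay
```

Matching the sender against the registered address is what stops a third party who happens to see the code from claiming the account, and deleting the pending record on success is what makes a forwarded or replayed message useless. Nothing here sends mail, which is the whole point.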
Other ways to mitigate this kind of attack:
Using social sign-on (Google, Facebook, etc.) for sign ups rather than email and password. With this choice, you're delegating email verification to parties with more resources, but you are limiting your userbase to people with those accounts.
Rate limit sign ups by IP address and require a CAPTCHA once an address gets busy. This introduces additional friction which helps deter attackers, though an attacker with many IP addresses can still get through, so it slows the attack rather than stopping it.
Use a WAF like Cloudflare and rely on its DDoS protection.
Manually create users for a while. This again is going to introduce some friction which may deter the attackers.
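The rate-limiting item above is simple to implement but has two details worth getting right: the limit should escalate (allow, then CAPTCHA, then block) rather than hard-fail on the first burst, and IPv6 sources should be counted per /64, since an attacker usually controls an entire /64 rather than one address. The following is an added example of mine, not code from the post; the window and thresholds are assumed values.

```python
import ipaddress
import time
from collections import deque


class SignupRateLimiter:
    """Sliding-window count of signup attempts per source, escalating to CAPTCHA, then block.

    Thresholds are assumptions for illustration. IPv6 sources are keyed by /64,
    because a single attacker typically holds a whole /64. `now` is injectable
    so the window can be tested without sleeping.
    """

    def __init__(self, window_seconds=3600, captcha_after=3, block_after=20, now=time.time):
        self.window = window_seconds
        self.captcha_after = captcha_after
        self.block_after = block_after
        self.now = now
        self._hits = {}  # source key -> deque of attempt timestamps inside the window

    @staticmethod
    def source_key(ip):
        """Collapse an IPv6 address to its /64; leave IPv4 addresses as they are."""
        addr = ipaddress.ip_address(ip)
        if addr.version == 6:
            return str(ipaddress.ip_network(f"{addr}/64", strict=False))
        return str(addr)

    def decide(self, ip):
        """Record one attempt from ip and return 'allow', 'captcha' or 'block'."""
        key = self.source_key(ip)
        t = self.now()
        q = self._hits.setdefault(key, deque())
        while q and t - q[0] >= self.window:  # drop attempts outside the window
            q.popleft()
        if len(q) >= self.block_after:
            return "block"  # do not grow the deque while blocked
        q.append(t)
        return "allow" if len(q) <= self.captcha_after else "captcha"


if __name__ == "__main__":
    limiter = SignupRateLimiter()
    for n in range(1, 23):
        print(n, limiter.decide("203.0.113.7"))
```

A sign-up handler would call `decide()` before doing anything else: "allow" proceeds, "captcha" renders the challenge and only proceeds once it is solved, "block" returns an error. The per-/64 keying is the part people forget; without it, an IPv6 attacker gets a fresh counter for every one of their 2^64 addresses.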
Letting anyone sign up for an account on your application is pretty typical for a b2c application. And verifying emails prevents garbage accounts.
But as this post shows, each additional layer of protection can allow a different kind of attack.
Dan