WebApp Sec mailing list archives

Re: Suggestion: email anti-spoof measure on web site

From: Georgi Alexandrov <georgi.alexandrov () gmail com>
Date: Mon, 23 Jan 2006 12:56:06 +0200

mike () sharecube com wrote:

These forms, like tell-a-friend are tremendously useful for a business. They allow two or more parties to notify each 
other of the company's products.

The preferred answer (from my point of view) is that several email throttle techniques be recommended/required: only 
permit a few emails within a time span of five or ten minutes. If a site normally only sees one or two consumer uses 
of this form per hour, suddenly having 300 emails is a sure indicator that they are being exploited. A limit of 10 
emails / 5 minutes and a limit of 20 / hour are reasonable.

And you can always add eye verification system to those limits ;-)

-- 
regards,
Georgi Alexandrov

Key Server = http://pgp.mit.edu/ :: KeyID = 37B4B3EE
Key Fingerprint = E429 BF93 FA67 44E9 B7D4  F89E F990 01C1 37B4 B3EE

Attachment: signature.asc
Description: OpenPGP digital signature

Current thread:

Suggestion: email anti-spoof measure on web site ma . huijuan (Jan 18)
- <Possible follow-ups>
- Re: Suggestion: email anti-spoof measure on web site mike (Jan 19)
  - Re: Suggestion: email anti-spoof measure on web site Georgi Alexandrov (Jan 23)
- Re: Re: Suggestion: email anti-spoof measure on web site ma . huijuan (Jan 19)
- Re: Re: Re: Suggestion: email anti-spoof measure on web site mike (Jan 20)