5

Recently, when I was subscribing to email newsletter on some website, I was surprised by not receiving confirmation email. Naturally I registered my mail alias to newsletter as well to verify that it was intended behavior. It was.

And it leaves me wondering - what are the dangers and downsides of not requiring subscribed users to confirm their subscription?

I can think of one possible scenario:

  1. Attacker programatically registers thousands to millions of real emails (either from some mail database or obtained on his/her own)
  2. Server under attack will reach point of sending a newsletter and starts sending mails
  3. Many users gets delivered emails they did not requested

Can sending server / website be attacked this way? Under which circumstances would this result in website being blacklisted from sending emails?

Can this cause issues related to IPS/IDS-like systems deployed around source or target servers? Considering for example, that the list of targeted mails would be exclusively with @company.com domain and the attacker would like to compromise attacked website/server's ability to deliver emails to the mentioned company? Attacker would execute the attack, and company.com's servers would blacklist mailserver/domain from which mails are coming. Is it a possibility to be considered?

And lastly - can you think of other security issues this could introduce?

FanaticD
  • 153
  • 6

3 Answers3

3

I see one of the possible inconveniences in a situation when company's newsletter can't be unsubscribed. An attacker programmatically subscribes many real users. The company sends its newsletter to subscribed users as usual. Some of the users who did not subscribe themselves might unsubscribe using the proper link included in the newsletter. Some might just move the message to spam. The attacker could then (periodically) make sure all the targeted users have subscribed again.

But I'm not sure about the efficiency of such attack and how likely it could cause real legal consequences for the attacked company. Nevertheless, the company could end up sending quite a lot of spam.

mvondracek
  • 46
  • 3
0

In Germany you got additional compliance problems if you don't use double opt in. From a security point of view you are right with your concerns. But: you cant do much about this threats. Of course you can behavior-blocking DDoS-like automatic registrations, use captchas to try avoid automatic registrations at all, only allow signed and sender-authorized e-mails...Even with this you cant avoid the risks. An attacker could always upset / ddos users through fake registering using fake E-Mail-Sender-addresses. He could set your server on any blacklist by sending SPAM in your name. He don't need your server for this. At the moment we are facing a big spam wave with perfectly spoofed sender addresses. And the recipient always know the sender. Spooky...

user689443
  • 88
  • 4
  • While I appreciate your reply, I can not accept it as answer. I am still interested in potential dangers of described scenario in bigger picture. It seems to me that it still is an issue, because basically what will happen is that great number of people starts to receive a lot of mails they are not interested in - regularly. – FanaticD May 20 '17 at 13:13
  • Also, from what you have mentioned, yes, we have too some legislative instructions in our country, on how opt-in and opt-out should be handled, but that does not mean that every company follows it. As for the easily blacklisting anyone without even using their server - are you sure that it is that easy? If it was, importance of that issue would be tremendous. – FanaticD May 20 '17 at 13:15
  • Look here how to fake e-mails: https://en.m.wikipedia.org/wiki/Email_spoofing – user689443 May 20 '17 at 21:35
  • I know how to fake e-mails. My point is that the traffic generated by the server will be legit - the server will send mails, regularly, BUT recipients did not sign up for anything. I am trying to find out what possible negative consequences are there for that server. :) – FanaticD May 20 '17 at 21:41
  • 1
    If you sent to much mails (e.g. 100+) from one E-Mail-address to a company with one E-Mail-Server (and there many recipients in this domain) you personally will be blocked automatically. Doesn't matter if you sent it or another person in your name. If one E-Mail-Sender (you or someone in your name) send many E-Mails to many recipients in many different domains, but not in one huge wave, all the emails will be arriving. If the recipients don't like this, they could block you manually or contact your provider or go to a lawyer to sue you. But no automatic blocking occurs. – user689443 May 21 '17 at 12:47
0

I think if the company was attacked and thousands and thousands of email newsletters were sent out one of the main impact I can think of is the reputational damage the company would sustain.

One that the company wasn't able to protect themselves against the attack in the first place, and secondly the negative views people would form of the company as a result of receiving spam mail they did not want.

user68786
  • 159
  • 1
  • 6