Skip to main content

Email flooding

Description

It is possible to send emails massively to a victims inbox, causing its saturation.

Impact

  • Send massive spam to a user email.
  • Hide important information of another emails.

Recommendation

Restrict the consecutive send of emails through mechanisms like time delay.

Threat

Authenticated attacker from the Internet.

Expected Remediation Time

⌚ 60 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: A
  • Attack complexity: L
  • Privileges required: N
  • User interaction: N
  • Scope: U
  • Confidentiality: N
  • Integrity: L
  • Availability: N

Temporal

  • Exploit code madurity: H
  • Remediation level: U
  • Report confidence: C

Result

  • Vector string: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H/RL:U/RC:C
  • Score:
    • Base: 4.3
    • Temporal: 4.3
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

The email delivery settings include a time delay to prevent flooding users with spam in any attack event

email_delivery:
delivery_method: :smtp
smtp_settings:
enable_starttls_auto: true
address: "address"
port: 587
domain: "promotions_domain"
authentication: :plain
user_name: "appadmin"
time_delay: 24h

Non compliant code

There is no limit set in the email delivery configuration setting of the application

email_delivery:
delivery_method: :smtp
smtp_settings:
enable_starttls_auto: true
address: "address"
port: 587
domain: "yourdomain"
authentication: :plain
user_name: "appadmin"

Requirements