Email flooding
Description
It is possible to send emails massively to a victims inbox, causing its saturation.
Impact
- Send massive spam to a user email.
- Hide important information of another emails.
Recommendation
Restrict the consecutive send of emails through mechanisms like time delay.
Threat
Authenticated attacker from the Internet.
Expected Remediation Time
⌚ 60 minutes.
Score
Default score using CVSS 3.1. It may change depending on the context of the vulnerability.
Base
- Attack vector: A
- Attack complexity: L
- Privileges required: N
- User interaction: N
- Scope: U
- Confidentiality: N
- Integrity: L
- Availability: N
Temporal
- Exploit code madurity: H
- Remediation level: U
- Report confidence: C
Result
- Vector string: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H/RL:U/RC:C
- Score:
- Base: 4.3
- Temporal: 4.3
- Severity:
- Base: Medium
- Temporal: Medium
Code Examples
Compliant code
The email delivery settings include a time delay to prevent flooding users with spam in any attack event
email_delivery:
delivery_method: :smtp
smtp_settings:
enable_starttls_auto: true
address: "address"
port: 587
domain: "promotions_domain"
authentication: :plain
user_name: "appadmin"
time_delay: 24h
Non compliant code
There is no limit set in the email delivery configuration setting of the application
email_delivery:
delivery_method: :smtp
smtp_settings:
enable_starttls_auto: true
address: "address"
port: 587
domain: "yourdomain"
authentication: :plain
user_name: "appadmin"