Email flooding

Description

It is possible to send emails massively to a victims inbox, causing its saturation.

Impact

Send massive spam to a user email.
Hide important information of another emails.

Recommendation

Restrict the consecutive send of emails through mechanisms like time delay.

Threat

Authenticated attacker from the Internet.

Expected Remediation Time

⌚ 60 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

Attack vector: A
Attack complexity: L
Privileges required: N
User interaction: N
Scope: U
Confidentiality: N
Integrity: L
Availability: N

Temporal

Exploit code madurity: H
Remediation level: U
Report confidence: C

Result

Vector string: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H/RL:U/RC:C
Score:
- Base: 4.3
- Temporal: 4.3
Severity:
- Base: Medium
- Temporal: Medium

Code Examples

Compliant code

The email delivery settings include a time delay to prevent flooding users with spam in any attack event

email_delivery:
  delivery_method: :smtp
  smtp_settings:
    enable_starttls_auto: true
    address: "address"
    port: 587
    domain: "promotions_domain"
    authentication: :plain
    user_name: "appadmin"
    time_delay: 24h

Non compliant code

There is no limit set in the email delivery configuration setting of the application

email_delivery:
  delivery_method: :smtp
  smtp_settings:
    enable_starttls_auto: true
    address: "address"
    port: 587
    domain: "yourdomain"
    authentication: :plain
    user_name: "appadmin"

Requirements

327. Set a rate limit

Description​

Impact​

Recommendation​

Threat​

Expected Remediation Time​

Score​

Base​

Temporal​

Result​

Code Examples​

Compliant code​

Non compliant code​

Requirements​