Barebones Application Security — Spammers

Dave Stevens
Nov 9, 2015 · 4 min read
Image for post
Image for post

So far we’ve tackled Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) and SQL Injection (SQLi). If you missed any, start with the introduction to get caught up. Next, we’ll look at the threat of unsolicited mail.


As a sidenote, Nigeria is a federal republic modeled after the United States (once it gained independence from us Brits of course) and doesn’t have a Royal Family. Nor did it within the reasonable lifespan of anyone who could have been a prince. Anyway…

Real Example

It’s a simple form that lets you enter an email address and a personal message. We then send an email to the entered address with the message and a link back to Insta-SPAM. Marketing!

Spammers find this form, thank us kindly while high fiving each other, then write a script to post to this controller with thousands of email addresses and their spam payload.

Prevent this threat

  • If you do have a message, limit the length of what can be entered, and don’t allow HTML or links.
  • You can use a CAPTCHA if you want, but they constitute the worst UX of all time. Instead, rate limit the number of emails that can be sent in a given time period, limit the number of email addresses that can be put in the email address field of your form, and use tokenization as in the CSRF step to prevent scripting.
  • Have your mail-sending controller check for patterns that suggest spam and flag for review before sending. And always use a message queue with a way to halt sending, so if you get hit by a spam attack, you can turn off processing of the message queue, clean it up, then turn processing back on.

Why you should care

How to detect if someone is trying to attack you

Non-security benefits of protecting yourself from this threat

End of Part 5

And, as a reminder — I will continue to repeat a disclaimer throughout: This is a barebones, do this rather than do nothing set of suggested approaches. THIS DOES NOT CONSTITUTE ROBUST, COMPLETE AND FOOLPROOF SECURITY. The goal of this effort is to provide non-security aware founders/hackers/developers/etc with a modicum of protection at a stage in the company’s growth where there are no budgets, let alone one for Information Security. The caveat is that as soon as the company experiences growth, one of their top priorities should be to mature in to a properly developed, professionally and thoroughly provisioned Information Security program, specific to their application, industry and environment.

Just as you scaffold certain items while doing rapid coding development, this is your scaffolded application security program. Think of it as the Twitter Bootstrap of web application security.

Your Feedback / Dissent

Constructive feedback will be reflected in the posts themselves at the most relevant points.

If you’ve got feedback for me, or you have questions about how to apply this to your own startup / project, you can get in touch:

Twitter: @dstevensio


Originally published at

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch

Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore

Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store