The Dangers of One-Step Email Subscriptions
Recently, when I was subscribing to an email newsletter on some website, I was surprised not to receive a confirmation email. Naturally, I registered my mail alias to the newsletter as well to verify that it was intended behavior. It was.
And it leaves me wondering – what are the dangers and downsides of not requiring subscribed users to confirm their subscription?
I can think of one possible scenario:
- An attacker programmatically registers thousands to millions of real emails (either from some mail database or obtained on his/her own)
- The server under attack reaches the point of sending a newsletter and starts sending mails
- Many users get delivered emails they did not request
Can the sending server / website be attacked this way? Under which circumstances would this result in the website being blacklisted from sending emails?
Can this cause issues related to IPS/IDS-like systems deployed around the source or target servers? Consider, for example, that the list of targeted mails would be exclusively @company.com addresses and the attacker would like to compromise the attacked website/server’s ability to deliver emails to the mentioned company. The attacker would execute the attack, and company.com’s servers would blacklist the mail server/domain from which the mails are coming. Is it a possibility to be considered?
And lastly – can you think of other security issues this could introduce?
The Answer
I see one of the possible inconveniences in a situation where the company’s newsletter can’t be unsubscribed from. An attacker programmatically subscribes many real users. The company sends its newsletter to the subscribed users as usual. Some of the users who did not subscribe themselves might unsubscribe using the proper link included in the newsletter. Some might just move the message to spam. The attacker could then (periodically) make sure all the targeted users have subscribed again.
But I’m not sure about the efficiency of such an attack and how likely it is to cause real legal consequences for the attacked company. Nevertheless, the company could end up sending quite a lot of spam.
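The mitigation both the question and the answer circle around is confirmed (double) opt-in: the form stores nothing, and an address only joins the list when a link sent to that mailbox is followed. Below is an added example of that flow, not code from the original post; the key, the 24-hour lifetime and the in-memory set are constructed placeholders, and the "email|timestamp" token layout is one reasonable design, not a standard.

```python
import base64
import binascii
import hashlib
import hmac
import time

# Constructed placeholder key; in production load a random 32-byte key from a secret store.
SECRET_KEY = b"example-key-not-for-production-use"
TOKEN_TTL = 24 * 3600  # a confirmation link stops working after 24 hours
confirmed_subscribers = set()  # only addresses whose owner clicked the confirmation link


def make_confirm_token(email, now=None, key=SECRET_KEY):
    """Build the token for the confirmation link: 'email|issued_at', MACed with the server key."""
    issued_at = int(time.time() if now is None else now)
    payload = f"{email.strip().lower()}|{issued_at}".encode("utf-8")
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    b64 = lambda raw: base64.urlsafe_b64encode(raw).decode("ascii")
    return b64(payload) + "." + b64(mac)


def verify_confirm_token(token, now=None, key=SECRET_KEY, ttl=TOKEN_TTL):
    """Return the address the token was issued for, or None if it is malformed, forged or expired."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
        email, issued_at = payload.decode("utf-8").rsplit("|", 1)
        issued_at = int(issued_at)
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    now = int(time.time() if now is None else now)
    if not issued_at <= now <= issued_at + ttl:
        return None
    return email


def confirm(token, now=None):
    """Step 2: only a token that verifies (i.e. the mailbox owner's click) activates the address.
    Step 1, the web form, just calls make_confirm_token() and mails the link; it stores nothing."""
    email = verify_confirm_token(token, now)
    if email is not None:
        confirmed_subscribers.add(email)
    return email is not None
```

Because the form itself never writes to the list, bulk submissions from an attacker produce at most one confirmation mail per address, and the re-subscribe loop the answer describes stops working without the victim's own click.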