FAQ: How can I prevent a scan from flooding me with Acunetix test string emails?

Apart from being an annoyance, a flood of emails triggered by a scan is a sign that the site itself has a weakness: an attacker can perform the same steps, for example with automated bots, and flood the mail system at will. Whether this happens depends on how the application behaves at the server side when it receives certain types of request. More than one thing can trigger the mass mailing: forms, links, and repeated requests to the same script.

As a black box scanner, Acunetix WVS cannot predict whether a website contains such entry points, because the emails are generated at the server side; the scanner only sees the HTTP response, not the mail that was sent as a side effect.

It is important to be aware that this behaviour can be exploited like a vulnerability to cripple a server or a mail relay, so such mass mailing entry points should be hardened. When using forms to send emails (e.g. registration or contact forms), techniques such as CAPTCHA (http://en.wikipedia.org/wiki/Captcha) should be implemented to validate that a human submitted the form and to protect it against bots.

Resolution:

To avoid receiving such emails while scanning your website with Acunetix WVS, follow these steps:

  1. Configure Acunetix WVS to always use the same details when accessing a specific form that generates emails. This can be done from the Input Fields node in the Acunetix WVS settings.
  2. Add a filter in the Directory and File Filters node to exclude the mailing script from being scanned. E.g. if contact_us.html posts details to /cgi-bin/mailer.php, add the URL of mailer.php to the exclusion list.
  3. Control the request at the server side by denying any request that tries to access the email-generating script directly, or that arrives from an invalid referrer. Note that the Referer header is supplied by the client and can be forged, so treat it as a first filter and combine it with a per-form token and rate limiting. This will also protect your mail server when a malicious user tries to abuse the script's functionality.
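The following is an added example of the server-side control described in step 3; it is not Acunetix's code and not taken from any particular mailer script. It assumes a hypothetical mailer endpoint that is only supposed to be reached by posting /contact_us.html on www.example.com, and it goes beyond the Referer check the step mentions by also requiring a signed form token (issued when the form page is served) and a per-client rate limit, since the Referer alone is forgeable. The host, path, secret, and limits are all assumed values.

```python
"""Gate a mail-sending endpoint so scanners and bots cannot trigger it freely.

Added example, not Acunetix's own code. All hosts, paths, the secret and the
limits below are assumptions for illustration.
"""
import hashlib
import hmac
from collections import defaultdict, deque
from urllib.parse import urlsplit

SECRET = b"replace-with-a-random-server-side-secret"   # assumed server secret
ALLOWED_HOSTS = {"www.example.com"}                     # hosts whose forms may post here
ALLOWED_FORM_PATHS = {"/contact_us.html"}               # pages that legitimately post to the mailer
RATE_LIMIT = 3                                          # max mails per client per window (assumed policy)
WINDOW_SECONDS = 600
TOKEN_MAX_AGE = 3600                                    # seconds a form token stays valid

_history = defaultdict(deque)   # client_ip -> timestamps of accepted requests


def issue_form_token(form_path, now):
    """Embed this in the form page as a hidden field when it is served."""
    ts = str(int(now))
    mac = hmac.new(SECRET, f"{form_path}|{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def _referer_form_path(referer):
    """Return the form path named by the Referer if it is one of ours, else None."""
    if not referer:
        return None
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_HOSTS:
        return None
    return parts.path if parts.path in ALLOWED_FORM_PATHS else None


def _token_ok(token, form_path, now):
    """Validate the HMAC and age of a token issued for form_path."""
    try:
        ts, mac = token.split(".", 1)
        issued = int(ts)
    except (AttributeError, ValueError):
        return False
    if now - issued > TOKEN_MAX_AGE or issued > now + 60:
        return False
    expected = hmac.new(SECRET, f"{form_path}|{ts}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def _rate_ok(client_ip, now):
    """Sliding-window limit: at most RATE_LIMIT accepted mails per WINDOW_SECONDS."""
    q = _history[client_ip]
    while q and now - q[0] > WINDOW_SECONDS:
        q.popleft()
    if len(q) >= RATE_LIMIT:
        return False
    q.append(now)
    return True


def gate_mail_request(method, headers, token, client_ip, now):
    """Decide whether the mailer may send. Returns (allowed, reason).

    Checks run cheapest first: a GET from a crawler never sends mail, a
    direct request with no or a foreign Referer is rejected, then the token
    proves the client actually loaded our form, and finally the rate limit
    caps what even a legitimate-looking client can trigger.
    """
    if method != "POST":
        return False, "method"
    form_path = _referer_form_path(headers.get("Referer"))
    if form_path is None:
        return False, "referer"
    if not _token_ok(token, form_path, now):
        return False, "token"
    if not _rate_ok(client_ip, now):
        return False, "rate"
    return True, "ok"


if __name__ == "__main__":
    import time
    t = time.time()
    tok = issue_form_token("/contact_us.html", t)
    hdr = {"Referer": "https://www.example.com/contact_us.html"}
    print(gate_mail_request("POST", hdr, tok, "10.0.0.1", t))   # accepted
    print(gate_mail_request("GET", hdr, tok, "10.0.0.1", t))    # a crawler's GET is refused
    print(gate_mail_request("POST", {}, tok, "10.0.0.1", t))    # direct access is refused
```

A scanner or bot that requests the mailer script directly fails at the method or Referer check; one that replays a captured Referer still needs a token minted by the server for that exact form, and one that loads the form page for each submission is throttled by the rate limit. The token replaces nothing the page recommends: CAPTCHA on the form remains the control against a patient human-driven bot.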

You can read more about this issue and other ways to tackle it in the following blog post: Ways to avoid email floods when running Web vulnerability scans.
