Dada Mail’s Subscription Abuse Prevention Systems

Web apps are a target for abuse by individuals or other nefarious apps/bots. Dada Mail is no exception. Although we haven’t discovered a vulnerability in the app itself, it’s true that attempts are made, however unsuccessful they are. Here are a few ways to safeguard Dada Mail from these attacks.

Closed-Loop Opt-In Confirmation

The first line of defense doesn’t seem like one, but it’s the best defense against abuse of your app by hackers and spammers. Always makes sure Closed-Loop Opt-In Confirmation  is enabled for your public mailing lists – there’s no excuse not to use it.

Closed-Loop Opt-In Confirmation main job is to make sure only valid email addresss are adding to your mailing list, and confirms that the actual person who owns the email address wants to receive your mailing list messages. Without this feature enabled, anyone may subscribe anybody to your mailing list, leading to all sorts of problems.

It’s enabled by default, but this option can be found inside the list control panel in, Mailing List: Options. Look for the checkbox labeled, Require Closed-Loop Opt-In Confirmation

Disallowing  Multiple Confirmation Requests

By default, Dada Mail does not allow a user to try to subscribe to the same mailing list twice. This is to prevent simple abuse of your subscription forms, neglectful users, or automated processes that have run amok. If an additional confirmation attempt is tried, the user will still be allowed to have another subscription request, once a CAPTCHA is solved.

This option can be found inside the list control panel in, Mailing List: Options. Look for the checkbox labeled, Limit subscription confirmation sending. We suggest that this option is always enabled.


StopForumSpam is a third party service that keeps a database of usernames, email addresses and IP addresses that have been submitted as being abusive when used throughout the Internet. Dada Mail has support to look up both the email address and IP address of subscription requests. If either come up as positive, the subscription request is blocked from being completed.

This option is also enabled by default (see a trend?) and the option can also be found in the list control panel in, Mailing List: Options. Look for the checkbox labeled, Enable StopForumSpam Protection. StopForumSpam does require you to have the Perl CPAN module, LWP installed. But, even on shared hosts, this is usually available without additional installation. If you can send a webpage, you will be able to use this feature, as both rely on LWP Tools.

Rate Limiting

Rate Limiting is a feature in Dada Mail tracks where requests for various functions of Dada Mail comes from (not just subscription requests), and sets limits on what it’ll allow, before it senses there may be an attempt to abuse the app. Think Denial of Service (DOS) attacks, or brute-force password cracking. Rate Limiting can help nip this in the bud.

Rate Limiting is enabled by default, but its options can be customized during installation from within the Dada Mail installer. See the installer’s advanced configuration docs for more information.

Blocking Suspicious IP Address Activity

Sometimes, none of the above tests seem to help. Requests for subscription are from different email addresses, or a long time frame, and the email address and IP address aren’t listed on StopForumSpam. Still, there seems to be something fishy about all these different requests coming from the same IP Address. Enter, Suspicious IP Address Activity Protection. This features looks at the records for subscription requests and sees if there’s a strange correlation between requests of different email addresses from the same IP over a large amount of time. If there is, the subscription request is blocked.

This feature is also enabled by default and the option can also be found in the list control panel in, Mailing List: Options. Look for the checkbox labeled, Enable Suspicious IP Address Activity Protection.

Dada Mail v9.5.0 Released

Dada Mail v9.5.0 has been released – download and install using the instructions here. Changelog is below:


StopForumSpam Integration

The StopForumSpam service ( keeps a database of email addresses, locations, and usernames known to be used for abuse attempts on web apps like forums, blogs, and mailing lists.

Dada Mail now supports looking up this information when a user goes through the subscription process. If the IP address or email address of the user is returned by the StopForumSpam service as being known to be abusive, the first step of the subscription process fails.

This new feature can help stop your mailing list from being abused, curbs the wasting of server resources, and keeps your mailing list cleaner. StopForumSpam integration should definitely be seen as a security enhancement, as these users being marked as abusive are possibly part of a botnet, trying to find vectors for attack.

This integration of StopForumSpam is currently enabled by default, and requires the LWP Perl CPAN library – if you can send a webpage using Dada Mail, you most likley have this library installed!

Options to enable/disable StopForumSpam integration can be found in the list control panel under Mailing List – Options. Look for the checkbox labeled, Enable StopForumSpam Protection.

If WWW::StopForumSpam needs to be installed, a notification will be shown below this option to alert you.

Viewing the Unconfirmed Subscribers sublist

Dada Mail keeps track of subscribers that have started the subscription process, but haven’t yet confirmed their subscription by clicking the confirmation link that’s sent to them via email. Internally, this sublist type is called, sub_confirm_list (catchy name, huh?). It’s used primarily to make sure the same address isn’t repeatedly submitted to be subscribed again and again by some automated process. Curbing abuse is a big part of web apps like Dada Mail!

We’ve now added the ability to view and interact with this sublist. In the, Membership – View screen, you will see a new tab labeled, Unconfirmed Subscribers. You may view, search, delete, and export addresses from this sublist. You may also resend the subscription confirmation email message: look for the button to the left of the email address. Pressing the button will resend the confirmation email message.

This sublist is tightly coupled with the subscription confirmation process itself. Dada Mail’s subscription confirmation system works with a unqiue token embedded in the confirmation email that corresponds with records in its database. These records do expire after a while (60 days by default). When these tokens expire, addresses in this sublist will also automatically be removed, keeping your mailing list tidy, and your database trimmed and fast, without any additional work by you.

Viewing this tab can be enabled/disabled in the list control panel under, Membership – Options. Look for the checkbox labeled, Show “Unconfirmed Subscribers” sublist.

New Subscriber Export Options

In previous versions, Dada Mail could export your Subscribers (as well as other sublists), but the data it exports is not customizable. It would include the added/subscribed date (timestamp), the email address itself, profile fields, as well as the delivery preferences (if that option is enabled). Some users have problems then utilizing this information as-is, since some of the information is not needed. Although this exported informaton is in CSV format, which you can open the exported file into a spreadsheet app, and do more manipulation, but many users were having trouble with this cumbersome extra step.

Now, Dada Mail also allows you to specify what data you would like exported:

  • Email Address (always exported)
  • Date Added
  • Profile Fields
  • Delivery Preferences (if enabled)

Among other things, this allows Dada Mail’s exported data to be easily read and imported back into Dada Mail itself – something it couldn’t do (embarrassingly) before!

Using this new functionality is simple: instead of exporting the data right away, after you click the Export button, a modal menu will open up, allowing you to choose what data you would like the exported data to hold.

Email Parsing Engine Advanced Tuning Options

Dada Mail now allows you to easily tune the underlying email parsing engine (called, MIME::Tools), so that you can either have a faster parser that’s more memory intensive (the default), or a somewhat slower parser that uses less memory.

We’ll be experimenting with the latter, as it should help with working with large, complex email messages with large attachments, as well as running Dada Mail as a long-running process.

More information on how to change these options are available at,

Dada Mail v9.4.0 Released – Rate Limiting

Dada Mail v9.4.0 has been released – download and install using the instructions here. Changelog is below:

Rate Limiting

We’ve enabled a Rate Limiting in Dada Mail! This is a safeguard against perhaps nefarious attempts at attacking the Dada Mail when there are many requests done in a short space of time. Before v9.4.0, Dada Mail would happily try to serve each request, and sometimes this would cause problems. One scenario:

Say you have a subscrption form, and say that form has been targeted by a bot in an attempt to exploit it. There aren’t any currently known exploits out there in the wild for Dada Mail, but perhaps the bot doesn’t know that, so it just tries to fill out your form multiple times a second. This can cause problems with resources on your hosting account reaching their limit, and cann also cause multiple emails to be sent to bogus addresses, and probably bounce back, which cause much annoyance. If you utilize a third party email service, like Amazon SES (which we highly recommend!), this can work against you, as this service monitors bounce rates closely and will not allow the rate to go too high. If it does, you’re in hot water with Amazon AWS.

Dada Mail’s Rate Limiting now monitors who is requesting what, and how many times. If it notices what could potentially be signs of abuse, it’ll deny the request for a small amount of time. This stops flagrant and out-of-control abuse of the app and does so easily.

Rate Limiting is enabled by default, and its options can be customized in Dada Mail’s included installer. More Information:

v9.4.0 Beta 1 is out – Rate Limiting!

Hello everyone, v9.4.0 Beta 1 is out.

Download and Install:

(Pro Dada versions are available)

This version has the new Rate Limiting feature built in. Seems to work really well! Now that it’s a part of the app, seems a little naked to run without it. Rate Limiting is currently enabled by default, and also has settings that can be customized in the installer. I’d love to get some more real-world feedback in seeing if the feature is working at all/as intended. I’m running it myself and seems to work well. It’s one of those, “Behind the scenes” features though, so nothing out of the ordinary seems to be different, unless something is terribly wrong!

Here’s what you need to know:

Rate Limiting

When enabled, rate limiting keeps track of the requests of certain features in Dada Mail – features like trying to log into the list control panel, or subscribing to a mailing list. Dada Mail keeps track of these requests by IP Address and can be configured to have a maximum amount of requests per timeframe. If more than the maximum amount of requests are made within the timeframe, the rate limit is said to be exceeded, and further requests will be denied.

This feature is especially important in any feature that involves filling out a form, then having that feature send out an email, like a subscription confirmation. Potentially nefarious bots may be filling out your subscription form quite blindly, with various bogus email addresses, causing all this unneeded email to be sent, then bounced back. If you’re using a third party email sending service, like Amazon SES, this out of control behavior could potentially lead to problems with you not following their Terms of Service.

Although rate limiting in Dada Mail was first implemented for the above scenario, it’s used in many other places:

• Running the Cronjob Schedule

• Subscription by the classic subscription form

• Subscription via the RESTful API

• Subscription and Unsubscription Confirmation via the token URL (or any URL with a token in it)

• Logging in and out

• Encrypting a password

• Requesting to download a file attachment

• Profile activation/registering/resetting password/login and out

• Accessing the list control panel login screen

Enable Rate Limiting

Check this option to enable Rate Limiting. Enabled by default

Timeframe (in minutes):

Timeframe is the amount of time a number of requests for a certain feature/function can be made

Max Hits

Max Hits are the amount of requests for a certain feature/function that may be done in the Timeframe set above.

If more requests than the Max Hits happens within the Timeframe, the feature/function will be inaccessible, until the number of requests is below the Max Hits threshold. Any other feature mentioned will still be available to the user, and any other users of the app will not be affected (unless of course they’re being tied to that same IP Address)

Config Variable:


That’s it! Give it a try,

Dada Mail v9.3.0 Released

Dada Mail v9.3.0 has been released – download and install using the instructions here. Changelog is below:


Subscriber Delivery Preferences editing on Membership – View screen

For discussion lists that have digest enabled, editing individual delivery preferences can be done on the Membership – View screen, rather than having to visit the individual subscriber’s membership screen to make the edit.

Delivery Preferences are now also exported, when you export Subscriber data via csv.


No Directory Listing in dada_mail_support_files directory

During installation/upgrade and when using the included Dada Mail Installer, the Installer will now create a .htacess file, with the following directive:

        Options -Indexes

This stops a directory listing to be returned for anyone/anything visiting the root of this directory. Since files/directories of older installs are backed up, and since some of the files in these backed-up directories could have exploits fixed in the more recent versions being installed, this simple removal of the directory index may stop these potential exploits.


As a full-service marketing agency, one of my deliverables is providing maillists for my clients, both in a newsletter format and a news/announcement/text format. I was one of the very early subscribers to Dada Mail, more than 15 years ago, if memory serves. I bought a “lifetime” subscription and have installed the program on dozens of sites over the years. My oldest version, still functioning, is 3.3 and I recall updating that one, so best guess is that I owned one of the very first versions.

My preferred method of delivery is to create a responsive web page for the content. For some clients, I have set up an admin back end so they can fill in the content within the framework. For others, I write the content. Once the page is uploaded to server, I (or client) use the “Send a web page” feature in Dada for a clean, easy delivery. The web page is then included in a listing on the client’s website for future review by new visitors.

Over the years, I’ve watched as Dada has grown and grown. The features are very impressive. I really appreciate the database component for the listeroos. Either I didn’t know how to do the mysql feature in the beginning, or it was a later add-on, but I take full advantage of it now and it is a lifesaver for managing the list.

I have run into a few things that were a puzzle, especially when a new version came out, but Justin has always been patient with me and responds immediately.

I have recommended Dada to all my colleagues, on several lists. I am 100% satisfied not only with the program, but with the extreme level of personal customer support when something eludes me.

Thanks, Justin, for your product and for your support.

– Patrice Olivier-Wilson,

Testimonial: Orienteering Utah

We’ve been using Dada Mail for several years now to keep our orienteering club members informed about events and other news. For about five years now, Dada Mail has worked flawlessly for us without requiring support. The feature set is robust and meets our modest requirements, yet the product is clearly scalable as our organization membership continues to grow. It integrates well with our Joomla installation and looks nice on our website.

Service from Justin at Dada Mail is superb! He is very responsive. The website is often updated with news and important information about the product. The documentation is clear and easy to read. Sometimes, I watch the videos and read the documentation to make sure that I haven’t missed anything and am using the product to its fullest capacity for our requirements.

– Darren Stanger, Orienteering Utah

Testimonial: Texas State Archery Association

I began writing the newsletters for the Texas State Archery Association in around 1999, transitioning the TSAA from paper & snail mail to electronic emailing, and creating our website at the same time, . I had to design and maintain a custom relational database of subscribers by hand to support that newsletter function.
So finding Dada Mail, a specific software designed to do all the hard work, a few years ago after searching and trying a variety of similar ‘wares was just incredible to me. The feature set was (and is) just huge! Dada Mail has a *lot* of useful features we can grow with, and I rest easier knowing we are fully compliant with the rules and regs for emailing newsletters. You do not want to expose your non-profit organization to “problems” and Dada Mail covers this base for us quite well.
I’ve done both the install myself, and then also paid the Pro fee for upgrades and things like optimizing sending via Amazon SES. Justin is fast and efficient, and the relief to me in having him “make sure” has been quite a comfort well worth the reasonable fees.
I have to also say that it is almost magic how easy it is to compose, test, and then release newsletters!

Justin is very personable, and a pleasure to work with. It’s hard to say whether the product or customer service is better but very easy to say they both are great.

A.Ron Carmichael, R.Ph.
USA Archery Level IV-NTS Coach
President, Texas State Archery Association

Dada Mail v9.2.2 Released!

Dada Mail v9.2.2 has been released – download and install using the instructions here. Changelog is below:

This is mostly a bug-fix release, fixing bugs found in the v9.2.1 release.


Resetting List Password after incorrect login attempt creates Server Error

Save for Multiple Lists does not work for Sending >> Options

Dada Mail v9.2.1 Released

This is mostly a bug-fix release, fixing bugs found in the v9.2.0 release.

Dada Mail v9.2.1 has been released – download and install using the instructions here. Changelog is below:


This is mostly a bug-fix release, fixing bugs found in the v9.2.0 release.


Default, “Break” email protection does not work on publically viewed archived messages

Plugin: password_protected_directories: Submission redirects to public Dada page

Amazon SES “Verify” will give false negative if email address belongs to a subdomain, and only domain is verified #559

Plugin: password_protected_directories: .htpasswd/.htaccess file not updated via cron

List Control Panel tablet/mobile view does not show a “log out” button, if there is < 2 mailing lists

Sending messages via the List Control Panel does not look for validity in template tags