Web apps are a target for abuse by individuals or other nefarious apps/bots. Dada Mail is no exception. Although we haven’t discovered a vulnerability in the app itself, it’s true that attempts are made, however unsuccessful they are. Here are a few ways to safeguard Dada Mail from these attacks.
Closed-Loop Opt-In Confirmation
The first line of defense doesn’t seem like one, but it’s the best defense against abuse of your app by hackers and spammers. Always make sure Closed-Loop Opt-In Confirmation is enabled for your public mailing lists – there’s no excuse not to use it.
Closed-Loop Opt-In Confirmation’s main job is to make sure only valid email addresses are added to your mailing list, and to confirm that the actual person who owns the email address wants to receive your mailing list messages. Without this feature enabled, anyone may subscribe anybody to your mailing list, leading to all sorts of problems.
It’s enabled by default, but this option can be found inside the list control panel in Mailing List: Options. Look for the checkbox labeled Require Closed-Loop Opt-In Confirmation.
Disallowing Multiple Confirmation Requests
By default, Dada Mail does not allow a user to try to subscribe to the same mailing list twice. This guards against simple abuse of your subscription forms, whether by neglectful users or by automated processes that have run amok. If an additional confirmation request is attempted, the user will still be allowed another subscription request once a CAPTCHA is solved.
This option can be found inside the list control panel in Mailing List: Options. Look for the checkbox labeled Limit subscription confirmation sending. We suggest always leaving this option enabled.
StopForumSpam Protection
StopForumSpam is a third-party service that keeps a database of usernames, email addresses and IP addresses that have been reported as abusive throughout the Internet. Dada Mail has support to look up both the email address and the IP address of a subscription request. If either comes up as positive, the subscription request is blocked from being completed.
This option is also enabled by default (see a trend?) and can also be found in the list control panel in Mailing List: Options. Look for the checkbox labeled Enable StopForumSpam Protection. StopForumSpam support does require the Perl CPAN module LWP to be installed, but even on shared hosts this is usually available without additional installation. If you can send a webpage, you will be able to use this feature, as both rely on LWP.
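To make the lookup rule concrete, here is an added example (not Dada Mail’s own code, and written in Python rather than Dada Mail’s Perl so it runs stand-alone) that builds the query URL for StopForumSpam’s JSON API and then applies the decision described above to a parsed reply: block if either the email or the IP is listed. The HTTP fetch itself is left out so the example runs offline; the sample replies are constructed in the documented response shape, and the `min_confidence` knob is an assumption of this example, not a Dada Mail option.

```python
from __future__ import annotations

import json
from urllib.parse import urlencode

# Public StopForumSpam query endpoint. The HTTP call is deliberately left out
# so this runs offline; any HTTP client (LWP in Perl, as the article notes)
# can fetch build_lookup_url(...) and hand the parsed JSON to evaluate_lookup().
SFS_API = "https://api.stopforumspam.org/api"


def build_lookup_url(email: str, ip: str) -> str:
    """Query URL that checks both the email and the IP of one subscription request."""
    return f"{SFS_API}?{urlencode({'email': email, 'ip': ip, 'json': ''})}"


def evaluate_lookup(payload: dict, min_confidence: float = 0.0) -> tuple[bool, list[str]]:
    """Apply the rule from the article: block if either the email or the IP
    comes up as listed. `min_confidence` is an assumed extra knob (not a Dada
    Mail option): listings whose confidence score is below it are ignored."""
    if not payload.get("success"):
        # The lookup itself failed (service down, malformed reply). Failing open
        # keeps real subscribers from being lost; the reason is returned so it
        # can be logged, and the other defences (opt-in, rate limiting) still apply.
        return False, ["lookup failed; not blocking on StopForumSpam"]
    reasons: list[str] = []
    for field in ("email", "ip"):
        entry = payload.get(field) or {}
        if not entry.get("appears"):
            continue
        confidence = float(entry.get("confidence", 100.0))
        if confidence >= min_confidence:
            reasons.append(
                f"{field} listed (frequency={entry.get('frequency', 0)}, "
                f"confidence={confidence})"
            )
    return bool(reasons), reasons


# Constructed replies in the shape the JSON API returns (not captured from the
# service): one with a listed email address, one clean, one failed lookup.
SAMPLE_LISTED = json.loads(
    '{"success":1,'
    '"email":{"frequency":12,"appears":1,"lastseen":"2024-01-01 00:00:00","confidence":92.3},'
    '"ip":{"frequency":0,"appears":0}}'
)
SAMPLE_CLEAN = json.loads(
    '{"success":1,"email":{"frequency":0,"appears":0},"ip":{"frequency":0,"appears":0}}'
)
SAMPLE_FAILED = json.loads('{"success":0,"error":"constructed failure"}')

if __name__ == "__main__":
    print(build_lookup_url("someone@example.com", "203.0.113.7"))
    for name, reply in (("listed", SAMPLE_LISTED), ("clean", SAMPLE_CLEAN), ("failed", SAMPLE_FAILED)):
        blocked, why = evaluate_lookup(reply)
        print(f"{name}: blocked={blocked} {why}")
```

The one design choice worth noticing is what happens when the service is unreachable: this example fails open and reports why, on the reasoning that Closed-Loop Opt-In and rate limiting are still in front of the list, so an outage at a third party should not silently turn away real subscribers.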
Rate Limiting
Rate Limiting is a feature in Dada Mail that tracks where requests for the various functions of Dada Mail come from (not just subscription requests), and sets limits on what it’ll allow before it senses there may be an attempt to abuse the app. Think Denial of Service (DoS) attacks, or brute-force password cracking. Rate Limiting can help nip this in the bud.
Rate Limiting is enabled by default, but its options can be customized during installation from within the Dada Mail installer. See the installer’s advanced configuration docs for more information.
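The mechanism behind this kind of feature is simple to show. Below is an added example (not Dada Mail’s implementation, and in Python rather than Perl so it runs stand-alone) of a sliding-window limiter keyed by client IP and app function, so that a burst against the login screen is counted separately from subscription requests. The request stream, the per-function keying and the limit of 5 per 60 seconds are all assumptions of the example; Dada Mail’s own limits are set in its installer, as described above.

```python
from __future__ import annotations

from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each key.

    Keys are (client IP, function name), an assumed policy: a burst against
    the login screen is counted separately from subscription requests, so one
    hot spot does not lock an address out of the whole app.
    """

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._hits: dict[tuple[str, str], deque[float]] = defaultdict(deque)
        self.blocked: dict[tuple[str, str], int] = defaultdict(int)  # for logging/alerting

    def allow(self, client_ip: str, function: str, now: float) -> bool:
        """Return True if this request is within budget, recording it if so.
        `now` is passed in (seconds) so the logic is testable without a clock."""
        key = (client_ip, function)
        hits = self._hits[key]
        cutoff = now - self.window
        while hits and hits[0] <= cutoff:      # drop hits that fell out of the window
            hits.popleft()
        if len(hits) >= self.limit:
            self.blocked[key] += 1
            return False
        hits.append(now)
        return True


# Constructed request stream: (seconds, client IP, function). Not a real log.
# One address hits the login screen eight times in eight seconds, another
# address logs in once, and the first address comes back after the window.
CONSTRUCTED_REQUESTS = (
    [(float(t), "203.0.113.7", "login") for t in range(8)]
    + [(3.5, "198.51.100.2", "login"), (70.0, "203.0.113.7", "login")]
)


def screen(requests, limit: int = 5, window: float = 60.0):
    """Run a request stream through the limiter; returns (ip, function, allowed) per request."""
    limiter = SlidingWindowLimiter(limit, window)
    return [(ip, fn, limiter.allow(ip, fn, t)) for t, ip, fn in requests]


if __name__ == "__main__":
    for ip, fn, allowed in screen(CONSTRUCTED_REQUESTS):
        print(f"{ip:15} {fn:8} {'allowed' if allowed else 'BLOCKED'}")
```

The `blocked` counter is the detection side of the feature: a key that keeps tripping the limit long after the first refusal is the signature of the brute-force or DoS pattern the article mentions, and is worth surfacing in the app’s logs rather than only refusing silently.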
Blocking Suspicious IP Address Activity
Sometimes, none of the above tests seem to help. Requests for subscription come from different email addresses, or are spread over a long time frame, and the email address and IP address aren’t listed on StopForumSpam. Still, there seems to be something fishy about all these different requests coming from the same IP address. Enter Suspicious IP Address Activity Protection. This feature looks at the records of subscription requests and checks whether there’s a strange correlation between requests for different email addresses from the same IP over a large amount of time. If there is, the subscription request is blocked.
This feature is also enabled by default and the option can also be found in the list control panel in, Mailing List: Options. Look for the checkbox labeled, Enable Suspicious IP Address Activity Protection.
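The correlation the feature looks for can be expressed as a per-IP sliding window over the subscription-request records. The example below is added here and is not Dada Mail’s code (Python, so it runs stand-alone); the records are constructed, and the window (24 hours) and the threshold (more than 3 distinct addresses) are assumptions, since the article does not give Dada Mail’s values. It counts how many different email addresses one IP has asked to subscribe within any window-long span and flags the IP when that count passes the threshold, while leaving alone a user who retries the same address and an address that two people share days apart.

```python
from __future__ import annotations

from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed subscription-request records (timestamp, client IP, email), not
# taken from any real Dada Mail install. One address asks to subscribe six
# different mailboxes within a few hours; the others look like ordinary use.
CONSTRUCTED_RECORDS = [
    ("2024-03-01T08:00:00", "203.0.113.7", "alice@example.com"),
    ("2024-03-01T08:40:00", "203.0.113.7", "bob@example.com"),
    ("2024-03-01T09:15:00", "203.0.113.7", "carol@example.net"),
    ("2024-03-01T10:05:00", "203.0.113.7", "dave@example.org"),
    ("2024-03-01T11:30:00", "203.0.113.7", "erin@example.com"),
    ("2024-03-01T12:55:00", "203.0.113.7", "frank@example.net"),
    ("2024-03-01T09:00:00", "198.51.100.2", "grace@example.com"),
    ("2024-03-01T09:03:00", "198.51.100.2", "Grace@Example.com"),  # same person, retried
    ("2024-02-20T14:00:00", "192.0.2.9", "heidi@example.com"),
    ("2024-03-01T14:00:00", "192.0.2.9", "ivan@example.com"),       # two people, ten days apart
]


def suspicious_ips(records, window: timedelta, max_distinct: int) -> dict[str, int]:
    """Flag each IP that submitted more than `max_distinct` different email
    addresses inside any `window`-long span. Returns {ip: peak distinct count}.
    Thresholds are assumptions; the article does not give Dada Mail's values."""
    by_ip: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for stamp, ip, email in records:
        # Normalise the address so a retry with different capitalisation is
        # not mistaken for a second subscriber.
        by_ip[ip].append((datetime.fromisoformat(stamp), email.strip().lower()))

    flagged: dict[str, int] = {}
    for ip, events in by_ip.items():
        events.sort()
        active: deque[tuple[datetime, str]] = deque()
        seen: Counter[str] = Counter()
        for when, email in events:
            active.append((when, email))
            seen[email] += 1
            while active and active[0][0] < when - window:   # expire requests outside the window
                _, old = active.popleft()
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
            if len(seen) > max_distinct:
                flagged[ip] = max(flagged.get(ip, 0), len(seen))
    return flagged


def should_block(ip: str, records, window=timedelta(hours=24), max_distinct: int = 3) -> bool:
    """Gate for a new subscription request from `ip`, given the request history."""
    return ip in suspicious_ips(records, window, max_distinct)


if __name__ == "__main__":
    print(suspicious_ips(CONSTRUCTED_RECORDS, timedelta(hours=24), 3))
```

When tuning a check like this, keep in mind that many legitimate users can sit behind one NAT or proxy address (an office, a campus, a mobile carrier), so a threshold that is too tight will block a burst of genuine sign-ups from one event; a blocked request should therefore be logged with the IP and the distinct-address count so a list owner can tell the two cases apart.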