web application security lab

Changing Email Addresses For Spam

While looking back at some of my old speeches, and after writing the last blog post, it occurred to me there is another attack I haven’t heard anyone talk about. Oftentimes spammers will use contact member forms for spamming purposes. But most contact forms can’t spoof the contact name, so this form of spamming is pretty limited. However, let’s consider another common scenario, which is that a user is allowed to change their email address. Almost never is there an email address confirmation link sent to make sure you are indeed the owner of the email address. So let’s take an actual example.

Let’s say Cathy wants to spam Alice, but Alice isn’t a member of the message board. Cathy signs up with two accounts, one to send messages from and one to receive them. Cathy logs in as the second user account and changes her email address to Alice’s. She then logs into the first user account and sends the spam, which then gets routed to Alice. Then Cathy logs in to her second account, switches it to the next spam victim, logs back into her first account and sends a second spam, and so on.

The limitations here are that the email must actually contain the spam message to work, so if it’s just a link back to the platform, that won’t suffice since Alice isn’t a legitimate user of the system, let alone has access to Cathy’s account. The second problem is that the email probably contains some site-specific information which can easily identify the spam as such. And thirdly, many sites send an email change notification to alert users that their email has been changed, so when Cathy switches her address over and over, she will also inadvertently be sending emails to her victims telling them that she’s switching accounts.

But in this way I believe many existing member to member communication functions can be used as spam gateways. Weird, huh?
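The missing confirmation step described above, sketched as an added example (not code from the original post or from any particular forum package): the new address stays pending until its owner presents a one-time token, so member messages keep going to the confirmed address. The class name, method names and the `send_mail` callback are hypothetical, and the daily cap on requests is an assumed policy.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600          # seconds a confirmation token stays valid (assumed policy)
MAX_REQUESTS_PER_DAY = 3  # confirmation mails one account may trigger (assumed policy)

class EmailChangeService:
    """Hypothetical service; send_mail(to, body) stands in for the site's mailer."""

    def __init__(self, send_mail, now=time.time):
        self.key = secrets.token_bytes(32)
        self.send_mail = send_mail
        self.now = now
        self.users = {}     # user_id -> confirmed address
        self.pending = {}   # user_id -> (new address, token hash, expiry)
        self.requests = {}  # user_id -> timestamps of recent change requests

    def _hash(self, token):
        # Only a keyed hash of the token is stored server-side.
        return hmac.new(self.key, token.encode(), hashlib.sha256).digest()

    def request_change(self, user_id, new_email):
        t = self.now()
        recent = [x for x in self.requests.get(user_id, []) if t - x < 86400]
        if len(recent) >= MAX_REQUESTS_PER_DAY:
            return False  # stops one account cycling through many addresses
        self.requests[user_id] = recent + [t]
        token = secrets.token_urlsafe(32)
        self.pending[user_id] = (new_email, self._hash(token), t + TOKEN_TTL)
        # Fixed template only: nothing user-supplied goes into this mail.
        self.send_mail(new_email, "Confirm your new address: token=" + token)
        return True

    def confirm(self, user_id, token):
        entry = self.pending.get(user_id)
        if entry is None:
            return False
        new_email, token_hash, expires = entry
        if self.now() > expires:
            return False
        if not hmac.compare_digest(token_hash, self._hash(token)):
            return False
        del self.pending[user_id]          # token is single use
        self.users[user_id] = new_email    # the switch happens only here
        return True

    def deliver_member_message(self, to_user, body):
        # Member-to-member mail is routed to the confirmed address only.
        self.send_mail(self.users[to_user], body)
```
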

8 Responses to “Changing Email Addresses For Spam”

  1. Ronald van den Heetkamp Says:

    Clever, and hard to protect against. If this is automated you can use those forums, boards, what have ya, to route the sp4m through it. Kinda like a sp4m proxy ;) cool idea since the board of the proxy that sends the messages gets the complaints.

  2. mckt Says:

    Not really *that* hard to protect against.

    A properly designed database should be using non-recycled numeric indexes for that kind of thing. That’s really just basic database optimization, not even a security thing.

    That said, it’s not uncommon to see it done wrong. I know my company’s internal systems were all indexed on usernames until we made them rewrite the thing a year or so ago. It’s amazing to see how much faster it runs, not to mention avoiding namespace collisions when 38 jsmiths are in the company.

  3. mckt Says:

    oops… posted on the wrong article. Forgive me.

    But still… it’s not that hard to prevent, it’s just not a big enough issue yet that people do it.

    And still, even when it is a big enough issue, I have little faith in the coding community that came up with phpbb, mybb, and vbulletin.

  4. Ory Says:

    @ Ronald: you said “hard to protect against” - I actually think it’s pretty simple to protect against this. All you need to do is send an email verification to the new email address you are trying to switch to. This means that Alice will always need to OK the email switch, thus no one else will be able to switch it for her without her knowledge.


  5. ChosenOne Says:

    Just wanted to point out, what Ory just did :)
    If you don’t want your services abused, you should require verification in every case that implies the use of someone’s email address.

  6. TheHorse13 Says:

    Seems that there would be a scaling issue with this given that the more you run through the process you describe, the louder you’re going to be. Once you make enough noise, someone is going to shut you down, more than likely before you can make a serious spam run. Neat idea though. :-)

  7. Ronald van den Heetkamp Says:

    You’re right!

    I totally forgot that, to my knowledge that is being done already with most websites. :)

  8. Lawrence Pingree Says:

    Hi man,
    this has already been done for quite a while. There are trolling scripts that have been taking advantage of this technique for over a year or so. This is why most products send an email to confirm the email address change, if it’s not confirmed, then there’s no mail that can be sent. Now as far as denial of service, I imagine without the proper controls in place to detect the multiple email address changes, then one could potentially flood the recipient’s email address with change notifications…. potentially……