Rate-limit sending of e-mails #2992

reivilibre · 2024-07-24T10:47:15Z

'Resend email' button on account recovery form is not ratelimited
probably we need to apply the ratelimit overall to any e-mail initiated by an anonymous user, at the very least
- registration
- recovery
- resends of the above
Probably ditto for logged in users that are trying to add a new address to their account

Users spamming themselves is still undesirable, but less awful. But worth noting this probably still impacts the sender reputation so we should control that too.

For updates like 'your password has been changed' etc, I think the best way to do that might be to roll-up multiple updates into one e-mail, if we are past the limit. This is probably something that would need to shift to a different issue.

For my own IdP project I have used the governor crate and that seemed to do the business.

This kind of thing could also be done in the reverse proxy (e.g. nginx can do it) but it's probably best to have it work out of the box, given we don't want to make it hard for operators to set up.

The text was updated successfully, but these errors were encountered:

reivilibre added T-Defect Something isn't working S-Major Major functionality / product severely impaired, no satisfactory workaround. T-Enhancement New feature of request and removed T-Defect Something isn't working labels Jul 24, 2024

sandhose mentioned this issue Aug 7, 2024

Add rate-limiting for account recovery and registration #3093

Merged

reivilibre closed this as completed in #3093 Aug 7, 2024

matrixbot mentioned this issue Sep 10, 2024

Rate-limit sending of e-mails element-hq/matrix-authentication-service#2992

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Rate-limit sending of e-mails #2992

Rate-limit sending of e-mails #2992

reivilibre commented Jul 24, 2024

Rate-limit sending of e-mails #2992

Rate-limit sending of e-mails #2992

Comments

reivilibre commented Jul 24, 2024