Prevent verification email spam

[Changaco]

Report: https://hackerone.com/reports/87531

Simply copying Gratipay's solution won't be enough, because it doesn't entirely fix the problem: you can avoid the throttling by deleting and re-adding the address. (cc @whit537)

Also, I don't think adding a fixed delay is a good enough solution. At the very least the user being spammed needs an immediate way to stop the spam (a "I didn't request this, stop sending me emails" button). Stricter throttling would also be nice.

[Changaco]

I have a first case of this, here's a message received a few minutes ago in response to a verification email:

I didn't create an account on Liberapay. Please quit sending me emails.

[Changaco]

It was a single email though, not repeated spam.

[revi]

Maybe having a blacklist of unsubscribed people and stop sending if an address matches?

[Changaco]

+1 from a security researcher via email. I've added a link to https://github.com/liberapay/liberapay.com/issues?q=is%3Aissue+is%3Aopen+label%3ASelf-defense in https://liberapay.com/about/security to try to prevent reports of known issues in the future.

[chadwhitacre]

https://github.com/gratipay/gratipay.com/pull/4349 is what we came up with.

[Changaco]

Thanks @whit537. I don't want to use the email queue for throttling, because emails that are sent to a user at their request should not be queued, they should be sent immediately. Also, emails are removed from the queue as soon as they're sent, but I'd like to have more stable throttling (e.g. per day).

[Changaco]

1251 created an email_blacklist table that we can use to fix this issue.

[Changaco]

I'm reopening this issue because it's still too easy to create a large number of accounts using other people's email addresses, as illustrated by the unidentified bot who has been creating ghost Liberapay accounts for more than a month now.

[Changaco]

The real solution to this problem is #1687, but that's long term. In the meantime we need to make it more difficult for an attacker to create a large number of accounts. Our current mitigation is the use of Cloudflare's JavaScript challenge to hinder the creation of accounts by bots, but that's not ideal.

[Changaco]

For the record, the creation of a significant number of ghost accounts by the aforementioned bot raised our “complaint rate” enough to trigger a review process at AWS. After I explained the cause Amazon closed the review and reset our bounce and complaint rates to zero, so we're okay for now.

[Changaco]

Possible solution (not just a mitigation), at the cost of user friendliness: #2291.