Being used as a spam attack vector

Some time ago I was used as a spam attack vector.

I had just opened a new site where I host a list of courses.

Each of those courses has a signup form for a waiting list, where I asked for name and email, so when I launch the course you signed up for, you’ll get an email from me.

This is a double opt-in list. When you sign up, you’ll get a confirmation email before being actually on the list.

Double opt-in is a great way to avoid having in your list people that do not intend to be subscribed. If someone comes on my site and enters someone else’s email, they will get the confirmation email (there’s nothing I can do to prevent that) but at least until they confirm they are not in the list.

It’s also great to avoid spam and complaining (I have no idea how people do with single opt-in lists, TBH).

In this confirmation email I was using the name to greet the person. Something like this:

Hi <NAME>, please confirm your email by clicking here: <LINK TO CONFIRM>

I’ve had a similar format for years. What I realized after the attack was that anyone could go and type whatever message in the name field, and someone else’s email in the email field. In this way I am sending a message to the email with whatever message they wanted.

Now, that message was embedded inside the email in a weird way, and there’s escaping and HTML cleanup of course.

But it’s still a vector for spam.

Pair this with the fact that I forgot to add a captcha, and a malicious bot was able to send lots of emails through this form, until I (and AWS) noticed, and halted the process.

I noticed as I was getting multiple weird automatic email replies. Then I checked the DigitalOcean server analytics and it had a very high network and CPU activity, very unusual.

Initially I just shut the server off, as I wasn’t sure what was happening. I hate servers, I’ve been hacked in the past multiple times and despite all the safety measures you can think of, read about, and implement, my idea is that if someone tries hard to violate your server, they will.

After all, all the major corporations have been hacked in one way or another, data has been stolen, etc etc.

How can I even think about protecting a server, unless I become a security expert? There’s no way. And I do not care. It should be an implementation detail, yet it’s so prone to major disruptions.

This is one reason why my #1 preference is for creating static sites. The #2 preference is serverless, with Next.js and Vercel for example. #3 comes a PAAS like Heroku.

Anything that’s managed by anyone else. I am happy to pay for that, too, if it helps me clear this problem from my headspace.

A VPS to me is the last option, but sometimes you can’t avoid that. It also helps reducing costs, of course.

Since my list server is on a VPS, I immediately thought it got hacked. But it wasn’t. It was just a spam bot hitting my email signup form thousands of times.

Which is super bad, but at least the solution was easy, taking two minutes to implement a ReCaptcha. With that, the bot could not submit until solving the captcha, which is a very hard thing to do unless the bot is very sophisticated (and Google always improves their ReCaptcha implementation to fight bots).

Lessons learned: always add a captcha.

Download my free Programming Ebooks!