
Hey GDNet, stop spamming me.

4 comments, last by jpetrie 8 years, 4 months ago
Starting some time last night, GDNet has been sending me emails every few seconds. They all look like this:

Guest has posted a new post titled "1". This post is pending moderator approval.

You can view the full post and comments at this link:

http://www.gamedev.net/page/news/index.html/_/general-news/1-r55927

The links go nowhere. Disabling all email notifications does not seem to stop it, and I got 446+ emails in the last few minutes. Please fix this. I have deleted my email address from my profile until you stop spamming me.

(edit: that didn't work, so maybe I have some other email record associated with my account because I'm a moderator? Please find and remove that if so. Until then I've had to resort to blacklisting *@gamedev.net from my servers).

The blacklisting works, but from a few of the emails I saw as I've been deleting them, it looks like these are maybe due to somebody trying to spam the news posting endpoint.

Yeah, it's crazy... somebody is either doing a security test on the site or trying to hack the site. All these reports come from automated attempts to exploit SQL injection vulnerabilities. It's exhaustive, but it should be done now... I'm not sure how many emails got sent out of the queue, but it could be a bit.

Weirdly enough, I didn't get a single email. It must have only picked up some moderator emails.

Tristam MacDonald. Ex-BigTech Software Engineer. Future farmer. [https://trist.am]

Yeah, I didn't get anything either, saw a few of the others were affected though.

- Jason Astle-Adams

The problem has been fixed now. Just delete the emails (I got hundreds of them).

-- Tom Sloper -- sloperama.com

This is the second time I've seen this happen (it happened around Christmas '15 as well, but I only got about 20 emails from it).

Do we know what notification option this was tied to? Are we sure it's one we as users can opt out of? I'm not really keen on putting a real email address back into this system if it's still susceptible to this problem.

Equally important: This is a massive DoS feature ("feature"), even more so as it's now published.

If every request that looks like it's a SQL injection attack triggers an email being sent to several people, well... I can easily do a hundred requests per second from my at-home computer if I'm so inclined (assuming I wanted to bring the site down). How many emails per second can the server send out in addition to handling its normal traffic and logging and doing whatnot else? How many emails per second are you willing to receive in the worst case? Seriously, this is not good.

If anything, it should batch alerts together, or do some other serious rate-limiting. Such as turning off email notifications for half an hour (or an hour) if more than three were sent within a minute.
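One way to implement the batching and rate-limiting the post above describes, written as an added Python example that is not part of the original thread and not GameDev.net's own notification code. The thresholds (three alerts per minute, then notifications off for half an hour) are the ones the post suggests; the class name, the digest format and the constructed burst of timestamps are assumptions for illustration.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List


@dataclass
class AlertThrottle:
    """Rate-limit security alert emails so a scanner cannot turn them into a DoS.

    Rule (from the post): if more than max_per_window alerts would be sent within
    window_seconds, stop sending for suppress_seconds. Alerts that arrive while
    suppressed are held and summarised in a single digest message afterwards.
    """
    max_per_window: int = 3            # alerts allowed per window
    window_seconds: float = 60.0       # "within a minute"
    suppress_seconds: float = 1800.0   # "half an hour"
    _sent_times: Deque[float] = field(default_factory=deque)
    _suppressed_until: float = 0.0
    _held: List[str] = field(default_factory=list)

    def submit(self, alert: str, now: float) -> List[str]:
        """Offer one alert at time `now` (seconds). Returns the messages that
        should actually be emailed right now: the alert itself, a suppression
        notice, and/or a digest of alerts held during a suppression period."""
        out: List[str] = []

        # A suppression period has just ended: flush everything held as one digest.
        if self._suppressed_until and now >= self._suppressed_until:
            if self._held:
                out.append(
                    f"DIGEST: {len(self._held)} alerts suppressed; first: "
                    f"{self._held[0]!r}; last: {self._held[-1]!r}"
                )
                self._held.clear()
            self._suppressed_until = 0.0
            self._sent_times.clear()

        # Still suppressed: hold the alert, send nothing for it.
        if now < self._suppressed_until:
            self._held.append(alert)
            return out

        # Drop send timestamps that have fallen out of the sliding window.
        while self._sent_times and now - self._sent_times[0] >= self.window_seconds:
            self._sent_times.popleft()

        # Limit reached: this alert would be the (max_per_window + 1)th in the
        # window, so enter suppression and hold it instead of sending it.
        if len(self._sent_times) >= self.max_per_window:
            self._suppressed_until = now + self.suppress_seconds
            self._held.append(alert)
            out.append(
                f"NOTICE: more than {self.max_per_window} alerts within "
                f"{self.window_seconds:.0f}s; suppressing alert email for "
                f"{self.suppress_seconds / 60:.0f} minutes"
            )
            return out

        self._sent_times.append(now)
        out.append(alert)
        return out


def simulate_scanner_burst(count: int = 100, spacing: float = 0.01) -> List[str]:
    """Constructed scenario: `count` injection attempts in quick succession,
    each of which would have produced one email. Returns what actually gets sent."""
    throttle = AlertThrottle()
    sent: List[str] = []
    for i in range(count):
        sent += throttle.submit(f"SQLi attempt #{i} on /page/news/", now=i * spacing)
    return sent


if __name__ == "__main__":
    for msg in simulate_scanner_burst():
        print(msg)
```

With the constructed burst of 100 attempts in one second, only four emails go out (three alerts plus one suppression notice) instead of a hundred; the remaining 97 are rolled into one digest when the first alert arrives after the half-hour window. Whether a digest or a plain counter is preferable depends on how much the moderators actually want to see, but either way the email volume is bounded by the policy rather than by the attacker's request rate.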
