Last modified: 2010-05-15 15:38:52 UTC

Bug 4227 - Add a throttle to new password requests - 3rd party mail bombing
Status: RESOLVED DUPLICATE of bug 5370
Product: MediaWiki
Classification: Unclassified
Component: User login and signup
Importance: Normal normal with 2 votes
Assigned To: Nobody
Reported: 2005-12-09 02:44 UTC by Jason
Modified: 2010-05-15 15:38 UTC

Description Jason 2005-12-09 02:44:43 UTC
If you enter any user's name @ Special:Userlogin and endlessly click on the "Mail
me a new password" button you can generate a large amount of traffic to anyone's
email. Automated versions creating DOS attacks against email services effectively
using a wikisite as a 3rd party service.
Comment 1 Rob Church 2005-12-09 07:47:27 UTC
Is this still an issue in a release version of MediaWiki? What of CVS HEAD?
Comment 2 Jason 2005-12-10 23:59:16 UTC
Also saw this in version 1.5.3
Comment 3 Antoine "hashar" Musso (WMF) 2005-12-11 20:32:27 UTC
Old subject:
'Add a throttle to the "mail new password" feature to counter mass-email spam'
Comment 4 Rob Church 2005-12-11 21:11:35 UTC
Er, the old summary actually listed what the request was. This is a more
unhelpful summary.
Comment 5 Jason 2005-12-17 03:55:01 UTC
Noticed this was moved to Severity enhancement? Fixing using a MediaWiki server
as a mail bomb platform is an enhancement?
Comment 6 Zigger 2005-12-17 13:20:38 UTC
(In reply to comment #5)
Is unthrottled sending regarded as a bug in SMTP servers and other mail services?
Also debatable is whether this counts as a DOS lever/accelerator when it would
cost more bytes than it generates.

But the request still gets my vote as it would remove another potential source
of nuisance and bad PR.
Comment 7 Rob Church 2006-05-16 03:04:58 UTC

*** This bug has been marked as a duplicate of 5370 ***
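
A throttle of the kind this report asks for, as an added example that is not MediaWiki's code and not part of the original thread: it limits reset mails per target account as well as per requester, so repeated clicks cannot flood one mailbox even when the requests arrive from many addresses. The class name, the limits (1 mail per account and 5 per requester per hour), the lowercase username normalisation and the in-memory store are all assumptions made for illustration.

```python
import time
from collections import defaultdict, deque


class ResetMailThrottle:
    """Sliding-window limit on reset mails, per target account and per requester (hypothetical)."""

    def __init__(self, per_account=1, per_requester=5, window=3600, clock=time.time):
        self.limits = {"account": per_account, "requester": per_requester}
        self.window = window  # seconds
        self.clock = clock    # injectable so the window can be tested without sleeping
        self.events = defaultdict(deque)  # (kind, key) -> timestamps of mails sent

    def _recent(self, kind, key, now):
        # Drop timestamps that have aged out of the window, return what is left.
        q = self.events[(kind, key)]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def allow(self, username, requester_ip):
        """Return True if a reset mail may be sent now, recording it if so."""
        now = self.clock()
        # Assumed canonical form, so "Victim" and "victim " share one bucket.
        account = username.strip().lower()
        buckets = [("account", account), ("requester", requester_ip)]
        queues = [self._recent(kind, key, now) for kind, key in buckets]
        if any(len(q) >= self.limits[kind] for (kind, _), q in zip(buckets, queues)):
            return False  # over a limit: send nothing, record nothing
        for q in queues:
            q.append(now)
        return True


def simulate(clicks, distinct_ips):
    """Constructed scenario: one request per second for a single account,
    spread over `distinct_ips` documentation-range addresses. Returns mails sent."""
    t = [0.0]
    throttle = ResetMailThrottle(clock=lambda: t[0])
    sent = 0
    for i in range(clicks):
        t[0] = float(i)
        if throttle.allow("Victim", f"198.51.100.{i % distinct_ips}"):
            sent += 1
    return sent
```

Keying only on the requester's address would still let 50 addresses deliver 50 mails to the same mailbox; the per-account bucket is what caps it at one per window.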
