Joined: Jul 2005
Posts: 45
newbie
Hi all,
We received an email from a member, saying they'd received over 100 'request for password' emails from our system, and due to the annoyance of this, they wished to be deleted from our database. We obliged the request but it's left us wondering how many other members might be affected similarly.
We're running 7.5.9
I suppose it was some rotten robot code responsible. Would anyone be able to please advise if there is a way in the CP that would allow us to limit the number of password requests to a single user that is permitted within a given time frame? If not, is there any other method that would work to prevent this sort of thing? I've peeked around in the CP, admin manual and tried a quick search here but didn't spot anything.
Any thoughts would be greatly appreciated! mig
Joined: Jun 2006
Posts: 16,299 Likes: 116
Do you have the ability to browse the mail log from your mail server? You can validate exactly how many emails left your system to this user if so. If someone other than him requested a new password it was likely either a bot or another malicious user trying to get access to his account (though I'm not sure what they thought requesting a new password would accomplish).
Joined: Jul 2005
Posts: 45
newbie
Hi Gizmo,
Yes, I think I do have the ability to browse the mail log. I haven't been in there in, well, years now so I'll have to muddle my way through. That sounds worth checking at least to validate what occurred. I'm guessing it was a dumb bot.
Thanks for the suggestion - I appreciate your reply!! mig
Joined: Jun 2006
Posts: 16,299 Likes: 116
I was talking with Isaac last night and he made a good observation: it's possible that there could have been a server hiccup (aka the page wasn't loaded) and an impatient user could have hit the refresh button during a page load of the forgot password system, which could also result in multiple messages being sent to the user as well (though, the mail log should be able to tell us how many messages were actually sent to a user, what IP address requested the new password link, and with the IP you can see if it was any of your legit users by comparing via the member management tool in the CP).
Joined: Dec 2003
Posts: 6,562 Likes: 78
If it were me, I would test it for myself; meaning just log out and request a lost password.
Even though it will send you an email with a temporary password, it is just that; you can ignore the new password and continue to use the original one.
I don't doubt the user had multiple emails sent by some fluke but 100 is a lot. Possibly he only had a few too many, but 100?
But anyway the software is designed to send only one email per request.
Blue Man Group There is no such thing as stupid questions. Just stupid answers
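The per-user limit asked about in the first post, as an added example that is not part of the thread and not the forum software's own code: a sliding-window throttle keyed on the target account, with a short minimum gap that also absorbs the page-refresh case raised above. The class and function names, the in-memory store and the policy values (3 mails per hour, 60 second gap) are assumptions for illustration.

```python
import time
from collections import defaultdict, deque


class ResetThrottle:
    """Sliding-window limit on password-reset emails per target account."""

    def __init__(self, max_per_window=3, window_seconds=3600,
                 min_gap_seconds=60, clock=time.monotonic):
        self.max_per_window = max_per_window    # assumed policy: 3 mails per hour
        self.window_seconds = window_seconds
        self.min_gap_seconds = min_gap_seconds  # absorbs refresh / double submit
        self.clock = clock                      # injectable so the logic is testable
        self._sent = defaultdict(deque)         # in-memory: account key -> send times

    @staticmethod
    def _key(account):
        # Normalise so "Bob@Example.com " and "bob@example.com" share one bucket.
        return account.strip().lower()

    def allow(self, account):
        """Return True if a reset email may be sent to this account now."""
        now = self.clock()
        sent = self._sent[self._key(account)]
        # Forget sends that have aged out of the window.
        while sent and now - sent[0] >= self.window_seconds:
            sent.popleft()
        if sent and now - sent[-1] < self.min_gap_seconds:
            return False                        # repeat of a request just handled
        if len(sent) >= self.max_per_window:
            return False                        # window quota used up
        sent.append(now)                        # only mails actually sent are counted
        return True


def handle_forgot_password(throttle, account, send_mail):
    """Hypothetical request handler wrapping the throttle."""
    if throttle.allow(account):
        send_mail(account)
    # Identical reply either way, so the form does not reveal throttling state
    # or whether the account exists.
    return "If that account exists, a reset email has been sent."
```

Keying on the target account rather than the requester's IP is what caps the mail one member receives, since a bot can rotate addresses.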