Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Please don't always send an email. A malicious person can now start signing up every day with a bunch of emails resulting in users who do have an account receiving an email from your site daily/hourly saying "we noticed you're trying to sign up again". At which point they become annoyed with your service and either unsubscribe or delete their account.

Hotmail do this everytime someone tries to reset my password which happens almost daily as I have what turns out to be an account name that is in demand and it's really irritating. And there is nothing I can do to stop someone attempting to reset my password - I have 2 factor switched on so they won't be successful.

Of course you can add more logic in to try and be more intelligent about when the emails are sent, but most sites won't get this right when they can't even store passwords correctly.



An attacker could already do this via nearly every service's "forgot my password" functionality, as you noted yourself in the case of hotmail.

As the original author noted, rate limiting is also a fundamental requirement for security. Eventually no more emails are sent because the offending IP addresses are effectively blocked.

Make email notifications an option for users (enabled by default, with an easy link in the email to disable), and you ensure your users that your service is secure, while giving them the ability and easy path to ignore it.


Regarding rate limiting, must really suck to live in Qatar and be behind a proxy server with a single IP address with the whole rest of the country...



Re your Hotmail problem, personally I would spend 30 seconds configuring sieve to filter those annoying emails into my Trash so I never have to see them again. Problem solved.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: