How can I prevent a scan from causing an email flood?
Apart from being an annoyance, if the problem of mass mailing has impacted your site then it could be a web application vulnerability in itself. A hacker or malicious user can perform the same steps to flood the mail system, for example by using automated bots. This issue is dependent on how the custom website actually works at the server-side, with certain types of requests. This mass mailing can be caused by more than one thing: forms, links, and multiple requests.
As a black box scanner, Acunetix cannot predict if a website contains such entry points, since emails are actually sent at the server side.
It is important to be aware that this can be exploited like a vulnerability to cripple a server, therefore such mass mailing entry points should be made more secure. When using forms for sending emails (e.g. registration forms), techniques such as CAPTCHA (http://en.wikipedia.org/wiki/Captcha) should be implemented to validate the input and protect such forms against bots.
Resolution
To avoid from receiving such emails while scanning your website with Acunetix, follow the following steps:
- Add a filter in the Directory and File Filters node to exclude the mailing script from being scanned. For example, if contact_us.html posts details to /cgi-bin/mailer.php, add the URL of mailer.php to the exclusion list
- Control the request by denying any requests which try to access the script that generates emails directly, or from any other invalid referrers; this will also protect your mail server when a malicious user tries to abuse the script’s functionality
You can read more about this issue and other ways to tackle it from the following blog post: Ways to avoid email floods when running Web vulnerability scans.