Hello Kitty, Destroyer of Worlds (rahaeli) wrote in suggestions,

Place time-based throttling on Lost Information routines

Short, concise description of the idea
Alter http://www.livejournal.com/lostinfo.bml so that it will only allow username/password requests once per hour.

Full description of the idea
(Idea from leora, writeup by me.) Place bounds on http://www.livejournal.com/lostinfo.bml so that a username/password request from a particular email address or username (or possibly from a particular IP address) can only be made once per hour. This will eliminate the possibility for a malicious user to "spam" a victim with no public email address and no comment boards enabled. Currently, a harasser could use the Lost Information system to mailbomb the chosen victim with endless emails containing the user's username and password, apparently sent from LiveJournal itself. Placing a limit of one password request per hour for each user account would eliminate this risk, and not negatively impact legitimate users of the function.

An ordered list of benefits

  • Eliminate the risk of "mailstorms" limited only by the harasser's Internet connection speed and the speed of the LiveJournal server;
  • Reduce the potential loss of face to LiveJournal;
  • Eliminate an additional potential form of harassment which is currently not blockable or stoppable;
  • Provides the basis for code which could be added later, to detect multiple password-retrieval attempts and block them, to reduce load.
An ordered list of problems/issues involved

  • Must store information about last password request;
  • Increases processing time and server load to look up last password request with each subsequent request.
An organized list, or a few short paragraphs detailing suggestions for implementation

  • Add tracking for last password-request time;
  • Implement code which checks, with password requests, when the last request was, and does not send email if the last request has been within an hour.
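The check described in the two steps above, written out as an added example (Python rather than the site's own Perl/BML; this is illustrative code, not LiveJournal's). It assumes the last-request times live in a simple in-memory map keyed by username, email address and, optionally, the requesting IP; a real deployment would keep that map in the database or a cache so it is shared across web servers.

```python
import time
from typing import Callable, Dict, List, Optional

ONE_HOUR = 3600  # throttle window in seconds, as proposed in the suggestion


class LostInfoThrottle:
    """Records when a password reminder was last sent for each key and refuses
    to send another within the window. Keys are an assumption for this sketch:
    normalised username, normalised email, and optionally the client IP."""

    def __init__(self, window: int = ONE_HOUR,
                 clock: Callable[[], float] = time.time) -> None:
        self.window = window
        self.clock = clock          # injectable so the check can be tested
        self.last_sent: Dict[str, float] = {}   # key -> unix time of last send

    def _keys(self, username: str, email: str, ip: Optional[str]) -> List[str]:
        # Normalise case and whitespace so "Alice" and "alice" share one bucket.
        keys = [f"user:{username.strip().lower()}",
                f"email:{email.strip().lower()}"]
        if ip:   # optional, per the suggestion; shared NAT addresses make this coarser
            keys.append(f"ip:{ip}")
        return keys

    def seconds_until_allowed(self, username: str, email: str,
                              ip: Optional[str] = None) -> int:
        """0 if a reminder may be sent now, else seconds left on the longest
        active hold among the keys involved."""
        now = self.clock()
        wait = 0.0
        for key in self._keys(username, email, ip):
            last = self.last_sent.get(key)
            if last is not None:
                wait = max(wait, self.window - (now - last))
        return int(max(wait, 0))

    def request_reminder(self, username: str, email: str,
                         ip: Optional[str] = None) -> bool:
        """True if the email should be sent (and the send is recorded);
        False if the request falls inside the throttle window."""
        if self.seconds_until_allowed(username, email, ip) > 0:
            return False            # nothing sent, nothing recorded
        now = self.clock()
        for key in self._keys(username, email, ip):
            self.last_sent[key] = now
        return True
```

Because a blocked request records nothing, a flood of requests cannot keep extending the hold; the legitimate owner can retry exactly one hour after the last email actually went out.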

Tags: ~ historical