Potential Abuse of “Email Personalized Schedule” Feature

r6268-meta adds a new feature where WordCampWordCamp WordCamps are casual, locally-organized conferences covering everything related to WordPress. They're one of the places where the WordPress community comes together to teach one another what they’ve learned throughout the year and share the joy. Learn more. attendees can bookmark sessions on the schedule that they want to attend, and then e-mail themselves their personalized schedule (per #2733-meta). The feature is aimed at attendees, so it doesn’t require logging in to an account.

Screen Shot 2017-12-13 at 2.51.12 PM

The email portion of that is temporarily disabled, though, so that we can discuss the potential for abuse, and any necessary mitigations.

As far as I can tell, there are 3 primary scenarios for abuse:

“Dumb” bots

These are the ones that just search for any

they can find, and POST spam content to it. These shouldn’t work at all, since the
doesn’t have an action; instead, JavaScriptJavaScript JavaScript or JS is an object-oriented computer programming language commonly used to create interactive effects within web browsers. WordPress makes extensive use of JS for a better user experience. While PHP is executed on the server, JS executes within a user’s browser. https://www.javascript.com/. traps the click event and sends the request to the REST APIREST API The REST API is an acronym for the RESTful Application Program Interface (API) that uses HTTP requests to GET, PUT, POST and DELETE data. It is how the front end of an application (think “phone app” or “website”) can communicate with the data store (think “database” or “file system”) https://developer.wordpress.org/rest-api/.. Even if the bot tried to POST the request to the current URLURL A specific web address of a website or web page on the Internet, such as a website’s URL www.wordpress.org, that still wouldn’t trigger the handler.

“Smart” bots

These are advanced enough to be able to interact with the DOM. I still don’t think these would work, because the handler returns early if no session IDs are passed. In order to actually send an email, the bot would have to star a session, meaning that it would have to be tailor-made to this particular pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party.

I don’t think anybody would go to that much trouble, since they could get much more impact for far less effort elsewhere. They wouldn’t be able to send any spam content, all they would achieve would be annoying the recipient, and hurt our server’s spam reputation. Annoying the recipient could be done more easily with millions of web forms that don’t require any complex interactions. Hurting our server’s reputation is plausible, but still seems very unlikely.

That doesn’t seem like a compelling enough reason to burden the user with a CAPTCHA, or to take up our limited time and introduce non-essential complexity with a rate-limiter.

A human manually submitting the form

This is essentially the same as a “smart” bot; the costs seem to far outweigh the benefits.

If we get any reports of abuse, or notice our mail server being blacklisted, then we can definitely temporarily disable the emails with email_fav_sessions_disabled() and work on a fix, but it seems premature to do anything right now.

Waiting until there’s actually some sign of abuse saves us the opportunity cost of spending time on a feature we’ll probably never use, and it also puts us in a better position to correctly fix the abuse in the unlikely event that it does happen. Right now we’re just guessing at how it might be abused, but if it does actually happen, then we’ll know the details and will be able to address it directly.

What do you all think? Do you all have any objections to turning it on?