How to limit sending SMS when registering users?
Hello!
Here is an interesting question:
A service is being built and registration is being implemented (Java/Spring backend, although this is hardly important). Optionally, the user can be confirmed either by e-mail or by SMS. And here is the question: how do you limit abuse of SMS sending? What are the ways to fight it?
Suppose someone gets at the API and starts hammering the message-sending call. What are the likely ways to fight this?
Thoughts:
1) Limit the capabilities of the API (not a good idea if a lot of users suddenly rush in at once and someone cannot send a message)
2) Allow the send endpoint only after certain steps, i.e. a hypothetical request /sendsms?number=xxx will not work if some intermediate stage has not been passed; in theory one can think about how to control that, for example by prohibiting a repeated registration attempt from one IP.
Any ideas? :)
PS: It's not about sending to one number (that is easy to control) but about mass requests to send SMS to different numbers, i.e. someone with malicious intent makes 1000 requests for 1000 DIFFERENT numbers.
What if some identifier is passed to the API, for example the CSRF token of the registration page? This is certainly not a panacea, but it will keep the API from being used for other purposes.
This question has been asked here several times.
There are a lot of options, and the most effective and most commonly suggested of all is a limit on sending SMS to one number.
By the way, I myself built such functionality for the MP. There I put a limit on one number; beyond that it was blocked, and that's it.
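One way to put the suggestions from this thread into working code, as an added example that is not from the question or any of the answers: a per-number limit alone does not stop the "1000 requests for 1000 different numbers" case from the PS, so the example stacks it with a per-source (IP or session) limit and a global send budget. The limit values, the in-memory store and the `SmsGate`/`simulate` names are assumptions made for the example.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """At most `limit` events per `window` seconds for each key (in-memory, single
    process; a real deployment would back this with Redis or similar)."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)

    def would_allow(self, key: str, now: float) -> bool:
        q = self.events[key]
        while q and now - q[0] >= self.window:   # drop events outside the window
            q.popleft()
        return len(q) < self.limit

    def record(self, key: str, now: float) -> None:
        self.events[key].append(now)


class SmsGate:
    """Three independent limits; all must pass before an SMS is sent.
    The limit values below are assumptions chosen for the example."""

    def __init__(self):
        self.per_number = SlidingWindowLimiter(limit=3, window=3600)     # same phone number
        self.per_source = SlidingWindowLimiter(limit=5, window=3600)     # same client IP / session
        self.global_budget = SlidingWindowLimiter(limit=200, window=60)  # whole service

    def try_send(self, number: str, source: str, now: float) -> str:
        checks = [("number", self.per_number, number),
                  ("source", self.per_source, source),
                  ("global", self.global_budget, "*")]
        for name, limiter, key in checks:
            if not limiter.would_allow(key, now):
                return "denied:" + name   # worth logging: a spike here is the abuse signal
        for _, limiter, key in checks:    # commit only after every check has passed
            limiter.record(key, now)
        return "sent"


def simulate(gate: SmsGate, requests) -> dict:
    """Count outcomes for an iterable of (number, source, timestamp) triples."""
    counts = defaultdict(int)
    for number, source, ts in requests:
        counts[gate.try_send(number, source, ts)] += 1
    return dict(counts)


if __name__ == "__main__":
    # Constructed scenario from the question: 1000 different numbers, one client, one second apart.
    burst = [(f"+100000{i:04d}", "203.0.113.7", float(i)) for i in range(1000)]
    print(simulate(SmsGate(), burst))   # {'sent': 5, 'denied:source': 995}
```

The per-number limiter never fires in that scenario; it is the per-source limit that stops the burst, and the global budget is what catches the same attack spread over many source addresses.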