Increasing IMPACT of No Rate Limit on Email Endpoints.

Shubham SRT
3 min read · Mar 7, 2024


So, have you ever come across an email system that feels like it’s on vacation? You know, no rate limits, just sending emails left, right, and center? Instead of shrugging it off, here’s a little trick to suss out what’s going on. 😉

  1. Check the Email Provider: First off, see if they’re using Amazon SES.

     How to check? Look for some reference to “SES” in the e-mail you received.

     Why? Because Amazon SES has its own set of rules. If the system ain’t playing nice with them, it’s like a red flag waving in the wind.

  2. Spot the Funky Emails: Next, keep an eye out for those weird email addresses. You know, the ones that look like they came from another planet? “hacker¤one@gmail.com” kind of vibe.
     If the system is cool sending to those, chances are it’s not sticking to the email rulebook. [Email RFC 5322]
  3. Amazon SES 101: Let’s talk about Amazon SES for a second. It’s like the reliable uncle of email services.
     But here’s the deal: it’s got this thing called a “Hard Bounce Rate”. 🤷🏻‍♂️
     AWS SES has a hard bounce rate limit of 10% (a hard bounce is an email that couldn’t be delivered for some permanent reason: maybe the email is a fake address, perhaps the email domain isn’t an actual domain, or it’s simply a mistyped email). ⚡
     Long story short, if it keeps hitting up fake email addresses, or addresses that cannot exist under the RFC standard, and they bounce back, Amazon SES ain’t gonna be pleased.
  4. Hit the Bounce Rate! Well, not quite literally, lmao! We don't do that, we are white hat. But all you need to do is make sure that there is no rate limit on that email-sending endpoint, so it is possible to send unlimited emails to an address that is invalid according to the RFC. 🎯
  5. Consequences, Baby: So, what if you catch a system breaking the rules? Sending emails to dodgy addresses could get the whole operation flagged by Amazon SES.
     That means that out of a total of 1000 emails, if 100 of them were fake or invalid and all of those bounced, AWS SES will block the company's service. So a missing rate limit that allows sending to invalid email addresses leads to real consequences, such as AWS SES flagging the account. 🚩
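On the defender's side, the fix for both halves of this finding is to validate the recipient before anything reaches the MTA and to rate limit the sending endpoint per caller. The following is an added example written for this post (not code from the original article or from AWS): `is_valid_recipient` enforces a conservative ASCII subset of the RFC 5322 addr-spec, so an address like the “hacker¤one@gmail.com” above is rejected up front, and `SlidingWindowLimiter` caps sends per caller key (an IP or account id, assumed here) so a single client cannot drive the hard bounce rate.

```python
import re
import time
from collections import defaultdict, deque
from typing import Optional

# Conservative subset of the RFC 5322 addr-spec: a dot-atom local part of ASCII
# atext characters and a domain of letter/digit/hyphen labels plus an alphabetic
# TLD. Deliberately stricter than the full RFC (no quoted local parts, no address
# literals, no non-ASCII) so that garbage never reaches the MTA and hard-bounces.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
ADDR_SPEC = re.compile(
    r"^" + ATEXT + r"(?:\." + ATEXT + r")*@(?:" + LABEL + r"\.)+[A-Za-z]{2,63}$"
)


def is_valid_recipient(address: str) -> bool:
    """Return True only for addresses in the strict ASCII dot-atom form above."""
    if len(address) > 254 or not address.isascii():  # RFC 5321 path limit, ASCII only
        return False
    local, sep, _domain = address.partition("@")
    if not sep or len(local) > 64:  # local part limit from RFC 5321
        return False
    return ADDR_SPEC.match(address) is not None


class SlidingWindowLimiter:
    """Allow at most `limit` sends per key within the trailing `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)  # key -> timestamps of recent sends

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self._hits[key]
        while q and now - q[0] >= self.window:  # drop sends outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def gate_send(limiter: SlidingWindowLimiter, caller_key: str,
              recipient: str, now: Optional[float] = None) -> str:
    """Decide whether the endpoint may hand this recipient to the mail service."""
    if not is_valid_recipient(recipient):
        return "rejected:invalid-address"
    if not limiter.allow(caller_key, now):
        return "rejected:rate-limited"
    return "accepted"
```

The validator is meant as a pre-filter only; a syntactically valid address can still hard-bounce, so the bounce and complaint metrics still need monitoring on the sending side.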

In a nutshell, next time you spot an email system that’s too chill for its own good, don’t just roll your eyes. Take a closer peek. Check if it’s using Amazon SES and if it’s playing by the email rulebook. You might just uncover some sneaky vulnerabilities.

So there you have it, a no-nonsense guide to sniffing out email endpoint vulnerabilities.
H1 report: https://hackerone.com/reports/823915

Twitter: @shubham_srt
