
No per-recipient email send rate limit — same address can be spammed #924

Description

@hman38705

Labels: security, reliability, email

Priority: High

src/email/service.rs does not enforce a per-recipient send rate limit. If idempotency is bypassed (e.g., different template, different idempotency key), the same email address can receive unbounded messages within a short window.

Acceptance Criteria

  • Add a per-recipient Redis key rate limit: max N emails per recipient per hour (configurable via EMAIL_PER_RECIPIENT_HOURLY_LIMIT)
  • Enforce this limit before enqueueing any email job
  • Return a structured error when the limit is exceeded so callers can surface a user-friendly message
  • Add a test verifying the Nth+1 email send is rejected
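An added sketch of the limiter the acceptance criteria describe, written for this issue and not taken from the repository. The `HashMap` is a hypothetical in-memory stand-in for the Redis key (INCR plus EXPIRE); `RecipientRateLimiter`, `SendError` and `check_and_record` are assumed names, and the env var fallback and the fixed one-hour window are assumptions.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

/// Structured error the caller can map to a user-facing message.
#[derive(Debug, PartialEq)]
pub enum SendError {
    PerRecipientLimitExceeded { recipient: String, limit: u32, retry_after: Duration },
}

/// Fixed-window per-recipient counter. The map is a hypothetical in-memory
/// stand-in for the Redis key (INCR + EXPIRE); key layout and window logic carry over.
pub struct RecipientRateLimiter {
    limit: u32,
    window: Duration,
    counters: HashMap<String, (u32, Instant)>, // key -> (count, window start)
}

impl RecipientRateLimiter {
    pub fn new(limit: u32, window: Duration) -> Self {
        RecipientRateLimiter { limit, window, counters: HashMap::new() }
    }
    /// Reads EMAIL_PER_RECIPIENT_HOURLY_LIMIT, falling back to `default` if unset or invalid.
    pub fn from_env(default: u32) -> Self {
        let limit = std::env::var("EMAIL_PER_RECIPIENT_HOURLY_LIMIT")
            .ok().and_then(|v| v.parse::<u32>().ok()).unwrap_or(default);
        Self::new(limit, Duration::from_secs(3600))
    }
    /// Normalise the address so case and whitespace variants share one counter
    /// (conservative: the local part is treated as case-insensitive for limiting only).
    fn key(recipient: &str) -> String {
        format!("email:ratelimit:{}", recipient.trim().to_ascii_lowercase())
    }
    /// Call before enqueueing the job. Returns the count used in the current
    /// window, or a structured error once the limit would be exceeded.
    pub fn check_and_record(&mut self, recipient: &str, now: Instant) -> Result<u32, SendError> {
        let entry = self.counters.entry(Self::key(recipient)).or_insert((0, now));
        if now.duration_since(entry.1) >= self.window {
            *entry = (0, now); // window expired: start a fresh one
        }
        if entry.0 >= self.limit {
            return Err(SendError::PerRecipientLimitExceeded {
                recipient: recipient.to_string(),
                limit: self.limit,
                retry_after: self.window - now.duration_since(entry.1),
            });
        }
        entry.0 += 1;
        Ok(entry.0)
    }
}
```

Because the check keys on the normalised recipient rather than on the idempotency key or template, the bypass described in the issue no longer applies; in Redis the same logic is an INCR followed by EXPIRE on first increment.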
