Ways to avoid email floods when running Web vulnerability scans

If you’ve ever run a Web vulnerability scan you’ve likely experienced this situation. You fire up your scanner, tweak your settings, and click Start. The next thing you know people in customer service, marketing, IT, etc. are wondering why they’re getting hit with hundreds – often thousands – of emails from the site. You immediately realize it’s your Web vulnerability scanner doing the misdeed. So you stop the scan and discuss some options with everyone. Odds are you couldn’t come up with a good solution for the short term. After all, your auditor or compliance manager is breathing down your neck for the scan results in the name of PCI compliance or whatever. Everyone decides to continue with the scan and they’ll just live with the consequences of the email floods.

Sound familiar? That’s the typical scenario I’ve seen. Before you go down this path – again – you have some options for preventing email floods to begin with. Depending on the environment, timing, etc., I’ve found the following to work well:
• Set up a rule in your email server to block, reject, or black-hole email messages coming from your scanner or specific forms
• Code the application with a dummy email account that just sends emails to the bit bucket
• Depending on application logic, (continue reading...)
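The first option above, a mail server rule that black-holes scanner-generated mail, looks like this in Postfix; this is an added example, not configuration from the original post. It assumes the application relays through Postfix over SMTP from a scanner host 192.0.2.10 (placeholder) and that the flooded form mail carries a recognizable subject; both values are assumed.

```conf
# /etc/postfix/main.cf (added lines)
# Rule 1: drop mail whose SMTP client is the scanner host itself.
# Only effective when the app relays via SMTP from that host;
# an app calling local sendmail shows up as localhost instead.
smtpd_client_restrictions =
    check_client_access cidr:/etc/postfix/scanner_clients.cidr,
    permit

# Rule 2: drop mail from specific forms by header, regardless of source.
header_checks = regexp:/etc/postfix/scanner_header_checks

# /etc/postfix/scanner_clients.cidr
# DISCARD accepts the message so the app sees no error, logs it, and
# deletes it. REJECT would return an SMTP error and may surface as
# application failures during the scan. 192.0.2.10 is a placeholder.
192.0.2.10/32   DISCARD scanner-generated mail during vulnerability scan

# /etc/postfix/scanner_header_checks
# Subject pattern is assumed; match it to the form being exercised.
/^Subject:.*Contact form submission/   DISCARD scanner form flood

# After editing: postfix reload (cidr and regexp maps need no postmap).
```

Remove the rules when the scan completes, and check mail.log for the DISCARD lines to confirm the right messages, and only those, were dropped.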

Copyright © 2012 The Security Blog. All rights reserved.