View Issue Details

This bug affects 1 person(s).
ID: 19918
Project: Feature requests
Category: Security
View Status: public
Last Update: 2025-01-08 16:39
Reporter: Deflator0677
Assigned To: tibor.pacalat
Priority: none
Severity: feature
Status: assigned
Resolution: open
Summary: 19918: Disable the possibility to abuse Limesurvey as email bomber
Description

In Limesurvey, it is possible to switch a survey to closed mode and to allow the survey administrator to import a CSV file with email and name.
Problem: this feature could be abused by a malicious user putting thousands of email addresses in the file.

To be more precise, we do not trust our users, so we would like to prevent them from sending email with Limesurvey; they have to use a mailing list with a survey link inside.
Currently, it looks to be possible to enable email for all usages and to disable it for all usages too. That means no lost-password feature, for example.

Is it possible to have a global setting to disable the possibility for users to send email?

Thank you

Steps To Reproduce
  • Create a survey
  • Go to participants
  • Import a CSV file with thousands of emails
  • popcorn
Tags: No tags attached.
Bug heat: 256
Story point estimate
Users affected %

Users monitoring this issue

DenisChenu

Activities

tibor.pacalat

2025-01-08 15:44

administrator   ~81768

We currently don't have this feature. @Deflator0677 would you like to sponsor this feature?

Deflator0677

2025-01-08 15:59

reporter   ~81780

You didn't pay me for the time I spent writing several issues. If you want, you could pay me and I will use this money for this feature.

Nevertheless, I think it is a security feature; all Limesurvey instances could be abused.

tibor.pacalat

2025-01-08 16:18

administrator   ~81783

We are going from the premise that admins are hand-picked and trustworthy. That is why we don't see this as a security issue. Every superadmin is responsible for their own application and how it is being used.
That being said, we are an open source company, meaning that we provide most of our work for free to the general public, you included. If anyone has an idea for a feature, we can work on it, but since we have limited manpower, we rely on sponsoring of such new features. We appreciate you as a member of our open source community and your contributions in the form of tickets you created!

Deflator0677

2025-01-08 16:39

reporter   ~81785

I would be surprised if that is how Limesurvey is used in big companies. The organisations I know open Limesurvey to their company users, even if they are trained; that means hundreds of them, and users are not trustworthy. And even if they are trustworthy, they could in good faith send a survey to thousands of emails.

Is this feature available in your public demo? Because if it is, that means even you didn't respect your premise...

Are you waiting for an abuse to occur on your platform before doing something about this feature? I don't know whether allowing to disable it totally is the best way; it could be something like setting a limit on recipients or something else.
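
The two mitigations raised in this thread (a per-role switch that blocks survey mail while keeping lost-password mail, and a recipient limit) can be sketched as a check run on the imported CSV before anything is queued. This is an added example, not LimeSurvey code and not part of the thread; the policy keys, role names, function names and the cap of 500 are assumptions, and the sample CSV is constructed.

```python
import csv
import io
from collections import namedtuple

# Hypothetical policy: none of these names are LimeSurvey settings.
POLICY = {
    "max_recipients": 500,  # assumed cap on unique addresses per mailing
    "allowed_purposes": {   # mail each role may trigger
        "superadmin": {"password_reset", "survey_invitation"},
        "survey_admin": {"password_reset"},  # system mail only
    },
}

Decision = namedtuple("Decision", "recipients can_mail reason")

# Constructed sample input (columns: email, name).
SAMPLE_CSV = (
    "email,name\n"
    "A@example.org,Ann\n"
    "a@example.org,Ann again\n"
    "b@example.org,Bob\n"
    "not-an-address,Nobody\n"
)


def may_send(role, purpose, policy=POLICY):
    """True if the role may trigger mail of this purpose; unknown roles get nothing."""
    return purpose in policy["allowed_purposes"].get(role, set())


def check_import(csv_text, role, policy=POLICY):
    """Decide whether an imported participant list may be mailed by this role."""
    unique = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        email = (row.get("email") or "").strip().lower()
        local, at, domain = email.partition("@")
        # Shape check only; duplicates collapse so one victim is counted once.
        if at and local and domain and "@" not in domain:
            unique.add(email)
    recipients = sorted(unique)
    if not may_send(role, "survey_invitation", policy):
        return Decision(recipients, False, "role may not send survey mail")
    if len(recipients) > policy["max_recipients"]:
        return Decision(recipients, False, "recipient cap exceeded")
    return Decision(recipients, True, "ok")


if __name__ == "__main__":
    print(check_import(SAMPLE_CSV, "superadmin"))
```

The import itself still succeeds in every case; only the decision to hand the list to the mailer changes, so survey links can be distributed through a mailing list instead.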

Issue History

Date Modified Username Field Change
2025-01-07 12:23 Deflator0677 New Issue
2025-01-07 12:24 DenisChenu Issue Monitored: DenisChenu
2025-01-07 12:24 DenisChenu Bug heat 250 => 252
2025-01-08 15:41 c_schmitz Project Bug reports => Feature requests
2025-01-08 15:44 tibor.pacalat Note Added: 81768
2025-01-08 15:44 tibor.pacalat Bug heat 252 => 254
2025-01-08 15:44 tibor.pacalat Assigned To => tibor.pacalat
2025-01-08 15:44 tibor.pacalat Status new => feedback
2025-01-08 15:59 Deflator0677 Note Added: 81780
2025-01-08 15:59 Deflator0677 Bug heat 254 => 256
2025-01-08 15:59 Deflator0677 Status feedback => assigned
2025-01-08 16:18 tibor.pacalat Note Added: 81783
2025-01-08 16:39 Deflator0677 Note Added: 81785