This is how i did test to Drupal.org i also sent a tweet to them for this bug need to be remove email notify active to email when user it url http://your-drupal-domain.com/toboggan/revalidate/[user_id]?destination=toboggan/revalidate/[user_id]
so you must re-code that module to show to user that each 10 ten minutes or just one time. Do not show more than one time. So i will explain steps to someone can able attach your site, it also effect to your mail server
Step 1: Create an an account with any email
Step 2: Edit account with a trust email , why do this, because some of server mail can be filter by spam domain, so need find a good trust domain (use it self domain) so we can turn off spam filter by server.
Step 3: You should see an message “Resend activation message” on a your Drupal site. you should get the link.
Step 4: Open in google chrome and active console mode and Remember in Drupal site Jquery is global that mean you can use window.jQuery and call to ajax , simple call
window.jQuery.get(url, () => {console.log(“done request”)})
so after that The module Toboggan will send to you a message with email activation link. (the email is trust email you selected) so it effect alot
so what happend if you call
for (var i = 0; i ≤= 10000000000; i++) { window.jQuery.get(url, () => {console.log(“done request”)}) }
so i that mean totals request and total emails will send to “trust email you selected” this effect alot to server mail and as you know drupal.org/user/register will be error return 5xx code
so what i recommend above turn off activation message and dont public that link as GET , need capcha that link or token require to request.
Thank you for reading my notes. Don’t do this just use it and make your site more safe.
