Why can I use the SENDPASS module (nickserv/sendpass) without the mail-authentication module (nickserv/mail-auth)?
Because allowing users to send mail (using SENDPASS) without first confirming that the address is actually valid can allow malicious users to send spam via Services. Consider the following example: • Attacker connects to the IRC network with a random nickname. • Attacker registers the nickname with victim’s E-mail address. • Attacker sends a SENDPASS command for the nick, causing an E-mail message to be sent to the victim. • Attacker drops the nick (to avoid the SENDPASS delay check). • Attacker disconnects from the IRC network (to avoid the REGISTER delay check). This would allow the attacker to flood the victim’s mailbox with potentially dozens of messages a second. Even if an IRC operator noticed the unusual activity quickly and autokilled the attacker, the victim could still be left with hundreds or thousands of junk messages. It is to avoid this potential situation that the SENDPASS module has been designed not to function unless the mail-authentication module is loaded.
