A rate limit that applies equally to all accounts — new and established — provides no incremental protection against spam bots that register and immediately begin flooding. CWE-799 applies: the system fails to differentiate interaction frequency by account trust level. A new account posting at the same rate as an account with months of history is an anomaly signal that platforms use to catch automation. Reddit, Hacker News, and most major forums enforce reduced posting rates for new accounts specifically because this is the attack window that automated spam campaigns exploit most aggressively.
Medium: without new-account rate differentiation, spam bots can reach full platform post velocity immediately after registration, maximizing the window of abuse before detection.
Implement tiered rate limits that apply stricter caps to accounts created within the last 7 days:
app.post('/api/posts', authenticate, async (req, res) => {
  const user = await db.users.findOneById(req.user.id);
  if (!user) {
    // Authenticated token for a user that no longer exists: refuse rather than crash on user.createdAt
    return res.status(401).json({ error: 'Unknown user.' });
  }
  // Account age decides which tier of limits applies
  const accountAgeMs = Date.now() - user.createdAt.getTime();
  const isNewAccount = accountAgeMs < 7 * 24 * 60 * 60 * 1000;
  if (isNewAccount) {
    // Sliding one-hour window: count this user's posts created in the last hour
    const postsInLastHour = await db.posts.count({
      where: {
        userId: user.id,
        createdAt: { gte: new Date(Date.now() - 3_600_000) },
      },
    });
    if (postsInLastHour >= 3) {
      return res.status(429).json({ error: 'New accounts are limited to 3 posts per hour.' });
    }
  }
  // ... create post
});
A flat rate limit that applies equally to all accounts does not satisfy this check — the differentiation between new and established accounts is the required signal.
ID: community-moderation-safety.spam-prevention.account-age-limit
Severity: medium
What to look for: Check if new accounts face posting restrictions (rate limiting, delays, or posting quotas). Look for minimum account age checks before posting, or daily/hourly posting limits for new accounts (e.g., <7 days old).
Pass criteria: New accounts (created within the last 7 days) cannot post at the same rate as established accounts. Either they are rate-limited to no more than 3 posts per hour, face posting delays, or must wait a minimum of 1 day before posting. On pass, count all rate-limit rules that differentiate new vs. established accounts and report the ratio.
Fail criteria: New accounts can post immediately at full speed, same as established accounts. A rate limit that applies equally to all accounts does not count as pass for this check.
Skip (N/A) when: Platform has fewer than 100 active users or very low spam pressure.
Detail on fail: "New accounts can post unlimited content immediately. Spam bots can flood the platform within minutes of registration."
Remediation: Implement posting restrictions for new accounts:
// Check account age before posting
app.post('/api/posts', authenticate, async (req, res) => {
  const user = await db.users.findOne({ _id: req.user.id });
  if (!user) {
    // Token refers to a deleted user: refuse instead of dereferencing a null record
    return res.status(401).json({ error: 'Unknown user.' });
  }
  // New accounts (created in last 7 days) have posting limits
  const sevenDaysAgo = new Date(Date.now() - 7 * 24 * 60 * 60 * 1000);
  if (user.createdAt > sevenDaysAgo) {
    // Limit to 3 posts per hour for new accounts (sliding one-hour window)
    const postsInLastHour = await db.posts.countDocuments({
      userId: user.id,
      createdAt: { $gte: new Date(Date.now() - 60 * 60 * 1000) }
    });
    if (postsInLastHour >= 3) {
      return res.status(429).json({
        error: 'New accounts are limited to 3 posts per hour. Try again later.'
      });
    }
  }
  // ... create post
});