New member email checking

Started by SulevFan, September 27, 2017, 12:36:51 PM

SulevFan

I know that SMF checks email addresses for uniqueness, but just had this spammer slip by my safeguards and register multiple handles under what is essentially the same email id.



Is there some way to prevent this? Can/should the validation in SMF be a bit more comprehensive?

br360

SMF only checks for exact matches. If spammers are getting through, take a look at this link for some solutions- https://wiki.simplemachines.org/smf/Spam_-_my_forum_is_flooded_with_spam,_what_can_I_do

Arantor

Should it? Maybe.

Can it be? Not without seriously compromising performance.

SulevFan

Quote from: br360 on September 27, 2017, 12:39:13 PM
SMF only checks for exact matches. If spammers are getting through, take a look at this link for some solutions- https://wiki.simplemachines.org/smf/Spam_-_my_forum_is_flooded_with_spam,_what_can_I_do

Thanks, I already have Stop Forum Spam mod and it works great. This was the first guy to get through in a while.

Quote from: Arantor on September 27, 2017, 01:06:46 PM
Should it? Maybe.

Can it be? Not without seriously compromising performance.

I'm sure you are in a better position to judge the impact on performance, but in my layman's mind, and leaving aside the issue of backwards compatibility, I'd have thought it was a single operation on the user portion of the email to remove all periods and perhaps strip the portion following a plus sign. I'm sure it's already normalizing for capitalization, right?

Biology Forums

The email id is not the same. I don't see why SMF should discriminate. You can use different browsers on the same computer and SMF won't mind.

Arantor

Quote
The email id is not the same.

Not entirely correct.

[email protected] is identical for Gmail's purposes as [email protected]. Dots in the left hand side are ignored by Google but SMF sees them as separate addresses.

Quote
I'm sure you are in a better position to judge the impact on performance

Let me try to explain. It's totally possible to do in a reasonably efficient rate under some very specific circumstances but not with how SMF works overall.

Problem 1: applying this is not just a case of remove the dots. Databases don't exactly work like that and it's always considered a bug if the user puts in an email address that isn't 'stored by the software properly'. So you have to look at matching every permutation against every permutation.

And if only it were the dots... but it's not just dots.

[email protected] is the same as [email protected] is the same as [email protected] is the same as [email protected]

You have to search all these combinations together. And it's... complicated without being built for that purpose quite specifically.

Problem 2: it's not just on the kind of situation you're referring to. All of these rules have to be re-applied every few minutes for non-admin accounts. As in, every few minutes, the account will be checked against the ban list, which has to explicitly check all these rules. This is *massive* to implement.

Problem 3: @gmail.com is not the only domain this applies to. A large number of Google Apps (or G Suite or whatever it's called this week) allow the same thing for their hosted email, so you have *that* to contend with as well.
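
Added example, not part of the thread and not SMF code: one way to check for equivalent addresses without comparing permutations is to keep the address exactly as entered and derive a separate canonical key that is used only for the uniqueness lookup. The function name, the domain list and the sample addresses are hypothetical; the rules applied are the dot, plus-suffix and capitalization handling discussed above, and hosted domains (Problem 3) only match if an admin lists them.

```php
<?php
// Domains assumed to follow Gmail's addressing rules. Hosted (G Suite) domains
// cannot be detected from the address itself, so they would have to be added here.
const GMAIL_STYLE_DOMAINS = ['gmail.com', 'googlemail.com'];

// Returns a key for duplicate detection, or null if the input is unusable.
// The address as entered is still what gets stored and mailed.
function canonical_email_key(string $email): ?string
{
    $email = trim($email);
    $at = strrpos($email, '@');
    if ($at === false || $at === 0 || $at === strlen($email) - 1) {
        return null;
    }
    // Assumption: the key treats the whole address as case-insensitive.
    $local  = strtolower(substr($email, 0, $at));
    $domain = strtolower(substr($email, $at + 1));

    if (in_array($domain, GMAIL_STYLE_DOMAINS, true)) {
        $plus = strpos($local, '+');
        if ($plus !== false) {
            $local = substr($local, 0, $plus);   // drop the "+tag" suffix
        }
        $local = str_replace('.', '', $local);   // dots are ignored
        if ($local === '') {
            return null;
        }
        $domain = 'gmail.com';                   // googlemail.com is an alias
    }
    return $local . '@' . $domain;
}

// Constructed sample registrations, in arrival order.
$registrations = [
    'john.smith@gmail.com',
    'johnsmith@gmail.com',
    'J.o.h.n.Smith+forum@googlemail.com',
    'john.smith@example.org',
    'johnsmith@example.org',
];
$seen = []; // canonical key => first address registered under it
foreach ($registrations as $addr) {
    $key = canonical_email_key($addr);
    if ($key === null) {
        echo "rejected:  $addr\n";
    } elseif (isset($seen[$key])) {
        echo "duplicate: $addr (same mailbox as {$seen[$key]})\n";
    } else {
        $seen[$key] = $addr;
        echo "accepted:  $addr\n";
    }
}
```

In a real schema the key would live in its own indexed column, so the registration check and a ban-list check each become a single exact-match lookup on that column.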

SulevFan

Quote from: Arantor on September 27, 2017, 03:45:22 PM

Let me try to explain.

Thanks for the explanation. I appreciate the time you took to do that and your courtesy in doing so.
