
Author Topic: Why is send email unprotected against misuse?  (Read 772 times)

Offline PhilGer

  • Semi-Newbie
  • *
  • Posts: 19
Why is send email unprotected against misuse?
« on: January 19, 2019, 06:30:46 AM »
Hi!

We’re using SMF 2.0.15 and recently had an incident where some registered user (or a bot under his control) misused the “send email” feature of SMF to send mass emails to registered users of our forum who had the option “Allow users to email me” enabled.

Now, I wonder why, in contrast to send PMs within the forum, the feature to send email is not protected by anti-bot/-spam technology (e.g. Captchas) for new users.

Why is there is no permission-rule to limit access to this feature? Why isn’t there a global option to disable this feature?

This seems to be rather inconsistent with other features of SMF. - Am I missing something?

Is this issue fixed or mitigated in the future 2.1 releases?

I did some research on this matter, but all workarounds I came across, like the “Disable EMail-sending for users”-Mod or the hack to update the “smf_members” table and set hide_email to 1, appear to be rather incomplete and crude.

As a fix for our installation, I modified Sources/Security.php and added the line
Code: [Select]
$userProfile_hideEmail = true;
at the beginning of the showEmailAddress function.

IMO, this is better than the above-mentioned workarounds, as it completely suppresses the problem with just a single line of code. Nevertheless, a solution built-into SMF would obviously be much better. Unfortunately, my knowledge of SMF is too limited to provide a generally suitable fix to the issue.

What are your thoughts on this matter?

Best regards,
Philipp
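The incident described above leaves a trace that is easy to watch for: a burst of requests to the member-email action from one client in a short time. The following detection script is an added example, not code from this thread or from SMF. The only identifier taken from the thread is the link target `index.php?action=emailuser;sa=email;msg=<id>` that the email button points at; the combined-log-format layout, the sample lines (constructed with documentation IP ranges), the window and threshold values, and keying on client IP rather than member id are all assumptions for illustration.

```python
"""Flag bursts of SMF 'send email to member' requests in a web server access log.

Added example, not part of the thread or of SMF. The request path
index.php?action=emailuser;sa=email;msg=<id> is the one the thread's
Display.template.php snippet links to; the log format, thresholds and sample
lines below are assumptions for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format (assumed): client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The member-email action; msg= identifies the post whose author is emailed.
EMAILUSER_RE = re.compile(r'action=emailuser;sa=email;msg=(?P<msg>\d+)')

# Constructed sample log: one member who emails a single author once
# (203.0.113.7) and one client that hits seven different authors in 24 seconds.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Jan/2019:06:01:02 +0000] "GET /index.php?topic=123.0 HTTP/1.1" 200 5120
203.0.113.7 - - [19/Jan/2019:06:01:40 +0000] "GET /index.php?action=emailuser;sa=email;msg=1001 HTTP/1.1" 200 3000
203.0.113.7 - - [19/Jan/2019:06:02:15 +0000] "POST /index.php?action=emailuser;sa=email;msg=1001 HTTP/1.1" 302 0
198.51.100.23 - - [19/Jan/2019:06:10:00 +0000] "POST /index.php?action=emailuser;sa=email;msg=2001 HTTP/1.1" 302 0
198.51.100.23 - - [19/Jan/2019:06:10:04 +0000] "POST /index.php?action=emailuser;sa=email;msg=2002 HTTP/1.1" 302 0
198.51.100.23 - - [19/Jan/2019:06:10:08 +0000] "POST /index.php?action=emailuser;sa=email;msg=2003 HTTP/1.1" 302 0
198.51.100.23 - - [19/Jan/2019:06:10:12 +0000] "POST /index.php?action=emailuser;sa=email;msg=2004 HTTP/1.1" 302 0
198.51.100.23 - - [19/Jan/2019:06:10:16 +0000] "POST /index.php?action=emailuser;sa=email;msg=2005 HTTP/1.1" 302 0
198.51.100.23 - - [19/Jan/2019:06:10:20 +0000] "POST /index.php?action=emailuser;sa=email;msg=2006 HTTP/1.1" 302 0
198.51.100.23 - - [19/Jan/2019:06:10:24 +0000] "POST /index.php?action=emailuser;sa=email;msg=2007 HTTP/1.1" 302 0
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return {'ip': m.group('ip'), 'ts': ts, 'method': m.group('method'),
            'path': m.group('path'), 'status': int(m.group('status'))}


def find_email_bursts(lines, window_seconds=300, max_hits=5):
    """Return {ip: (peak_hits, peak_distinct_targets)} for every client whose
    requests to the emailuser action exceed max_hits inside any sliding window
    of window_seconds. Both GET (form view) and POST (submit) count, since a
    legitimate member touches this form only occasionally either way."""
    recent = defaultdict(deque)  # ip -> deque of (timestamp, msg id), oldest first
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        em = EMAILUSER_RE.search(rec['path'])
        if not em:
            continue
        q = recent[rec['ip']]
        q.append((rec['ts'], em.group('msg')))
        # Drop entries that have fallen out of the window.
        while q and (rec['ts'] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_hits:
            targets = {msg for _, msg in q}
            prev_hits, prev_targets = flagged.get(rec['ip'], (0, 0))
            flagged[rec['ip']] = (max(prev_hits, len(q)), max(prev_targets, len(targets)))
    return flagged


if __name__ == '__main__':
    for ip, (hits, targets) in find_email_bursts(SAMPLE_LOG.splitlines()).items():
        print(f'{ip}: {hits} emailuser requests, {targets} distinct authors targeted')
```

Keying on the client IP is the simplest choice for a plain access log; if the log also records the SMF session or member cookie, keying on the member id catches the same abuser across changing addresses. The distinct-target count is the more telling signal: one member emailing one author several times is a conversation, while one client emailing many different authors in a few minutes is the mass-mailing pattern this thread is about.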

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 70,173
    • StoryBB/StoryBB on GitHub
Re: Why is send email unprotected against misuse?
« Reply #1 on: January 19, 2019, 07:02:54 AM »
The web was a different place 15 years ago when the feature was first added, and still different 12 years ago when 2.0 was feature locked, where it wasn’t perceived to be a problem.

I believe 2.1 removes this whole function though, its use long since no longer beneficial.
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.

Offline PhilGer

  • Semi-Newbie
  • *
  • Posts: 19
Re: Why is send email unprotected against misuse?
« Reply #2 on: January 19, 2019, 10:49:40 AM »
Quote
The web was a different place 15 years ago [...]
Well, I guess, we both must have used different Internets 15 and 12 years ago. ;-)

Fair enough, "nobody spotted the problem" is still a valid answer to my questions. - So, I deduce, I was not missing the obvious approach to deal with this issue.

Is there a release roadmap anywhere for the transition of 2.1 from beta to mainstream?


Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 57,639
  • Gender: Male
    • Kindred-999 on GitHub
Re: Why is send email unprotected against misuse?
« Reply #3 on: January 19, 2019, 11:51:08 AM »
no....   as always --- when it is ready.
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

Online vbgamer45

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 20,896
    • smfhacks on Facebook
    • VBGAMER45 on GitHub
    • @createaforum on Twitter
    • SMF For Free
Re: Why is send email unprotected against misuse?
« Reply #4 on: January 19, 2019, 01:10:27 PM »
The closest you get is following the GitHub milestones https://github.com/SimpleMachines/SMF2.1/milestones
Community Suite for SMF - Take your forum to the next level built for SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

Offline Aleksi "Lex" Kilpinen

  • A Peculiar Finn
  • Lead Support Specialist
  • SMF Super Hero
  • *
  • Posts: 17,926
  • Gender: Male
  • Don't worry, I'm n00b friendly
    • Aleksi.Kilpinen on Facebook
    • LexArma on GitHub
    • aleksi-kilpinen on LinkedIn
    • There's No Place Like 127.0.0.1
Re: Why is send email unprotected against misuse?
« Reply #5 on: January 20, 2019, 02:06:13 AM »
Fair enough, "nobody spotted the problem" is still a valid answer to my questions. - So, I deduce, I was not missing the obvious approach to deal with this issue.
Well, the obvious solution IMO is to just remove the option.

The email options are permissions that you can basically take away from guests and newbies,
or everyone if you want (depending on the specific function).

For members email addresses:
In "Security and moderation", check "Do not reveal contact details of members to guests" and
uncheck "Allow viewable email addresses".

For sending topics:
The send topics permission is called "Send topics to friends"

Completely stop the emails between users:
https://www.simplemachines.org/community/index.php?topic=478265.msg3346281#msg3346281
A Finnish Support Specialist
 Happily running multiple SMF 2.0 installations.

How you can help SMF

"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum.
 Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

Offline PhilGer

  • Semi-Newbie
  • *
  • Posts: 19
Re: Why is send email unprotected against misuse?
« Reply #6 on: January 20, 2019, 04:32:32 AM »
The email options are permissions that you can basically take away from guests and newbies,
or everyone if you want (depending on the specific function).
Our forum was exactly configured as you advised. This does prevent emails from being viewed and used by guests, but not by registered members, not even newbies. - That is the reason why I posted these questions here.

Completely stop the emails between users:
I was unable to find anything of relevance to email permission in the linked thread, except linked info to removing the “Allow users to email me” option from forms. This is similar to what the “Disable EMail-sending for users”-Mod does. My alternative solution, posted previously, is equally crude, but simpler and more efficient.

Offline Aleksi "Lex" Kilpinen

  • A Peculiar Finn
  • Lead Support Specialist
  • SMF Super Hero
  • *
  • Posts: 17,926
  • Gender: Male
  • Don't worry, I'm n00b friendly
    • Aleksi.Kilpinen on Facebook
    • LexArma on GitHub
    • aleksi-kilpinen on LinkedIn
    • There's No Place Like 127.0.0.1
Re: Why is send email unprotected against misuse?
« Reply #7 on: January 20, 2019, 04:53:55 AM »
The exact message I linked to advises how to remove the option from sight, and how to disable it from being used even with a manual address.
There is sadly no actual permission for that, so it requires edits.

Offline PhilGer

  • Semi-Newbie
  • *
  • Posts: 19
Re: Why is send email unprotected against misuse?
« Reply #8 on: January 20, 2019, 05:34:43 AM »
The exact message I linked to advises how to remove the option from sight, and how to disable it from being used even with a manual address.
But that message is only about the Send Topic feature. IMO that is of very little value to Spammers. So, it does not concern me much and was not the topic of my questions.

Offline PhilGer

  • Semi-Newbie
  • *
  • Posts: 19
Re: Why is send email unprotected against misuse?
« Reply #9 on: January 20, 2019, 05:35:52 AM »
The closest you get is following the GitHub milestones https://github.com/SimpleMachines/SMF2.1/milestones
Thank you! This is probably even better than a static roadmap document.

Offline Aleksi "Lex" Kilpinen

  • A Peculiar Finn
  • Lead Support Specialist
  • SMF Super Hero
  • *
  • Posts: 17,926
  • Gender: Male
  • Don't worry, I'm n00b friendly
    • Aleksi.Kilpinen on Facebook
    • LexArma on GitHub
    • aleksi-kilpinen on LinkedIn
    • There's No Place Like 127.0.0.1
Re: Why is send email unprotected against misuse?
« Reply #10 on: January 20, 2019, 05:38:41 AM »
The exact message I linked to advises how to remove the option from sight, and how to disable it from being used even with a manual address.
But that message is only about the Send Topic feature. IMO that is of very little value to Spammers. So, it does not concern me much and was not the topic of my questions.
No, actually it is not.

As far as users emailing each other, that's a code edit.

First to Sources/SendTopic.php
Code: (find) [Select]
// Allow a user to send an email.
function CustomEmail()
{

Code: (replace) [Select]
// Allow a user to send an email.
function CustomEmail()
{
fatal_lang_error('no_access', false);

That takes care of actually sending emails. Now we need to remove it from the display template too - your theme's Display.template.php:
Code: [Select]
// Don't show the email address if they want it hidden.
if (in_array($message['member']['show_email'], array('yes', 'yes_permission_override', 'no_through_forum')))
echo '
<li><a href="', $scripturl, '?action=emailuser;sa=email;msg=', $message['id'], '" rel="nofollow">', ($settings['use_image_buttons'] ? '<img src="' . $settings['images_url'] . '/email_sm.gif" alt="' . $txt['email'] . '" title="' . $txt['email'] . '" />' : $txt['email']), '</a></li>';

You should also remove the Send topics to friends permissions too, by the way, to remove the Send This Topic button which can do something similar.

Offline PhilGer

  • Semi-Newbie
  • *
  • Posts: 19
Re: Why is send email unprotected against misuse?
« Reply #11 on: January 20, 2019, 06:12:57 AM »
No, actually it is not.
Oh, sorry, you are right. I was misled by this function being in the SendTopics.php file. This would definitely be an alternative approach.

However, I still like my solution better, because I do not need to edit the Display.template.php for all themes, to prevent someone from running into the error.


Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 70,173
    • StoryBB/StoryBB on GitHub
Re: Why is send email unprotected against misuse?
« Reply #12 on: January 20, 2019, 06:44:48 AM »
If it’s a bot hitting the page, my solution saves on server load compared to yours ;)

Offline PhilGer

  • Semi-Newbie
  • *
  • Posts: 19
Re: Why is send email unprotected against misuse?
« Reply #13 on: January 22, 2019, 05:21:31 AM »
If it’s a bot hitting the page, my solution saves on server load compared to yours ;)
Thanks for the info.
As this was an isolated case for now, I will stay with my solution to keep the manual edits to a minimum when upgrading or installing new themes.

Offline live627

  • Developer
  • SMF Hero
  • *
  • Posts: 5,525
  • Gender: Male
    • live627 on Facebook
    • live627 on GitHub
    • live627 on LinkedIn
    • @live627 on Twitter
    • livemods
Re: Why is send email unprotected against misuse?
« Reply #14 on: January 22, 2019, 06:55:42 PM »
You can still skip the template edit.
Try not to become a man of success, but rather try to become a man of value.
- Albert Einstein

Offline Study Force

  • SMF Hero
  • ******
  • Posts: 3,411
    • StudyForcePS on Facebook
    • @studyforceps on Twitter
    • Study Force
Re: Why is send email unprotected against misuse?
« Reply #15 on: January 22, 2019, 07:52:22 PM »
Now that the topic has been opened, I'm pondering what's the use of "send email" directly when you have a PM system?