
Why is send email unprotected against misuse?

Started by PhilGer, January 19, 2019, 06:30:46 AM


PhilGer

Hi!

We're using SMF 2.0.15 and recently had an incident where some registered user (or a bot under his control) misused the "send email" feature of SMF to send mass emails to registered users of our forum who had the option "Allow users to email me" enabled.

Now, I wonder why, in contrast to send PMs within the forum, the feature to send email is not protected by anti-bot/-spam technology (e.g. Captchas) for new users.

Why is there no permission rule to limit access to this feature? Why isn't there a global option to disable this feature?

This seems to be rather inconsistent with other features of SMF. - Am I missing something?

Is this issue fixed or mitigated in the future 2.1 releases?

I did some research on this matter, but all workarounds I came across, like the "Disable EMail-sending for users"-Mod or the hack to update the "smf_members" table and set hide_email to 1, appear to be rather incomplete and crude.

As a fix for our installation, I modified Sources/Security.php and added the line
$userProfile_hideEmail = true;
at the beginning of the showEmailAddress function.

IMO, this is better than the above-mentioned workarounds, as it completely suppresses the problem with just a single line of code. Nevertheless, a solution built-into SMF would obviously be much better. Unfortunately, my knowledge of SMF is too limited to provide a generally suitable fix to the issue.

What are your thoughts on this matter?

Best regards,
Philipp

Arantor

The web was a different place 15 years ago when the feature was first added, and still different 12 years ago when 2.0 was feature locked, where it wasn't perceived to be a problem.

I believe 2.1 removes this whole function though, its use long since no longer beneficial.

PhilGer

Quote from: Arantor
The web was a different place 15 years ago [...]
Well, I guess, we both must have used different Internets 15 and 12 years ago. ;-)

Fair enough, "nobody spotted the problem" is still a valid answer to my questions. - So, I deduce, I was not missing the obvious approach to deal with this issue.

Is there a release roadmap anywhere for the transition of 2.1 from beta to mainstream?


Kindred


vbgamer45


Aleksi "Lex" Kilpinen

Quote from: PhilGer on January 19, 2019, 10:49:40 AM
Fair enough, "nobody spotted the problem" is still a valid answer to my questions. - So, I deduce, I was not missing the obvious approach to deal with this issue.
Well, the obvious solution IMO is to just remove the option.

The email options are permissions that you can basically take away from guests and newbies,
or everyone if you want (depending on the specific function).

For members email addresses:
In "Security and moderation", check "Do not reveal contact details of members to guests" and
uncheck "Allow viewable email addresses".

For sending topics:
The send topics permission is called "Send topics to friends"

Completely stop the emails between users:
https://www.simplemachines.org/community/index.php?topic=478265.msg3346281#msg3346281

PhilGer

Quote from: Aleksi "Lex" Kilpinen on January 20, 2019, 02:06:13 AM
The email options are permissions that you can basically take away from guests and newbies,
or everyone if you want (depending on the specific function).
Our forum was exactly configured as you advised. This does prevent emails from being viewed and used by guests, but not by registered members, not even newbies. - That is the reason why I posted these questions here.

Quote from: Aleksi "Lex" Kilpinen on January 20, 2019, 02:06:13 AM
Completely stop the emails between users:
I was unable to find anything of relevance to email permission in the linked thread, except linked info to removing the "Allow users to email me" option from forms. This is similar to what the "Disable EMail-sending for users"-Mod does. My alternative solution, posted previously, is equally crude, but simpler and more efficient.

Aleksi "Lex" Kilpinen

The exact message I linked to advises how to remove the option from sight, and how to disable it from being used even with a manual address.
There is sadly no actual permission for that, so it requires edits.

PhilGer

Quote from: Aleksi "Lex" Kilpinen on January 20, 2019, 04:53:55 AM
The exact message I linked to advises how to remove the option from sight, and how to disable it from being used even with a manual address.
But that message is only about the Send Topic feature. IMO that is of very little value to Spammers. So, it does not concern me much and was not the topic of my questions.

PhilGer

Quote from: vbgamer45 on January 19, 2019, 01:10:27 PM
The closest you get is following the github milestones https://github.com/SimpleMachines/SMF2.1/milestones
Thank you! This is probably even better than a static roadmap document.

Aleksi "Lex" Kilpinen

Quote from: PhilGer on January 20, 2019, 05:34:43 AM
Quote from: Aleksi "Lex" Kilpinen on January 20, 2019, 04:53:55 AM
The exact message I linked to advises how to remove the option from sight, and how to disable it from being used even with a manual address.
But that message is only about the Send Topic feature. IMO that is of very little value to Spammers. So, it does not concern me much and was not the topic of my questions.
No, actually it is not.

Quote from: Arantor on June 03, 2012, 10:44:23 PM
As far as users emailing each other, that's a code edit.

First to Sources/SendTopic.php
Code (find):
// Allow a user to send an email.
function CustomEmail()
{

Code (replace):
// Allow a user to send an email.
function CustomEmail()
{
	fatal_lang_error('no_access', false);

That takes care of actually sending emails. Now we need to remove it from the display template too - your theme's Display.template.php:
// Don't show the email address if they want it hidden.
if (in_array($message['member']['show_email'], array('yes', 'yes_permission_override', 'no_through_forum')))
	echo '
		<li><a href="', $scripturl, '?action=emailuser;sa=email;msg=', $message['id'], '" rel="nofollow">', ($settings['use_image_buttons'] ? '<img src="' . $settings['images_url'] . '/email_sm.gif" alt="' . $txt['email'] . '" title="' . $txt['email'] . '" />' : $txt['email']), '</a></li>';

You should also remove the Send topics to friends permissions too, by the way, to remove the Send This Topic button which can do something similar.
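As an added example (not code from this thread or from SMF itself), a defender-side check for the abuse PhilGer describes: scan the web server's access log for clients that submit the `action=emailuser;sa=email` form (the URL visible in the template snippet above) in bursts. The log lines are constructed for illustration, and the assumption that each send is a POST to that action is mine, not something the thread states.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined-log style (not a real forum's log):
# one client posts the "email user" form six times in under two minutes, another
# sends two emails forty minutes apart, and one line is garbage that must be skipped.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Jan/2019:06:01:02 +0000] "GET /index.php?action=emailuser;sa=email;msg=101 HTTP/1.1" 200 5120
203.0.113.7 - - [19/Jan/2019:06:01:05 +0000] "POST /index.php?action=emailuser;sa=email;msg=101 HTTP/1.1" 302 0
203.0.113.7 - - [19/Jan/2019:06:01:09 +0000] "POST /index.php?action=emailuser;sa=email;msg=102 HTTP/1.1" 302 0
203.0.113.7 - - [19/Jan/2019:06:01:14 +0000] "POST /index.php?action=emailuser;sa=email;msg=103 HTTP/1.1" 302 0
203.0.113.7 - - [19/Jan/2019:06:01:20 +0000] "POST /index.php?action=emailuser;sa=email;msg=104 HTTP/1.1" 302 0
203.0.113.7 - - [19/Jan/2019:06:01:27 +0000] "POST /index.php?action=emailuser;sa=email;msg=105 HTTP/1.1" 302 0
203.0.113.7 - - [19/Jan/2019:06:02:31 +0000] "POST /index.php?action=emailuser;sa=email;msg=106 HTTP/1.1" 302 0
198.51.100.4 - - [19/Jan/2019:06:03:00 +0000] "POST /index.php?action=emailuser;sa=email;msg=200 HTTP/1.1" 302 0
198.51.100.4 - - [19/Jan/2019:06:43:00 +0000] "POST /index.php?action=emailuser;sa=email;msg=201 HTTP/1.1" 302 0
this line is not a log record and is skipped
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
EMAIL_ACTION = "action=emailuser;sa=email"   # the URL action from the Display template above

def parse_line(line):
    """Return (ip, timestamp, method, path) for a combined-log line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path")

def find_mass_emailers(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {client_ip: peak_sends} for clients with >= threshold sends in any sliding window."""
    sends = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and EMAIL_ACTION in rec[3]:   # viewing the form is not a send
            sends[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in sends.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward past old sends
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```

On the constructed sample, `find_mass_emailers(SAMPLE_LOG)` flags only 203.0.113.7 with a peak of 6 sends; the two legitimate-looking sends from 198.51.100.4 stay below the threshold.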

PhilGer

Quote from: Aleksi "Lex" Kilpinen on January 20, 2019, 05:38:41 AM
No, actually it is not.
Oh, sorry, you are right. I was misled by this function being in the SendTopics.php file. This would definitely be an alternative approach.

However, I still like my solution better, because I do not need to edit the Display.template.php for all themes, to prevent someone from running into the error.


Arantor

If it's a bot hitting the page, my solution saves on server load compared to yours ;)

PhilGer

Quote from: Arantor on January 20, 2019, 06:44:48 AM
If it's a bot hitting the page, my solution saves on server load compared to yours ;)
Thanks for the info.
As this was an isolated case for now, I will stay with my solution to keep the manual edits to a minimum when upgrading or installing new themes.

live627

Now that the topic has been opened, I'm pondering what's the use of "send email" directly when you have a PM system?
