Blacklist Email Working?


#1

In an effort to stop certain bad actors I’ve started to add blacklisted domain names in the settings:

The two that I added a few days ago link to one of the more well-used “burner” email sites, https://10minutemail.com

But, this morning, I saw the same user was able to register and post via the mvrht.net address that was blacklisted:

Seriously frustrating…!

Possible that it’s not working as intended?


(Joffrey Jaffeux) #2

are you sure mvrht.net doesn’t contain any leading/trailing space? It is something I will improve but at the moment it’s possible you added spaces without seeing it.


#3

double-checked. no lead/trail.

apparently i can add it twice.


(Jeff Atwood) #4

Can you repro this @jomaxro?


(Gerhard Schlager) #6

Did you change your configuration since you posted the bug report, because I can’t sign up at you site with an address from mvrht.net.


Wild guess: Maybe we do not check the blacklist for every oauth provider.
Can you go to Admin -> Users, search for the user, click on it and look at the value of “Logins”? Does it list an oauth provider?


#7

Nope. Went through a bunch of old users.


(Gerhard Schlager) #8

OK. Then I’m out of ideas.


(Jeff Atwood) #9

Old users who predate the setting change won’t be affected. So if new signups can’t use the address, the feature is working as designed…

Changing this to “support” since we can’t repro the problem, and it is working on your own site as shown in the screenshot @gerhard posted.


(Joshua Rosenfeld) #10

I just tested this on try.discourse.org, adding gmail.com to the blacklist and confirmed that I could not create a new account with my personal gmail. Also checked that Google and Facebook OAuth logins fail as well.