Consequences of not validating email addresses

(Felix Freiberger) #1

I’m using Discourse with SSO. The guidelines say:

I’m tempted to :fire: open the gates of hell :fire: and not send require_activation=true although I’m not validating addresses. There are good reasons why I cannot force email address validation in my SSO provider, and I’d really like my users to have a fully set-up Discourse account with a single click.

What terrible consequences will this have?

  • Users can sign up with a developer email address and become admins.
    Solution: All developer addresses are taken already.
  • I make spam sign-ups easier.
    Solution: Registration on the parent site is only open for a limited amount of time and to a limited set of people.
  • If I ever disable SSO, password recovery mails go to the wrong address.
    Solution: I will never disable SSO. Instead, the Discourse instance will be :bomb: when it is no longer needed.
  • Users can sign up with addresses they do not own and spam the owner of the address.
    Workaround: Not a new problem, they can already do that on the parent site. It has never been a problem.
  • Users can sign up with incorrect addresses accidentally and miss important emails.
    Workaround: Missing emails from the parent site is probably the bigger problem for these users :wink:

I know that I’m leaving the safe, established path if I go ahead. Still, does anyone see a significant problem with this?
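As an added example (not code from the thread or from Discourse), the DiscourseConnect round trip the post refers to, with `require_activation` set from the provider's own record of whether the address was verified; the shared secret, return URL and user record are constructed placeholders:

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed placeholder; in practice this is the shared secret configured in Discourse.
SSO_SECRET = b"example-shared-secret"


def sign(payload_b64: bytes) -> str:
    """HMAC-SHA256 hex digest over the base64 payload, the signature form DiscourseConnect uses."""
    return hmac.new(SSO_SECRET, payload_b64, hashlib.sha256).hexdigest()


def decode_payload(sso: str) -> dict:
    """Decode a base64-wrapped query string into flat key/value pairs."""
    return {k: v[0] for k, v in parse_qs(base64.b64decode(sso).decode()).items()}


def make_discourse_request(nonce: str = "") -> tuple:
    """Simulate Discourse's side: the signed nonce it sends to the SSO provider."""
    fields = {"nonce": nonce or secrets.token_hex(16),
              "return_sso_url": "https://forum.example/session/sso_login"}  # constructed URL
    payload_b64 = base64.b64encode(urlencode(fields).encode())
    return payload_b64.decode(), sign(payload_b64)


def verify_incoming(sso: str, sig: str) -> str:
    """Provider side: reject a bad signature before decoding, then return the nonce."""
    if not hmac.compare_digest(sign(sso.encode()), sig):
        raise ValueError("invalid sso signature")
    return decode_payload(sso)["nonce"]


def build_login_payload(nonce: str, user: dict) -> dict:
    """Provider side: the sso/sig pair redirected back to Discourse.

    require_activation is derived from the provider's own verification record,
    so an address the provider never verified does not activate an account directly.
    """
    fields = {"nonce": nonce, "external_id": user["id"],
              "email": user["email"], "username": user["username"]}
    if not user["email_verified"]:
        fields["require_activation"] = "true"
    payload_b64 = base64.b64encode(urlencode(fields).encode())
    return {"sso": payload_b64.decode(), "sig": sign(payload_b64)}
```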

(Jeff Atwood) #2

I would strongly recommend against it, but it sounds like you are hell bent on doing so… :mask:

(Felix Freiberger) #3

Not really – I’m totally willing to stick to validating addresses if there’s a risk I didn’t see before :slight_smile:

(Dean Taylor) #4

An additional consequence:

  • Will cause outgoing mail server’s reputation to fall and possibly become blacklisted.
  • Sending mail to invalid email addresses or to addresses where mail is marked as spam or large amount of mail goes unopened will cause mail server reputation to fall.
  • Mail server IPs or entire IP ranges may be blacklisted for a short or extended period.
  • Mail to valid users may be filtered and flagged as spam or not delivered.
  • Discourse is set up as default to: send digests and reply emails if the user is not on the site.
  • Users may optionally set “mailing list mode” causing lots of emails to be sent to the user’s mailing address.

(Felix Freiberger) #5

That’s also a good point!
I think it should not be a problem in my case, given the limitations on sign-ups.