Email domain blacklist is not consulted when receiving emails (and creating staged users)

File: email/receiver.rb
Func: process_internal

When an email is received, Email.Receiver only checks the following:

Regexp.new(SiteSetting.ignore_by_title) =~ @mail.subject  # Blacklisted TOPIC TITLE
raise BouncedEmailError  if is_bounce?  # Bounce mail
raise NoSenderDetectedError if @from_email.blank?    # No From field
raise ScreenedEmailError if ScreenedEmail.should_block?(@from_email)   # Screened email address

After this, a new staged user is created via find_or_create_user.

The result is, when an email is received via email in, the originator address is not checked whether it is from a blacklisted domain.

EmailValidator.validate_each should be called on @from_email.

The procedure should be:

  1. Do the checks above
  2. Further check first if the user with that email address already exists (find_user?). If so, let it pass.
  3. If the email address doesn’t exist, call EmailValidator.validate_each to check if it is blacklisted. DO NOT create a staged user if the email domain is blacklisted.
  4. If not blacklisted, then create the user (create_user?)
  5. Continue processing
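The proposed order of checks, as an added example that is not Discourse's own code: a stripped-down model in which an unknown sender's domain is consulted before a staged account is created. The class, method names and the subdomain matching are assumptions made for illustration.

```ruby
# Added example, not Discourse code: models steps 1-5 of the proposal above.
require "set"

class DomainBlockedError < StandardError; end

class InboundEmailGate
  # blocked_domains: lowercased domains rejected for new accounts
  # existing_users: lowercased addresses that already have an account
  def initialize(blocked_domains:, existing_users: [])
    @blocked_domains = Set.new(blocked_domains.map(&:downcase))
    @users = Set.new(existing_users.map(&:downcase))
    @staged_created = []
  end

  attr_reader :staged_created

  # Step 3: the domain check the current flow skips. Assumed behaviour:
  # a blocked entry also covers its subdomains.
  def blocked_domain?(email)
    domain = email.to_s.split("@", 2)[1].to_s.downcase
    return false if domain.empty?
    @blocked_domains.any? { |b| domain == b || domain.end_with?(".#{b}") }
  end

  # Steps 2-4: an existing user passes; an unknown sender is checked
  # against the blacklist before any staged account is created.
  def find_or_create_user(email)
    addr = email.to_s.strip.downcase
    return :existing if @users.include?(addr)
    raise DomainBlockedError, "#{addr} is from a blocked domain" if blocked_domain?(addr)
    @users << addr
    @staged_created << addr
    :created_staged
  end

  # Step 1 (sender present) then steps 2-5; a blocked domain rejects the
  # mail without leaving a staged user behind.
  def receive(from_email)
    return :no_sender if from_email.to_s.strip.empty?
    find_or_create_user(from_email)
  rescue DomainBlockedError
    :rejected
  end
end
```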

What do you think @zogstrip?

Wonder if anyone is working on this… It gets a bit inconvenient to keep having spammers create staged accounts when I know I should be able to blacklist them.

I can confirm @zogstrip is aware of this. We actually ran into this with one of our customers - they were being flooded by “spam” accounts whose domains were already blacklisted.


Looks like @gerhard actually committed the fixes. This should prevent staged user creation when the email domain is blacklisted:
https://github.com/discourse/discourse/commit/7f50380221f4a77bec7dfedc141ef99213de9438

We will also no longer create staged accounts if the email was rejected:
https://github.com/discourse/discourse/commit/76706f91447de810f6aa3b618a2f5fe8c0924b4b


@gerhard you have a typo in the fix (76706f914)! deleted a character from a symbol


For the record, here’s the fix:
https://github.com/discourse/discourse/commit/9ff1c23a38cea1bbee247de3e842a0624e1460cd


This topic was automatically closed after 30 hours. New replies are no longer allowed.