When an email is received, Email.Receiver only checks the following:
Regexp.new(SiteSetting.ignore_by_title) =~ @mail.subject # Blacklisted TOPIC TITLE
raise BouncedEmailError if is_bounce? # Bounce mail
raise NoSenderDetectedError if @from_email.blank? # No From field
raise ScreenedEmailError if ScreenedEmail.should_block?(@from_email) # Screened email address
After this, a new staged user is created via find_or_create_user.
The result is that when an email is received via email in, the originator address is not checked to see whether it is from a blacklisted domain.
EmailValidator.validate_each should be called on @from_email.
The procedure should be:
1. Do the checks above
2. Further check first if the user with that email address already exists (find_user?). If so, let it pass.
3. If the email address doesn’t exist, call EmailValidator.validate_each to check if it is blacklisted. DO NOT create a staged user if the email domain is blacklisted.
4. If not blacklisted, then create the user (create_user?)
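The procedure proposed above, sketched as a stand-alone Ruby model. This is an added example, not Discourse code and not written by the poster; `StagedUserGate`, `BLOCKED_DOMAINS`, `BlockedDomainError` and the sample addresses are hypothetical names and constructed data.

```ruby
# Stand-alone model of the proposed receive flow; NOT Discourse code.
# StagedUserGate, BLOCKED_DOMAINS and BlockedDomainError are hypothetical names.
class NoSenderDetectedError < StandardError; end
class BlockedDomainError < StandardError; end

class StagedUserGate
  # Constructed sample blocklist; a real site would read this from its settings.
  BLOCKED_DOMAINS = %w[spam.example mailer.invalid].freeze

  attr_reader :users

  def initialize(existing_emails = [])
    # Maps lowercased email => :regular or :staged
    @users = existing_emails.to_h { |e| [e.downcase, :regular] }
  end

  # True when the sender's domain is a blocked domain or a subdomain of one.
  def blocked_domain?(email)
    domain = email.downcase.split("@").last.to_s.chomp(".")
    BLOCKED_DOMAINS.any? { |b| domain == b || domain.end_with?(".#{b}") }
  end

  def find_or_create_user(from_email)
    email = from_email.to_s.strip.downcase
    raise NoSenderDetectedError if email.empty?

    # An account with this address already exists: let it pass.
    return @users[email] if @users.key?(email)

    # Unknown sender: validate the domain BEFORE anything is created.
    raise BlockedDomainError, email if blocked_domain?(email)

    # Not blocked: only now create the staged user.
    @users[email] = :staged
  end
end

gate = StagedUserGate.new(["member@spam.example"])
%w[member@spam.example new@example.org bot@mx.spam.example].each do |addr|
  begin
    puts "#{addr}: #{gate.find_or_create_user(addr)}"
  rescue BlockedDomainError
    puts "#{addr}: rejected, no staged user created"
  end
end
```

The subdomain match is a design choice of this sketch: without it, a sender at `mx.spam.example` would slip past an entry for `spam.example`.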
Wonder if anyone is working on this… It gets a bit inconvenient to keep having spammers create staged accounts when I know I should be able to blacklist them.
I can confirm @zogstrip is aware of this. We actually ran into this with one of our customers - they were being flooded by “spam” accounts whose domains were already blacklisted.