Email domain blacklist is not consulted when receiving emails (and creating staged users)


(Stephen Chung) #1

File: email/receiver.rb
Func: process_internal

When an email is received, Email::Receiver only checks the following:

    Regexp.new(SiteSetting.ignore_by_title) =~ @mail.subject  # Blacklisted TOPIC TITLE
    raise BouncedEmailError if is_bounce?  # Bounce mail
    raise NoSenderDetectedError if @from_email.blank?  # No From field
    raise ScreenedEmailError if ScreenedEmail.should_block?(@from_email)  # Screened email address

After this, a new staged user is created via find_or_create_user.

The result is that when an email is received via email-in, the originator address is not checked to see whether it comes from a blacklisted domain.

EmailValidator.validate_each should be called on @from_email.

The procedure should be:

  1. Do the checks above
  2. Further check first if the user with that email address already exists (find_user?). If so, let it pass.
  3. If the email address doesn’t exist, call EmailValidator.validate_each to check if it is blacklisted. DO NOT create a staged user if the email domain is blacklisted.
  4. If not blacklisted, then create the user (create_user?)
  5. Continue processing
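A runnable sketch of the five-step procedure above (an added example, not Discourse's own code and not code from the original post). SiteSetting, UserStore and the error classes are stand-ins for the real Discourse objects; the pipe-separated `email_domains_blacklist` value, the `domain_blacklisted?` helper and the subdomain-matching rule (`mx.mailinator.com` matches `mailinator.com`) are assumptions for illustration:

```ruby
# Constructed example: existing senders pass through, unknown senders are
# checked against the domain blacklist BEFORE a staged user is created.

module SiteSetting
  # Stand-in for the real site setting: pipe-separated blocked domains.
  # The value below is constructed for this example.
  def self.email_domains_blacklist
    "mailinator.com|spam.example"
  end
end

class EmailDomainBlacklisted < StandardError; end
class NoSenderDetectedError < StandardError; end

# Hypothetical helper: true when the address's domain is a blacklisted
# domain or a subdomain of one. Comparison is case-insensitive, and a
# domain that merely ends with the blocked name (notmailinator.com) is
# NOT treated as a match because the leading "." is required.
def domain_blacklisted?(email)
  domain = email.to_s.split("@", 2)[1].to_s.downcase
  return false if domain.empty?

  SiteSetting.email_domains_blacklist.split("|").map(&:strip).reject(&:empty?).any? do |blocked|
    blocked = blocked.downcase
    domain == blocked || domain.end_with?(".#{blocked}")
  end
end

# Minimal in-memory stand-in for the User table.
class UserStore
  def initialize
    @users = {}
  end

  def find_user(email)
    @users[email.downcase]
  end

  def create_staged_user(email)
    @users[email.downcase] = { email: email.downcase, staged: true }
  end

  def count
    @users.size
  end
end

# The proposed ordering from the post:
#   1. sender sanity checks (only the "no From" check is modelled here)
#   2. an already-known sender is let through unchanged
#   3. an unknown sender from a blacklisted domain is rejected, and
#      no staged user is created for it
#   4. otherwise the staged user is created
def find_or_create_user(store, from_email)
  raise NoSenderDetectedError if from_email.to_s.strip.empty?

  existing = store.find_user(from_email)
  return existing if existing

  raise EmailDomainBlacklisted, from_email if domain_blacklisted?(from_email)

  store.create_staged_user(from_email)
end
```

Running it with a blacklisted address leaves the user store untouched, which is the property the original receiver lacked: the rejection has to happen before `find_or_create_user` persists anything, otherwise the spammer's staged account exists even though the message is dropped.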

Email domain blacklist with wildcards (revisited)
(Jeff Atwood) #2

What do you think @zogstrip?


(Stephen Chung) #4

Wonder if anyone is working on this… It gets a bit inconvenient to keep having spammers create staged accounts when I know I should be able to blacklist them.


(Joshua Rosenfeld) #5

I can confirm @zogstrip is aware of this. We actually ran into this with one of our customers - they were being flooded by “spam” accounts whose domains were already blacklisted.


(Joshua Rosenfeld) #7

Looks like @gerhard actually committed the fixes. This should prevent staged user creation when the email domain is blacklisted:

We also will no longer create staged accounts if the email was rejected:


(Kane York) #8

@gerhard you have a typo in the fix (76706f914)! Deleted a character from a symbol.


(Joshua Rosenfeld) #9

For the record, here’s the fix:


(Joshua Rosenfeld) #10

This topic was automatically closed after 30 hours. New replies are no longer allowed.