Ted Johansson:
For example, a user with an account tied to bob@discourse.org is able to create another account tied to bob+again@discourse.org.
Discourse comes with the normalize_emails site setting which can be flipped to either allow or disallow this. When turned on, it considers both e-mails above to be the same for purposes of unique account validation, and Bob won’t be able to create the second account.
Why are we changing it?
We have seen a big increase in spam sign-ups lately, with some sites receiving hundreds or even thousands of sign-ups from a single e-mail through the use of plus addressing. Needless to say, this is a rather nasty surprise when it does happen.
This is great to hear. (I recall waaaay back when this was a huge problem for markersocial who had to really push hard for any changes to be made to core.)
Great thanks @sam and sorry I didn’t follow up on this yet.
Yes it still seems quite viable to make a lot of accounts using this trick (2.5.0.beta1).
For example, using the username+{randomstring}@gmail.com trick, someone created 748 accounts in the last 10hrs. They already have thousands of accounts on this single gmail address.
Pretty much the only way for me to be able to remove them from the admin area is manually going to each account individually to suspend and/or delete them. It’s not …
4 Likes
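An added example, not part of the thread and not Discourse's own code: a uniqueness check that treats plus-addressed variants as one address, plus an audit helper that counts existing accounts per base address. It assumes normalization means lowercasing and dropping the `+tag` from the local part; `SignupRegistry`, `plus_address_clusters` and the sample addresses are hypothetical.

```ruby
require "set"

# Assumed rule: "Bob+again@Discourse.org" -> "bob@discourse.org".
# Returns nil for input that has no usable local part or domain.
def normalize_email(email)
  local, sep, domain = email.strip.downcase.rpartition("@")
  return nil if sep.empty? || local.empty? || domain.empty?
  base = local.split("+", 2).first
  return nil if base.nil? || base.empty?
  "#{base}@#{domain}"
end

# Hypothetical sign-up gate; `normalize:` plays the role of the site setting.
class SignupRegistry
  attr_reader :accepted

  def initialize(normalize:)
    @normalize = normalize
    @seen = Set.new
    @accepted = []
  end

  def register(email)
    key = @normalize ? normalize_email(email) : email.strip.downcase
    return :invalid if key.nil?
    return :duplicate unless @seen.add?(key) # add? is nil when already present
    @accepted << email
    :created
  end
end

# Audit of existing accounts: base address => number of accounts sharing it.
def plus_address_clusters(emails, min_size: 2)
  emails.group_by { |e| normalize_email(e) }
        .reject { |key, list| key.nil? || list.size < min_size }
        .transform_values(&:size)
end

# Constructed sample sign-ups, in arrival order.
SAMPLE_SIGNUPS = %w[
  bob@discourse.org bob+again@discourse.org BOB+x1@discourse.org
  alice@example.com username+a8f3@gmail.com username+k2p9@gmail.com
  username+zz01@gmail.com
].freeze

strict = SignupRegistry.new(normalize: true)
SAMPLE_SIGNUPS.each { |e| puts format("%-28s %s", e, strict.register(e)) }
puts plus_address_clusters(SAMPLE_SIGNUPS).inspect
```

The cluster report is useful on a site that ran with normalization off, since it lists the base addresses whose accounts need review.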