Protecting against gmail dot trick in Discourse

Yeah that’s kind of the point I was making on the call…

I guess we’re back to shipping a plugin, because IMHO the only effective “solution” is to completely block periods and plus .+ characters in emails when you are in lockdown mode.

Basically it is a blacklist regex for email and you’d tweak it as you see fit, to add certain providers, certain characters, whatever. Very flexible, very powerful.

2 Likes

I think improving email blacklist is an easy change that can benefit all sites, I can think of zero downsides

If I block sam@gmail.com do I really want to allow s.am@gmail.com

Regarding plugin, I guess we can deal with this when we have a real problem on our hosting. We already support blacklisting domains

4 Likes

Do many know this feature was added ? (Did they get a message telling them ? Maybe they don’t follow that much here on meta !?)

Personally, I don’t find the change “pointless” at all. I would actually put it in core and set it up as enabled by default. My own thinking here is: Does a user have the ability to create multiple accounts with the exact same email address ? Why let someone do it with a Gmail address, then ? (additionally, if it’s enabled by default in the first place, it “solves” the problem of letting one more account be created after activation)

The idea would be to have an option to ALLOW multiple accounts with a single gmail email and the “gmail tricks” (now, I can understand the desire to not want to add the canonical email storage if it feels all this isn’t needed)

This feature seems fine @sam I think we should ship that default off / blank.

A bit of background that you’re probably missing is that forum admins have been told that the plus addressing trick is an excellent way to create unprivileged test accounts on the forums, to check category permissions, many times here on Meta. Banning the trick can’t be done by default, because there are legitimate uses for multiple accounts and this is one legitimate use that shows up pretty much everywhere.

Giving special permissions to use a duplicate email for your “unprivileged user test account” is kind of an oxymoron.

6 Likes

You’re right on that.

I reverted my change here and instead introduced this new awesome default.

https://github.com/discourse/discourse/commit/cbceadf48b60b29fb710586e2b03bde4c5fe0883

This means that if evil.person+77@gmail.com gets blocked we will go ahead and block evilperson@gmail.com instead.

Then when e.v.i.l.person@gmail.com tries to sneak in they will be blocked due to canonical matching.

This entirely solves the OP here, and is a very clean and safe change all Discourse instances can benefit from.

Going to close this off as complete in a week.

13 Likes

This topic was automatically closed after 7 days. New replies are no longer allowed.