Remove moderator ability to view users email addresses

There were some excellent changes to mod permissions as per this topic Permission Changes (moderators have less). I feel removing the ability for mods to view email addresses should be considered too.

There are several reasons for this:

Data Protection - In the UK there are laws governing digital personal data and I feel that there isn’t sufficient reason to let moderators (who are usually unpaid volunteers) view people’s personal email addresses (somebody in the thread mentioned it helps with spam - but I think it would be better to improve spam tools instead).

Theft - I have lost count of the number of times I have heard about an ex moderator deciding to start a competing forum. It is bad enough when they use the original forum’s PM system to steal members but with the current Discourse settings they just need to make a note of everyone’s email address.

Spam/security - If a moderator’s account is breached the email addresses could be stolen/spammed.

User trust - I don’t think people expect moderators to have access to their email address when they sign up to a forum.

While we do our best to choose good honest mods we don’t always get it right - I think allowing them to see email addresses is extremely risky.


Are the logs recorded when Show Email is pressed not enough to provide accountability for rouge or compromised moderator accounts?

You may also want to hear @cpradio’s opinions on this.

I don’t believe that is enough.

I have run forums for quite a while and there has never been a need to give mods access to user’s emails - even when we were using the very first PHPBB forums, hehe.

1 Like

My opinion is closely aligned

Then you were either very fortunate or did not get to the point of seeing similarities in email address patterns of problem accounts.

Being able to see and compare email address patterns is a key facet of problem account recognition.

Discourse not showing the email addresses to Moderators without needing the accountability click is a hurdle that makes moderation more difficult.

Making them completely inaccessible - for Moderators - would be taking an important moderation tool away and giving problem accounts an advantage.


What kind of problems are we talking about here?

Spammers or people signing up duplicate accounts to cause mischief?

1 Like

SPAMmers - including “bots” and SPAM-mill humans
Zombies - Banned members that won’t stay away.

True, IMHO Discourse does a very good job at stopping bot Flood account seeding, but it doesn’t stop everything


We had a bad Zombie on Imgur Community, complicated by the fact that he was sometimes good at trolling as an art. Some of his accounts just spammed stuff on threads but others would get into seemingly legitimate debates with people before throwing out some flamebait and watching the pretty flames dance. The only way the mods kept up was seeing that the suspicious accounts were all coming from the same email provider.


I don’t think email accounts give much away tbh - there are only so many providers and anyone can think of a address to look legitimate.

IPs are more useful.

IPs and required fields are even more useful. Such as with a field for location (spammers IP country and location often differ).

When it comes to zombies or problematic members, on other forum platforms (like XF and vB) there are multiple account detectors that set a second cookie on the users computer and logging out does not clear it. So when someone logs in with more than one account you get notified. This has been extremely useful to us over the years! :smiley:

If Sam or Jeff are not convinced then please can we have it as an admin-option? That way everyone is happy.


I’m sorry, have you actually looked at the Discourse admin interface? Because…

Of course I have :stuck_out_tongue: I was just saying IPs are more useful in detecting problematic accounts than email addresses.

Also I was referring to a location user profile field (i.e. one that you fill out on registration). 9 times out of 10 a spambot or 3rd world spammer will enter a country that does not match their IP :wink:

1 Like

Also, supercookies are often a quite significant breach of a user’s expectation of privacy, so I cannot support doing that.

As well as the fact that multiple user accounts is the official solution for a couple of situations.


You can exclude accounts in most MAD systems.

Email addresses are validated. Unless you control the address and click on the GUID we mail you at that email address, it will not be valid, and nor will the user.

I see no value in this feature as described, clicking to reveal with audit trail should suffice. No customers are asking for this, and you are the first to request it in two years of development.

I would only work on this feature if an enterprise hosting client asked for it as a prerequisite. Nobody has so far.


Yes I know email addresses are validated - my point was anyone can sign up email addresses that look legitimate.


We are currently being plagued by fake account sign-ups using a wide range of IP addresses (although mostly the same hosting company) where the initial giveaway was the e-mail format. Once you spot a list of consecutive or near-consecutive sign-ups with the same string of characters or numbers in the e-mail address, you know there is a potential problem to investigate. And when more and more of them start appearing, you can spot them and deal with them - often before they get round to Spamming in the forum or by PM. Likewise when we had a whole batch of Spammers all using the same Korean e-mail domain, which was not used by anybody else. If I’d not had access to the e-mails to spot that connection, we’d have been unable to block it and reduce (although not eliminate) what was a severe problem.



Indeed - I have at least 5 other accounts on our instance. (4 primarily for testing TL stuff.)


@AstonJ, we’ve had problem accounts that were only able to catch ahead of their game because of their email address. They used multiple IPs spanning different regions. However, their email syntax/patterns were identical along with their username selection. Using the those two factors we’re able to squash them before they become a problem.

If you are seriously concerned, have your moderators sign a NDA (that’s what Sitepoint does). If you are a moderator, you sign a NDA so you cannot disclose those details outside of the private discussion areas and doing so, could lead you being liable.


I think it would be only a matter of time before they work that out (tho they don’t sound particularly bright to begin with).

I think what would serve you better is what I posted earlier - by having a required field on signup called ‘location’ and cross checking that with their IP. We find that bots, or spammers hired from poorer countries almost always put a different location country to the one where they are actually posting from.

If you really must give email access to staff then I suggest promoting them to admin instead - as this better reflects the amount of information they have access to.

I think once it becomes common knowledge that Discourse allows moderators to see email addresses, or after an event or admission of a mod or ex mod doing some of the things I warned about, it may well put people off joining any Discourse forum.


[quote=“AstonJ, post:18, topic:30261”]
I think what would serve you better is what I posted earlier - by having a required field on signup called ‘location’ and cross checking that with their IP.
[/quote]So they put a fake location and use a proxy to match…

Moderators on vBulletin forums also have access to e-mail addresses. I imagine it’s common to most forum software, although vBulletin is the only other I have moderator experience of.

1 Like

Very few people are going to mind the fact the moderators have access to emails. A large portion of the forum and cms software allow for the exposure of email addresses to moderators. It’s likely the userbase doesn’t differentiate between moderators and administrators and instead just considers them ‘Staff’.