Feature Proposal: Add more email controls to UI::Register.

Motivation

Others have pointed out that it is surprising behavior that any number of users can register using the same email address. It came up recently in a support question: Support.Question1046

I've also been seeing some of the SPAM registrations on foswiki.org repeatedly using the same email address.

MichaelDaum points out that his public sites see repeated registrations from a small number of spam domains, and suggested using a regex filter to cull matching addresses. He is using it successfully on some of his sites.

Finally, the "email recognition" regex is used to recognize valid email addresses for auto-linking, and is also applied to the email address submitted during registration. Most of the regex shown below in the discussion is generic, but it does use a list of explicit TLDs that are longer than the 2-character country codes. With the new TLD process underway, this list needs to be configurable.

Description and Documentation

  • Add a new Registration parameter {Register}{UniqueEmail} default disabled. If enabled, UI::Register::_validateRegistration will throw an oops if the email address is already registered.
  • Add MichaelDaum's suggestion. Implement a {Register}{EmailFilter}, and "oops" if the filter matches the registered email address.
  • Add {Email}{ValidTLD} to the Email general settings part of the configuration. This allows sites to tailor a list that is already in the code in Foswiki 1.1.4.

Examples

# **BOOLEAN**
# Normally users can register multiple WikiNames using the same email address.
# Enable this parameter to prevent multiple registrations using the same email address.
$Foswiki::cfg{Register}{UniqueEmail} = $FALSE;

# **REGEX 80**
# This regular expression can be used to block certain email addresses from being used
# for registering users.  It can be used to block some of the more common wikispam bots.
# If this regex matches the entered address, the registration is rejected.
# <code>^.*@(lease-a-seo.com|paydayloans).*$</code>
# To block all domains and list only the permitted domains, use an expression of the format:
# <code>^.*@(?!(example.com|example.net)$)</code>
$Foswiki::cfg{Register}{EmailFilter} = '';

# **REGEX 80 EXPERT**
# This parameter is used to determine which Top Level Domains are valid
# when auto-linking email addresses.  It is also used by UserRegistration to
# validate email addresses.  Note, this parameter <em>only</em> controls
# matching of 3 character and longer TLDs.   2-character country codes and
# IP Address domains are permitted.<br/>
# Valid TLDs at http://data.iana.org/TLD/tlds-alpha-by-domain.txt<br/>
# Version 2012022300, Last Updated Thu Feb 23 15:07:02 2012 UTC
$Foswiki::cfg{Email}{ValidTLD} = qr(AERO|ARPA|ASIA|BIZ|CAT|COM|COOP|EDU|GOV|INFO|INT|JOBS|MIL|MOBI|MUSEUM|NAME|NET|ORG|PRO|TEL|TRAVEL|XXX)i;
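As an added example (not code from this proposal or from Foswiki), a stand-alone Perl script that applies a {Register}{EmailFilter} value the way the proposed check would, run over the block-list and allow-list patterns from the Examples above; email_rejected, the sample addresses and the corrected allow-list pattern are my own.

```perl
#!/usr/bin/perl
# Added example, not Foswiki code: apply a {Register}{EmailFilter} value
# the way the proposed check does and see which addresses it rejects.
use strict;
use warnings;

# Returns 1 when the filter matches (registration rejected), else 0.
# Unlike a bare $em =~ /$filter/, an empty filter means "no filter":
# in Perl an empty pattern silently reuses the last successful match.
sub email_rejected {
    my ( $email, $filter ) = @_;
    return 0 unless defined $filter && length $filter;
    my $re = eval { qr/$filter/ };    # a malformed admin regex must not die here
    die "bad EmailFilter: $@" unless $re;
    return $email =~ $re ? 1 : 0;
}

# Block-list and allow-list patterns exactly as in the Examples section.
my $blocklist          = '^.*@(lease-a-seo.com|paydayloans).*$';
my $allowlist_as_shown = '^.*@(?!(example.com|example.net)$)';

# Corrected allow list (my variant): dots escaped, local part cannot
# contain '@', so "exampleXcom" no longer passes as example.com.
my $allowlist_fixed = '^[^@]+@(?!(?:example\.com|example\.net)$)';

# Constructed sample addresses, not taken from any real registration.
my @samples = (
    'bob@lease-a-seo.com',        # block list: domain listed
    'bob@paydayloans-now.net',    # block list: substring match is enough
    'alice@example.com',          # allow list: permitted by both forms
    'alice@exampleXcom',          # allow list as shown: slips through
    'alice@sub.example.com',      # allow list: host must be exactly listed
    'alice@EXAMPLE.COM',          # allow list: case-sensitive without /i
);

for my $addr (@samples) {
    printf "%-26s block=%d allow(shown)=%d allow(fixed)=%d\n", $addr,
        email_rejected( $addr, $blocklist ),
        email_rejected( $addr, $allowlist_as_shown ),
        email_rejected( $addr, $allowlist_fixed );
}

# An unset filter accepts everything, including a listed spam domain.
print 'empty filter rejects: ', email_rejected( 'bob@paydayloans.com', '' ), "\n";
```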

Impact


Implementation

-- Contributors: GeorgeClark - 21 Feb 2012

Discussion

Hm, in principle there's nothing wrong with registering with the same email address twice. I use this quite frequently to have a test account on the side.

I can imagine that spammers try to register more than once to get their message through. Though it would be cooler to block them prematurely without them having registered at least once.

With regard to blocking spam registrations, why not implement a {Register}{EmailFilter} to block them prematurely? Here's a patch:


Index: lib/Foswiki/UI/Register.pm
===================================================================
--- lib/Foswiki/UI/Register.pm  (revision 14063)
+++ lib/Foswiki/UI/Register.pm  (working copy)
@@ -462,7 +462,17 @@
         $data->{Email}, $data->{WikiName} );
 
     my $em = $data->{Email};
+    my $emailFilter = $Foswiki::cfg{Register}{EmailFilter};
+    if (defined $emailFilter && $em =~ /$emailFilter/) {
+            throw Foswiki::OopsException(
+                'attention',
+                def => 'registration_mailaddr_rejected',
+                web => $data->{webName},
+                topic => $topic,
+                params => [ $em ]);
+    }
 
+
     if ( $Foswiki::cfg{EnableEmail} ) {
         my $err = sendEmail( $session, 'registerconfirm', $data );
 
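Review bot: `defined $emailFilter` is too weak a guard for the new check in Register.pm. With the proposal's default of `''`, `$em =~ /$emailFilter/` interpolates an empty pattern, and Perl then reuses whatever regex last matched successfully, which may well be the address validation that just accepted `$em`, so a site that never set a filter could reject every registration. Guard with `defined $emailFilter && length $emailFilter`, compile once with `qr/$emailFilter/` inside an `eval` so a malformed admin-supplied pattern produces an oops instead of a die, and decide explicitly whether the match is `/i`, since mail domains are case-insensitive. The check also sits next to the `registerconfirm` sendEmail call rather than in `_validateRegistration` as the proposal describes, so it only guards the confirmation-mail path. Minor: the extra added blank line before `if ( $Foswiki::cfg{EnableEmail} )` leaves two consecutive blank lines, and the `throw` block is indented 12 spaces where the surrounding code uses 4.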
Index: templates/messages.tmpl
===================================================================
--- templates/messages.tmpl     (revision 14063)
+++ templates/messages.tmpl     (working copy)
@@ -680,4 +680,14 @@
 %MAKETEXT{"Please notify your [_1] administrator." args="<nop>%WIKITOOLNAME%"}%
 %TMPL:END%
 %TMPL:DEF{"enable_js"}%<div class="foswikiAlert"> *%MAKETEXT{"You cannot proceed because either Cookies or Javascript are disabled in your browser."}%* </div><p />%MAKETEXT{"Go back to the previous page, and enable Cookies and Javascript before trying again"}%
-%TMPL:END%
\ No newline at end of file
+%TMPL:END%
+
+%TMPL:DEF{"registration_mailaddr_rejected"}%
+---+++ %MAKETEXT{"Error registering new user"}%
+
+%MAKETEXT{"Your email address [_1] has been rejected." args="%PARAM1%"}%
+
+%MAKETEXT{"Please contact [_1]." args="%WIKIWEBMASTER%"}%
+
+%MAKETEXT{"You have *not* been registered."}%
+%TMPL:END%
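Review bot: the new `registration_mailaddr_rejected` definition in messages.tmpl renders the user-supplied address through `args="%PARAM1%"`, and Register.pm passes `$em` straight from `$data->{Email}`; make sure the value has already passed the address-format validation before it reaches the template, otherwise TML or HTML in a bogus address is rendered into the oops page. Consider also wording the message without confirming that a filter matched ("could not be used for registration" rather than "has been rejected"): a legitimate user still knows to contact %WIKIWEBMASTER%, and an automated registrant learns nothing about what to vary. The trailing-newline fix on the previous `%TMPL:END%` is fine to bundle here.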

Got that running on a public site using something like this as an EmailFilter:

'^.*(@lease-a-seo.com|strompreis|lottozahlen|anbieter|flirtenlernen|ledteelichter|outenplaner|gutenacht|strom.*vergleich|gaspreise|oekostrom|stromtarif|dieex@|flirten|abnehmenimschlaf|gewinn|guenstigerstrom|paydayloans).*$'

As you can see, there are a lot of silly spammers that you'll be able to block based on their email addr.

-- MichaelDaum - 23 Feb 2012

I do agree that duplicate emails are very handy. But at the same time, other than for developer testing, they are probably not all that useful, and scanning Foswiki.org, they seem to be abused - just register again with another wikiname if disabled.

Maybe if current user is Admin, then allow the duplicate email? Other than testing, it seems to me that blocking duplicates would be a very valuable control. Anyway, my proposal is to implement it as a configuration option. So it shouldn't impact anyone who wants to allow duplicates.

I've renamed the proposal to better reflect Michael's suggestion.

-- GeorgeClark - 23 Feb 2012

The email address is already validated against the "valid email" regex, which is also used to determine when to autolink email addresses.

    my $emailAtom = qr([A-Z0-9\Q!#\$%&'*+-/=?^_`{|}~\E])i;    # Per RFC 5322

    # Valid TLDs at http://data.iana.org/TLD/tlds-alpha-by-domain.txt
    # Version 2011083000, Last Updated Tue Aug 30 14:07:02 2011 UTC
    my $validTLD =
      qr(AERO|ARPA|ASIA|BIZ|CAT|COM|COOP|EDU|GOV|INFO|INT|JOBS|MIL|MOBI|MUSEUM|NAME|NET|ORG|PRO|TEL|TRAVEL|XXX)i;

    $regex{emailAddrRegex} = qr(
       (?:                            # LEFT Side of Email address
         (?:$emailAtom+                  # Valid characters left side of email address
           (?:\.$emailAtom+)*            # And 0 or more dotted atoms
         )
       |
         (?:"[\x21\x23-\x5B\x5D-\x7E\s]+?")   # or a quoted string per RFC 5322
       )
       @
       (?:                          # RIGHT side of Email address
         (?:                           # FQDN
           [a-z0-9-]+                     # hostname part
           (?:\.[a-z0-9-]+)*              # 0 or more alphanumeric domains following a dot.
           \.(?:                          # TLD
              (?:[a-z]{2,2})                 # 2 character TLD
              |
              $validTLD                      # TLD's longer than 2 characters
           )
         )
         |
           (?:\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])      # dotted triplets IP Address
         )
       )oxi;

-- GeorgeClark - 24 Feb 2012
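As an added example (my code, not Foswiki's), the address regex quoted above rebuilt with its TLD alternation taken from a variable, the way a configurable {Email}{ValidTLD} would supply it; build_email_regex, is_valid, the whole-string anchoring and the XYZ placeholder TLD are my assumptions, and the sample addresses are constructed.

```perl
#!/usr/bin/perl
# Added example, not Foswiki code: the discussion's address regex with the
# TLD list injected from a variable, anchored so it validates a whole string.
use strict;
use warnings;

# Same local-part atom and structure as the regex in the discussion; only
# the TLD list is injected.  ccTLDs and bracketed IPv4 pass regardless.
sub build_email_regex {
    my ($validTLD) = @_;
    my $atom = qr([A-Z0-9\Q!#\$%&'*+-/=?^_`{|}~\E])i;    # per RFC 5322
    return qr{^
        (?: $atom+ (?:\.$atom+)*                      # dotted atoms
          | "[\x21\x23-\x5B\x5D-\x7E\s]+?" )          # or a quoted string
        \@
        (?: [a-z0-9-]+ (?:\.[a-z0-9-]+)*              # host labels
            \.(?: [a-z]{2} | $validTLD )              # ccTLD or listed TLD
          | \[[0-9]{1,3}(?:\.[0-9]{1,3}){3}\] )       # bracketed IPv4
    $}xi;
}

sub is_valid {
    my ( $addr, $re ) = @_;
    return $addr =~ $re ? 1 : 0;
}

# The list frozen into Foswiki 1.1.4, as quoted in the discussion.
my $tld_2012 = qr(AERO|ARPA|ASIA|BIZ|CAT|COM|COOP|EDU|GOV|INFO|INT|JOBS|MIL|MOBI|MUSEUM|NAME|NET|ORG|PRO|TEL|TRAVEL|XXX)i;
# What a site would set once a TLD missing from that list appears;
# XYZ stands in for any such addition (my placeholder).
my $tld_site = qr($tld_2012|XYZ)i;

my $re_2012 = build_email_regex($tld_2012);
my $re_site = build_email_regex($tld_site);
# Constructed sample addresses.
my @samples = (
    'alice@example.museum',    # in the 2012 list: valid with both
    'alice@example.de',        # any two-letter ccTLD: valid with both
    'alice@example.xyz',       # valid only after the site extends the list
    'alice@[192.0.2.10]',      # bracketed IP literal: valid with both
    '"a b"@example.com',       # quoted local part per RFC 5322: valid
    'alice@example',           # no TLD at all: invalid with both
);

for my $addr (@samples) {
    printf "%-24s list2012=%d sitelist=%d\n", $addr,
        is_valid( $addr, $re_2012 ), is_valid( $addr, $re_site );
}
```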
 
Topic revision: r7 - 05 Mar 2012, GeorgeClark