Sec prob? allowing users to specify sender when sending mail (General)

by erikp, Friday, March 07, 2008, 02:37 (5888 days ago)

Hello!

I'm using the latest beta version of my little forum [2.0 beta 25 (2008-02-27)]!

Is there any way NOT to allow users to specify sender e-mail address when sending an email, or NOT to send a message to the sender e-mail address the user specifies, or to restrict the number of emails a user can send per unit time?
(But at the same time allow email messages)

Allowing a user to specify a sender address as well as sending a copy of the message to the sender address makes the system more or less a public mailing system - just specify any sender address and a "copy" of your message will be sent there!

This is not a nice default behaviour, since it is not obvious that this makes the system more or less a public mailing system. Removing the possibility to specify a sender address, and always using the address the user specified when logging in, makes it a little harder to use this "feature", but the best thing would, of course, be to not send any message to the sender e-mail address.

Any comments?

Regards,
Erik Persson.


Sec prob? allowing users to specify sender when sending mail

by erikp, Friday, March 07, 2008, 18:12 (5887 days ago) @ erikp

Doesn't anyone find it the least worrying that you can use my little forum to send mail to just about anyone in the world?

Is there anything that prevents this from being used by spammers?

/erikp


You're absolutely right!

by Bert ⌂, Friday, March 07, 2008, 20:58 (5887 days ago) @ erikp
edited by Bert, Friday, March 07, 2008, 21:10

> Doesn't anyone find it the least worrying that you can use my little forum to send mail to just about anyone in the world?

I have to agree, it would be better to show the email link only to people who are registered and logged in (similar to the user area).

People who do not want to register should not have the feature to address anybody through the forum...

Bert


Yes, this is a problem

by erikp, Friday, March 07, 2008, 21:12 (5887 days ago) @ Bert
edited by erikp, Friday, March 07, 2008, 21:18

> Doesn't anyone find it the least worrying that you can use my little forum to send mail to just about anyone in the world?

> I have to agree, it would be better to show the email link only to people who are registered and logged in (similar to the user area).
>
> People who do not want to register should not have the feature to address anybody through the forum...
>
> Bert

I think that no email should be sent to the "sender e-mail" address, or that the *only* possibility should be to send it to the address specified when registering.

Since the mail is sent to the "Sender e-mail" as well, and you can put any email address there, you can send email to anyone, not just the persons registered in the forum. Thus you can send an email to anyone!!! It would not be hard to construct a POST request to the server which could be sent many times to do mass mailing! As I understand it, it would not be hard to use many my little forum installs as a means to transmit unsolicited bulk mail.

Many installs let anyone register, and registration is automatic. A spammer could use this and register, and then use the email function to email anyone by using the contact form.

/erikp


Problem solved for now...

by Bert ⌂, Friday, March 07, 2008, 21:25 (5887 days ago) @ erikp
edited by Bert, Friday, March 07, 2008, 21:50

> Many installs let anyone register, and registration is automatic. A spammer could use this and register, and then use the email function to email anyone by using the contact form.

Captcha prevents this from happening automatically, but a sick person could type in his SPAM and send it manually and anonymously to anyone. There is no way to trace the sender to be able to block him through the banlist...

The User Area is deactivated when visitors are not logged in, a simple change of the code should be able to change that for the email address just the same...

For the time being I removed the code that shows the email and homepage information from the /lang/english.lang file...

Old:

    posted_by =                 by <b>[name]</b>[email_hp], [time]
    posted_by_location =        by <b>[name]</b>[email_hp], [location], [time]

New:

    posted_by =                 by <b>[name]</b> [time]
    posted_by_location =        by <b>[name]</b>, [location], [time]

The user information is still visible through the user area, though, but a nicer way would be appreciated (i.e. only visible for users logged in!) so that normal users still have the feature to write an email through the forum.

Bert


Problem solved for now...

by erikp, Friday, March 07, 2008, 23:00 (5887 days ago) @ Bert

> Many installs let anyone register, and registration is automatic. A spammer could use this and register, and then use the email function to email anyone by using the contact form.

> Captcha prevents this from happening automatically, but a sick person could type in his SPAM and send it manually and anonymously to anyone. There is no way to trace the sender to be able to block him through the banlist...
>
> The User Area is deactivated when visitors are not logged in, a simple change of the code should be able to change that for the email address just the same...
>
> For the time being I removed the code that shows the email and homepage information from the /lang/english.lang file...
>
> Old:
>
>     posted_by =                 by <b>[name]</b>[email_hp], [time]
>     posted_by_location =        by <b>[name]</b>[email_hp], [location], [time]
>
> New:
>
>     posted_by =                 by <b>[name]</b> [time]
>     posted_by_location =        by <b>[name]</b>, [location], [time]
>
> The user information is still visible through the user area, though, but a nicer way would be appreciated (i.e. only visible for users logged in!) so that normal users still have the feature to write an email through the forum.
>
> Bert

Captchas are a nice solution. They prevent bulk mailing (they are not that hard to break, but doing so involves a little more work, so I guess they reduce the risk). I think I will look into the code and just remove the possibility to enter the sender address and instead always get it from the database.

/erikp

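The fix erikp settles on above (take the sender address from the account record instead of the form, send no copy to a form-supplied address, require a login and limit sends per user) beside the behaviour the thread describes, as an added Python model of the contact-form logic; this is constructed example code, not my little forum's own PHP, and `Account`, `Envelope`, `HardenedPolicy` and the per-hour limit are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Account:
    name: str
    email: str  # address stored at registration (the database value)


@dataclass
class Envelope:
    from_addr: str
    recipients: List[str]


def vulnerable_policy(form: dict, target: Account) -> Envelope:
    """Behaviour the thread describes: the form supplies the sender address and
    a copy is mailed there, so any address typed into the form receives mail."""
    sender = form["sender_email"]
    return Envelope(from_addr=sender, recipients=[target.email, sender])


class HardenedPolicy:
    """Sender fixed to the logged-in account, no copy, per-account send limit.
    Constructed example; the limit and class names are assumptions."""

    def __init__(self, max_per_hour: int = 5) -> None:
        self.max_per_hour = max_per_hour
        self._sends: Dict[str, List[float]] = {}  # account email -> send times

    def prepare(self, form: dict, user: Optional[Account], target: Account,
                now: float) -> Envelope:
        if user is None:
            raise PermissionError("contact form requires a logged-in account")
        # Sliding one-hour window of this account's recent sends.
        recent = [t for t in self._sends.get(user.email, []) if now - t < 3600]
        if len(recent) >= self.max_per_hour:
            raise RuntimeError("send limit reached for %s" % user.email)
        recent.append(now)
        self._sends[user.email] = recent
        # Any form["sender_email"] is deliberately ignored: the address comes
        # from the account record, and only the addressed member gets mail.
        return Envelope(from_addr=user.email, recipients=[target.email])
```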

Sec prob? allowing users to specify sender when sending mail

by TooCool, Sunday, March 23, 2008, 03:41 (5872 days ago) @ erikp

You can tell the forum software to use spam protection (mathematical, graphic) when sending emails, you know. That will keep those nasty bots from using your email.

