Description

Anyone can register an account with another person's email address in order to send unwanted email to that person, or to cause trouble for the wiki owner.

Steps to reproduce

  1. Register a new account on a busy wiki, e.g. here
  2. Use yourenemy@gemail.com as email address

  3. Select "Subscribe to trivial changes"
  4. Subscribe to all pages using '.+'

Repeat as many times as you like; there is no limit on new account creation. To send mail to the same address from many accounts, use variations on the email address like yourenemy(bla)@gmail.com or yourenemy+bla@gmail.com.

As a side effect, your enemy will not be able to use this email address on that wiki :) See ../RegisterAccountChecksDisabledAccounts.

Details

Any version?

Workaround

Disable email on your wiki if you don't need this feature.

Discussion

The wiki should not send mail to email addresses without confirming that the subscriber is the owner of the address.

The correct behavior for email address should be:

  1. Do not require an email address when registering, to help people keep their privacy
    • Then wiki admin gets lots of mail from people who forgot their password. Not acceptable.
      • It should be the wiki admin's decision, like require_email = 1.

      • If email is required, it should be confirmed when you enter it.
  2. On the first time you subscribe to a page, require an email address
  3. Send a confirmation email
  4. Require a reply email to activate the subscription

As a test, I registered a new account here, and used my unused gmail address to see how much email I'm going to get from this wiki. -- NirSoffer 2005-04-07 18:55:25

Above you write that your enemy can't use this wiki anymore. This isn't true - since it's his email address, your enemy can still do "send me my account data", log in with this data and change the subscription. It would be like that if the subscription emails are still sent after disabling an account (which I believe is not the case.)

But I do second the need for email confirmation in MoinMoin. -- NicoDietrich 2005-04-07 20:52:12

True, the email owner can fix this, but only if he knows how to use moin. The general user will not be able to do this, and will probably complain to the wiki admin or, worse, report the wiki mail as spam.

Maybe this patch by RussellStuart could be used as a base to implement email activation in MoinMoin. -- EricVeirasGalisson
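
The confirmation flow proposed in the discussion above, as an added example that is not MoinMoin code and not part of the original page: nothing is mailed to an address until a signed, expiring token sent to it is presented back, and confirmation mails are capped per mailbox after collapsing the `+tag` and `(comment)` variations mentioned in the report. The class and function names, the token lifetime and the cap are assumptions chosen for illustration.

```python
import hashlib, hmac, re, secrets, time

SECRET = secrets.token_bytes(32)   # assumption: per-wiki secret kept in server config
TOKEN_TTL = 24 * 3600              # confirmation token lifetime in seconds
MAX_PENDING_PER_MAILBOX = 3        # cap on confirmation mails sent to one mailbox

def canonical(email):
    """Collapse '(comment)' and '+tag' variations to one mailbox key.
    Assumption: '+tag' stripping is provider-specific; used only for rate limiting."""
    local, _, domain = email.strip().lower().rpartition("@")
    local = re.sub(r"\(.*?\)", "", local).split("+", 1)[0]
    return f"{local}@{domain}"

def _sign(user, email, expires):
    msg = f"{user}\n{email}\n{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

class Subscriptions:
    def __init__(self):
        self.pending = {}       # canonical mailbox -> confirmation mails sent
        self.confirmed = set()  # (user, email) pairs allowed to get notifications

    def request(self, user, email, now=None):
        """Return a token to mail to `email`, or None once the mailbox cap is hit."""
        now = time.time() if now is None else now
        box = canonical(email)
        if self.pending.get(box, 0) >= MAX_PENDING_PER_MAILBOX:
            return None
        self.pending[box] = self.pending.get(box, 0) + 1
        expires = int(now) + TOKEN_TTL
        return f"{expires}.{_sign(user, email, expires)}"

    def confirm(self, user, email, token, now=None):
        """Activate the subscription only for a valid, unexpired token."""
        now = time.time() if now is None else now
        try:
            expires_s, mac = token.split(".", 1)
            expires = int(expires_s)
        except ValueError:
            return False
        good = _sign(user, email, expires).encode()
        if expires < now or not hmac.compare_digest(mac.encode(), good):
            return False
        self.confirmed.add((user, email))
        return True

    def recipients(self, subscribers):
        """Page-change mail goes only to confirmed (user, email) pairs."""
        return [s for s in subscribers if s in self.confirmed]
```
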

Plan


CategoryMoinMoinBugConfirmed

MoinMoin: FeatureRequests/AccountCreationAfterEmailConfirmation (last edited 2008-06-05 12:12:39 by EricVeirasGalisson)