Hey @Brass-Man,

I was able to make this account with the email address no@no. It’s not even no@no.com, let alone a valid email address. Yet here I am, able to post this message with my account. Perhaps you could add some basic email verification to cut down on the spambots?

Thanks!

I think the "what is" brainstorm idea of a bot-check security question is really good.

last edited by Botvinik

I appreciate the concern for the wellbeing of the site. True email verification is non-trivial for me to implement (all email-related functionality has been broken for some time, I'd have to dig into the site's software and likely update software versions before redeploying, which could break existing theming and plugins so I'd have to fix those, too, etc etc). That might be worth doing, and the site is probably overdue for a software update, but I'm not convinced it'll have any impact on spambots, which are more likely to use real email addresses than a human is. Looking at the last few spambots who registered or posted, I don't have any reason to think they wouldn't have passed email verification

A magic-themed security question would probably help, but I'd still need to implement it. I won't say I'll never do it, but it's been hard to find time to put into TMD development. If any technical-minded TMD'ers want to reduce the effort necessary, that'd certainly make me more likely to add it. The forum runs on NodeBB software and there might already be a plugin that handles this. I can add arbitrary scripts to the page if someone wants to take a crack at solving the problem entirely with clientside js.

last edited by Brass Man

I’d be happy to help, but where would this site's traffic and activity come from if we walled out spambots?

@securityforbrass said in Basic Security Idea:

no@no.

It’s not even no@no.com, let alone a valid email address.

@brass-man said in Basic Security Idea:

True email verification is non-trivial for me to implement

As an example of how difficult email validation is to implement, no@no is valid within the email specification.

IETF RFC 5322 Section 3.4.1

An addr-spec is a specific Internet identifier that contains a locally interpreted string followed by the at-sign character ("@", ASCII value 64) followed by an Internet domain.

no is a valid Internet domain. It doesn't happen to resolve and there's almost certainly not any email accounts there, but it is a valid domain name. (In fact, it's the top-level domain of Norway.)

@thecravenone haha yeah, really perfect validation is sort of a gordian knot. Kind of like datetimes and telephone numbers, where the full set of rules is vastly more complicated than people assume. Luckily the problem TMD would have to solve is much easier than that. In theory I don't really care whether someone is able to type in a valid email or not, I care that people are only using email addresses that they have access to. I don't need any clientside validation to confirm that, I need to send an email to that address and it's up to the user to confirm receipt. There are still a few issues there, though:

  • the emailer on the site is broken. As in, the server software that runs TMD is supposed to send out emails and it just doesn't. I don't know why. It could end up being a very simple server-configuration problem, or it could be bugs deep in code I've never seen, it requires investigation

  • confirming emails doesn't do anything to stop bots with access to email addresses, and I suspect most of them do. Email verification is probably more of a hassle to humans than it is to bots.

Honestly out of principle I'd rather not collect any information I don't actually use or need, and since right now TMD doesn't send emails, I don't have any reason to collect or require email addresses. As a webdev, every site I've professionally worked for collects a bunch of data they don't use, and passes that data onto Google and Facebook for free (I think often without realizing or caring that they're doing it). It annoys me when other sites do it so I'd rather not do it myself.

Of course that's no reason for me not to fix the emailer, if people WANT to get notifications or account recovery emails I should give them that option, but not require it.

I think this is all separate from the spambot issue which is probably best solved by some MTG-Related Captcha (like "name this mox") on login. This is still not something I have as a priority to implement but enough people keep talking about it I'll probably feel guilty and build it 😛

@brass-man said in Basic Security Idea:

I think this is all separate from the spambot issue which is probably best solved by some MTG-Related Captcha (like "name this mox") on login. This is still not something I have as a priority to implement but enough people keep talking about it I'll probably feel guilty and build it 😛

The real trick is to tell people that this isn't possible so they'll code it for you 😛

@thecravenone Good thinking on the top-level domain stuff.

I just registered this account name with an email address that was only the @ symbol to test out how smart/dumb that field was. Here I am posting from it.
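Added example (not code from any poster and not NodeBB's own registration check): a checker for the RFC 5322 section 3.4.1 addr-spec grammar thecravenone quotes above, which makes both test registrations in this thread concrete. `no@no` passes, because `no` is a legitimate dot-atom domain; a bare `@` fails, because the local-part is empty. A separate site-policy function shows that refusing dotless domains is a choice a forum can make, not something the RFC requires, and that neither function says anything about whether a mailbox exists. Comments, folding whitespace and the obsolete forms are deliberately left out.

```javascript
// Added example: RFC 5322 section 3.4.1 addr-spec checker. Not NodeBB code.
//
//   addr-spec   = local-part "@" domain
//   local-part  = dot-atom / quoted-string
//   domain      = dot-atom / domain-literal
//   dot-atom    = 1*atext *("." 1*atext)
//
// CFWS (comments, folding whitespace) and obs-* productions are not handled.

const ATEXT_RUN = /^[A-Za-z0-9!#$%&'*+\-\/=?^_`{|}~]+$/;

// dot-atom: one or more atext runs separated by single dots. Empty labels are
// rejected, so "a..b", ".a" and "a." all fail here.
function isDotAtom(s) {
  return s.length > 0 && s.split('.').every((label) => ATEXT_RUN.test(label));
}

// quoted-string: DQUOTE *([FWS] qcontent) DQUOTE. qtext is printable ASCII
// other than backslash and double quote; a space is accepted as FWS.
function isQuotedString(s) {
  if (s.length < 2 || s[0] !== '"' || s[s.length - 1] !== '"') return false;
  const body = s.slice(1, -1);
  for (let i = 0; i < body.length; i++) {
    if (body[i] === '\\') { // quoted-pair: backslash followed by one more char
      i++;
      if (i >= body.length) return false;
      continue;
    }
    const c = body.charCodeAt(i);
    if ((c < 33 && c !== 32) || c > 126 || body[i] === '"') return false;
  }
  return true;
}

// domain-literal: "[" *dtext "]", dtext = printable ASCII except "[", "]", "\".
function isDomainLiteral(s) {
  return s.length >= 2 && s[0] === '[' && s[s.length - 1] === ']'
    && /^[\x21-\x5a\x5e-\x7e]*$/.test(s.slice(1, -1));
}

// Grammar check only. atext and dtext never contain "@", so the last "@" is
// always the local-part/domain separator (a quoted local-part may contain one).
function checkAddrSpec(addr) {
  const at = addr.lastIndexOf('@');
  if (at < 0) return { valid: false, reason: 'no "@"' };
  const local = addr.slice(0, at);
  const domain = addr.slice(at + 1);
  if (!(isDotAtom(local) || isQuotedString(local))) {
    return { valid: false, reason: 'local-part is not a dot-atom or quoted-string' };
  }
  if (!(isDotAtom(domain) || isDomainLiteral(domain))) {
    return { valid: false, reason: 'domain is not a dot-atom or domain-literal' };
  }
  return { valid: true, reason: 'well-formed addr-spec' };
}

// Site policy layered on top of the grammar: refuse a bare label such as "no"
// even though RFC 5322 allows it. This still proves nothing about whether the
// mailbox exists or who controls it; only a confirmation email does that.
function acceptableForSignup(addr) {
  const r = checkAddrSpec(addr);
  if (!r.valid) return r;
  const domain = addr.slice(addr.lastIndexOf('@') + 1);
  if (!domain.startsWith('[') && !domain.includes('.')) {
    return { valid: false, reason: 'domain has no dot (site policy, not RFC 5322)' };
  }
  return r;
}

// Constructed sample inputs, including the two addresses registered in this thread.
for (const a of ['no@no', '@', 'no@no.com', '"john doe"@example.com',
                 'a..b@example.com', 'user@[192.0.2.1]']) {
  console.log(a.padEnd(24), JSON.stringify(checkAddrSpec(a)),
              '| signup policy:', acceptableForSignup(a).valid);
}
```

The split between `checkAddrSpec` and `acceptableForSignup` is the point: the first answers "is this a well-formed address", the second answers "will this site take it", and the registration forms in this thread apparently asked neither question.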
