Email confirmation

Dear everyone,
I run a small pod in Switzerland and today I received a strange message, saying that someone used another’s persons email address to create an account on my pod. The legitimate owner of the email contacted me saying he was receiving unsolicited emails from my pod.
this could be avoided if new users had to verify their address. Of course they still could decide not to do it, but then it would become an account without an email.
What do you all think ?

Thanks!

2 Likes

3 posts were merged into an existing topic: How To Change Update Frequency

Yes, there is a general topic about emails and how diaspora* handles them. We don’t deal with hardbounces at the moment for example. So the idea was to send a welcome email (see this pull request) and to backlist the email address if the welcome email bounced. But it could be a good idea to simply set the address email as “not verified”, to add a verification link in the welcome email and to not send emails to it until it has been verified.

This should not be very hard to do as we already do that when the address e-mail is changed. I’m going to see if I can add it to my pull request.

Thank you for your report!

2 Likes

It would make sense if One Time Codes were used for these confirmation emails. I’ll layout the process below, but I agree, verifying email addresses should be forced.

  1. User signs up for an account
  2. User receives welcome email, yayyy!! :smiley:
  3. User receives OTC email asking them to verify their account
  4. User takes code (or url) from email and enters it into the site, validating their ownership of their email address.
  5. If user does not validate within a specified time frame, the user account is automatically locked for privacy protection and spam avoidance.
2 Likes

This is more or less I’ve implemented on one of my sites with devise:

  1. User has to register, 2. user has to confirm the mail.
    Unconfirmed user stay in database as long as someone deletes it. A Rake Task might collect these entries.
    In my experience: 1/10 till 1/100 of spammers confirm such a mail. but 99% of real user.
    With devise its a trivial task, even localized mails are possible.
1 Like

I guess this could be integrated but behind a setting. We already had complain about diaspora* asking for an e-mail to register, so not fully anonymous. On the other hand, we have a huge amount of spam…

1 Like

You can not have the one without the other - to open fully anonymous - diaspora opens for everyone.
If someone needs a Mail address its easy for humans to use temp-mails or create demo-persistent new mails.
But it hardens automatic (script-kiddies) mass-creating accounts.