Dear everyone,
I run a small pod in Switzerland and today I received a strange message, saying that someone used another’s persons email address to create an account on my pod. The legitimate owner of the email contacted me saying he was receiving unsolicited emails from my pod.
this could be avoided if new users had to verify their address. Of course they still could decide not to do it, but then it would become an account without an email.
What do you all think ?
Thanks!
Yes, there is a general topic about emails and how diaspora* handles them. We don’t deal with hardbounces at the moment for example. So the idea was to send a welcome email (see this pull request) and to backlist the email address if the welcome email bounced. But it could be a good idea to simply set the address email as “not verified”, to add a verification link in the welcome email and to not send emails to it until it has been verified.
This should not be very hard to do as we already do that when the address e-mail is changed. I’m going to see if I can add it to my pull request.
Thank you for your report!
It would make sense if One Time Codes were used for these confirmation emails. I’ll layout the process below, but I agree, verifying email addresses should be forced.
This is more or less I’ve implemented on one of my sites with devise:
I guess this could be integrated but behind a setting. We already had complain about diaspora* asking for an e-mail to register, so not fully anonymous. On the other hand, we have a huge amount of spam…
You can not have the one without the other - to open fully anonymous - diaspora opens for everyone.
If someone needs a Mail address its easy for humans to use temp-mails or create demo-persistent new mails.
But it hardens automatic (script-kiddies) mass-creating accounts.