Dear everyone,
I run a small pod in Switzerland and today I received a strange message, saying that someone used another person’s email address to create an account on my pod. The legitimate owner of the email contacted me saying he was receiving unsolicited emails from my pod.
This could be avoided if new users had to verify their address. Of course they still could decide not to do it, but then it would become an account without an email.
What do you all think?


(goob) #2

(Flaburgan) #4

Yes, there is a general topic about emails and how diaspora* handles them. We don’t deal with hard bounces at the moment, for example. So the idea was to send a welcome email (see this pull request) and to blacklist the email address if the welcome email bounced. But it could be a good idea to simply set the email address as “not verified”, to add a verification link in the welcome email and to not send emails to it until it has been verified.

This should not be very hard to do as we already do that when the e-mail address is changed. I’m going to see if I can add it to my pull request.

Thank you for your report!

(Eric Wright) #5

It would make sense if One Time Codes were used for these confirmation emails. I’ll lay out the process below, but I agree, verifying email addresses should be forced.

  1. User signs up for an account
  2. User receives welcome email, yayyy!! :smiley:
  3. User receives OTC email asking them to verify their account
  4. User takes code (or url) from email and enters it into the site, validating their ownership of their email address.
  5. If user does not validate within a specified time frame, the user account is automatically locked for privacy protection and spam avoidance.
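One way to implement steps 3 to 5 above, as an added example in Ruby (diaspora* is a Rails application) that is not the project's own code: the `PendingSignup` class, the 24-hour `VERIFY_WINDOW` and the constructed addresses are assumptions. It stores only a digest of the one-time code, refuses to send anything but the verification mail until the address is verified, and locks the account once the window elapses.

```ruby
require 'securerandom'
require 'digest'

# Constructed in-memory model of one signup awaiting email verification.
# Added example for this thread, not diaspora*'s own code.
class PendingSignup
  VERIFY_WINDOW = 24 * 60 * 60 # seconds allowed to verify (assumed value)
  attr_reader :email, :status

  def initialize(email, now: Time.now)
    @email, @created_at = email, now
    @status = :unverified # only the verification mail may go to this address
    @code_digest = nil
  end

  # Step 3: issue a fresh one-time code. Only its SHA-256 digest is stored, so
  # a database read does not yield usable codes; the plaintext goes in the mail.
  def issue_code
    code = SecureRandom.hex(16)
    @code_digest = Digest::SHA256.hexdigest(code)
    code
  end

  # Step 4: accept the code once, and only inside the time window. Hashing the
  # submitted code before comparing removes the timing leak of a plain compare.
  def verify(code, now: Time.now)
    return false unless @status == :unverified && @code_digest && !expired?(now)
    return false unless Digest::SHA256.hexdigest(code) == @code_digest
    @code_digest = nil # single use
    @status = :verified
    true
  end

  # Step 5: run periodically; locks accounts whose window elapsed unverified.
  def enforce_deadline(now: Time.now)
    @status = :locked if @status == :unverified && expired?(now)
    @status
  end

  # Gate for every other outgoing mail (notifications, digests, ...).
  def may_send_mail?
    @status == :verified
  end

  private
  def expired?(now)
    now - @created_at > VERIFY_WINDOW
  end
end
```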