Accepts email addresses without validation

[John Goerzen <jgoerzen@…>]

trac accepts email addresses without validation several different places — on the New Ticket screen, on the settings screen, etc.

This is bad for several reasons. For starters, it could be abused by spammers. They could put the email address of a victim in the "Your email" box on the New Ticket screen, and submit a ticket to any Trac instance configured to send notifications of new tickets to the submitter.

It could also be used by a miscreant to subscribe an unwitting victim to notifications, as an annoyance.

trac should never send any emails that aren't verified opt-in emails.

[eblot]

Sure. On the other side, do spammers really need a proxy such as Trac to relay their spam emails?

I'd rather see this feature as an enhancement than a defect.

[John Goerzen <jgoerzen@…>]

Yes, it really does happen in the wild, and in fact, has been:

​http://www.salted.com/unsalted/contact-form-spam

​http://www.google.com/search?q=email+form+spam&ie=utf-8&oe=utf-8&rls=org.debian:en-US:unofficial&client=firefox-a

Please set the type to whatever you like; you know better how your process fits this than I do.

thanks,

— John

[Pedro Algarvio, aka, s0undt3ch <ufs@…>]

Perhaps until this is implemented have a bad_email_addresses setting for [notification] allowing the admin to have a space delimited list of know bad email addresses which would serve to filter the addresses to be notified of changes?

[cboos]

Milestone 1.0 deleted

[Thijs Triemstra <lists@…>]

Replying to Pedro Algarvio, aka, s0undt3ch <ufs@…>:

Perhaps until this is implemented have a bad_email_addresses setting for [notification] allowing the admin to have a space delimited list of know bad email addresses which would serve to filter the addresses to be notified of changes?

This sounds like a lot more work than a simple regexp that checks for a valid address (which is probably already available in stdlib somewhere?).

Any reason why this hasn't been implemented other than time etc? What would a good patch have to do..

[thijstriemstra]

#9900 was closed as a duplicate.

[Carsten Klein <carsten.klein@…>]

cf. TracDev/Proposals/EmailValidation

[Carsten Klein <carsten.klein@…>]

An initial prototype of the e-mail address validation facility, for now a direct part of the notification subsystem, is available for review and comment.

See TracDev/Proposals/EmailValidation#CurrentDevelopmentStatus for some information on its state and also TracDev/Proposals/EmailValidation#Repository for information on how to access the repository.

Feel free to comment on the prototype by either putting the information here or in the TracDev/Proposals/EmailValidation#Discussion section of that page.

[rblank]

I'd like to take a look at it. It may take a bit of time, though, as I will have to learn git first :)

[Carsten Klein <carsten.klein@…>]

Replying to rblank:

I'd like to take a look at it. It may take a bit of time, though, as I will have to learn git first :)

see EmailValidation#UsingtheRepository? for a quick guide on how to use it…

[Carsten Klein <carsten.klein@…>]

here is the correct link: TracDev/Proposals/EmailValidation