Improve email address validation

[davidpanderson]

The current check of email addrs is syntactic; "1@1.1" passes. It's easy for spammers or people suspended on the forums to create new accounts. Possible changes (non-exclusive):

• Use a 3rd party validater like http://validateemailaddress.org/ (there are many; most of them charge)
• Add a project option to require new accounts to be email-validated (the code for this already exists) and to hide unvalidated accounts.

[grctest]

Related: https://github.com/Erkan-Yilmaz/Gridcoin-tasks/issues/106

If you know an user's email address (say you're a team founder who can see email addresses), given that there is no email confirmation (not validation) prior to granting access to the account, you can establish a preemptive permanent account compromise by simply registering accounts on an user's behalf and extracting the account key (which never changes).

This has caused some concerns within the Gridcoin community, but ultimately no case has yet to be found thus far.

[davidpanderson]

The email owner can log into the fake account, change its email address, and then create their own account.

[grctest]

The email owner can log into the fake account, change its email address, and then create their own account.

Certainly true, however if done on a small scale the victim may think they've just forgotten about registering in the past & unknowingly uses a permanently compromised account.

[RichardHaselgrove]

Following a persistent spam attack on the BOINC dev board by a spammer promoting (apparently) sports event streaming sites, David has added code preventing any new or edited post containing more than four hyperlinks. For which relief, many thanks.

But the definition of spam as 'more than four links' is clumsy, and will prevent many legitimate posts from being made or updated - BOINC test version release announcements typically contain nine, a recent SETI debugging post contained 21.

Can anyone suggest a cleverer method of deterring spammers without interrupting the normal workflow?

[lfield]

I discussed this with David at the BOINC Workshop. My initial view was that to register emails should be validated. He disagreed and said we need to reduce barriers and people should in theory be able to contribute without registering. Only allowing posts from people with credit will help, but this is a problem for new users who are asking for help. Maybe credit or validated email for posts would work. This will not stop spam accounts being created.

[Ageless93]

Problem with the BOINC forums is, we don't have credit. So our only options lie outside those restrictions. I just tested and noticed that I can post more than four links, so the solution is to make everyone an administrator. ;-)

[sekerob]

Could be done as a suggestion is, to have Spam suspect posts, we've seen quite a few in recent weeks with garbage titles, to mark/move these into a moderation place, 1 time, make them invisible to the general public. Then moderators, whenever present, can decide on final outcome i.e. if deemed not spam/inflammatory, the mods move them back in view as final decision, this to prevent a back and forth on such a 'not compliant' post.