LemmyNet / lemmy

🐀 A link aggregator and forum for the fediverse
https://join-lemmy.org
GNU Affero General Public License v3.0

To combat spam accounts, do not treat email plus addresses as unique #3864

Closed asimons04 closed 1 year ago

asimons04 commented 1 year ago

Requirements

Is your proposal related to a problem?

Currently, Lemmy does not treat email plus addresses as unique which allows trolls/spammers to register many accounts on an instance using the same base email account. This is particularly effective on instances that have open registrations.

If the term is unfamiliar, a plus address is an email address like username+anything@example.com and username+somethingElse@example.com which would both send mail to username@example.com.

This can be useful, such as using +Lemmy or +Amazon to help with email sorting. However, since Lemmy treats them as unique email addresses for the purposes of account creation, it makes it trivial for spammers/trolls to mass-signup to Lemmy instances with a single email address.

Describe the solution you'd like.

I can see two reasonable solutions:

  1. During account creation, when checking to see if an existing email is registered already, split the username portion of the address at "+" and only check against what returns to the left of that for the given domain. This would allow plus addresses to work, but only for one base email address. e.g. username+Lemmy@example.com would allow the user to plus-address tag emails without allowing multiple signups using different tags.

  2. Do not allow plus addresses at all by stripping them out at registration time and providing a notification in the signup form.

Describe alternatives you've considered.

N/A

Additional context

Recommended labels: "moderation" and "security"
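The first solution proposed above, as an added example in Rust (Lemmy's language) that is not Lemmy's own code: the address is canonicalised only for the "is this email already registered?" check by dropping any "+tag" from the local part and lower-casing the domain, while the address the user typed is what gets stored and mailed. The `canonical_email` and `EmailRegistry` names are assumptions for illustration. Note that this only covers the "+" convention; as the thread points out, "+" is a legal local-part character and providers are free to use other separators or none at all.

```rust
// Added example (not Lemmy's code): canonicalise an email address for
// duplicate-registration checks so that "user+a@example.com" and
// "user+b@example.com" map to the same key, while the original address
// is still stored and used for sending mail.

use std::collections::HashSet;

/// Canonical form used solely for the uniqueness check: local part with any
/// "+tag" suffix removed, domain lower-cased. Local-part case is left alone
/// because RFC 5321 makes it the receiving server's decision.
pub fn canonical_email(addr: &str) -> Option<String> {
    let addr = addr.trim();
    // Split on the last '@' so a quoted local part containing '@' still works.
    let (local, domain) = addr.rsplit_once('@')?;
    if local.is_empty() || domain.is_empty() {
        return None;
    }
    // Keep only the portion before the first '+'; "user+a+b" becomes "user".
    let base_local = local.split('+').next().unwrap_or(local);
    if base_local.is_empty() {
        // "+tag@example.com" has no base mailbox to compare against.
        return None;
    }
    Some(format!("{}@{}", base_local, domain.to_ascii_lowercase()))
}

/// Hypothetical registry of canonical emails already taken on the instance.
pub struct EmailRegistry {
    taken: HashSet<String>,
}

impl EmailRegistry {
    pub fn new() -> Self {
        Self { taken: HashSet::new() }
    }

    /// Attempt to register an address. Returns false when its canonical form
    /// is already taken or the address cannot be parsed.
    pub fn register(&mut self, addr: &str) -> bool {
        match canonical_email(addr) {
            Some(key) => self.taken.insert(key),
            None => false,
        }
    }
}

fn main() {
    let mut reg = EmailRegistry::new();
    // First plus-tagged signup succeeds; a second tag on the same mailbox is rejected.
    println!("{}", reg.register("user+lemmy@example.com"));
    println!("{}", reg.register("user+spam42@Example.com"));
    println!("{}", reg.register("other@example.com"));
}
```

Because only the comparison key is canonicalised, a user who signs up as `user+lemmy@example.com` keeps receiving mail at that tagged address, which addresses the objection that plus-addressing is a legitimate tool; what changes is that `user+other@example.com` can no longer create a second account.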

codyro commented 1 year ago

As someone who uses plus-addressing exclusively, I can't say I'd be behind this change. Plus-addressing is a very popular and valuable tool for various legitimate reasons.

The better approach would be more satisfactory captcha/anti-bot/rate-limiting protections.

daviessm commented 1 year ago
RobinFlikkema commented 1 year ago
> + is a valid character in an email address, can you guarantee that no email service provides unique addresses containing the symbol?

Nobody can. As the + sign is valid in email, and how it is handled is up to the mailserver. Heck, some even use the minus symbol, just because many websites block the +. However many large email providers DO support the + sign, and point them to the mailbox of the same user.

Therefore, I think the solution is not to limit +-signs but to look at other ways of preventing spam accounts.

As, if we're going to limit +-signs, you might as well limit complete domain names. What's preventing a spammer from setting up a catch-all mailbox and just creating random mail addresses? Or just using a cloud mail provider where you can freely sign up.