I've noticed in several places that the default settings for 4.5.0
are rather susceptible to exploitation by spammers. While the ideal
settings for any particular module will vary heavily depending on the
community using it, I'd like to see the defaults get a little
stricter.
Here's a very short list of places I think we could improve. Please
post your additions!
- Registration should require email confirmation by default.
(Approval by an admin would work also.) Failure to do email
confirmation means that someone could register a victim, sign them up
for notifications on every forum post, and sit back and watch the
screaming. Where will the complaints go? To the site administrator,
or maybe to THEIR upstream provider.
- Postcard needs an overhaul. At a minimum, it ought to use the
from address of the registered user (whose email is presumably
verified), not whatever address someone feels like typing in. Is
this enough? I'm not sure. I could still register, verify my email,
and then send junk spam postcards to a million emails. Sure, the
from address would be valid (free hotmail?), but since that spam goes
through the installation's mail server, complaints about spam will go
back to the site admin or their upstream provider. I don't have a
total solution in mind, beyond not installing it, of course! Folks
using it, do you have a solution, and have you had problems?
- Bookmarks is exposing email addresses. I'm going to fix that one
TODAY.
- Posting to openacs.org (still running 3.2.x) provides a nice long
list of email addresses when notifications are done. If 4.x is still
doing this, I think it shouldn't.
What else?
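As an added illustration (not code from this post or from OpenACS itself), the following Python shows the two fixes the post asks for: a postcard's From address is bound to the sender's registered, verified account, and notification recipients are kept on the SMTP envelope rather than in visible headers. The account records and addresses are constructed samples, and the small audit helper is an assumption about how one would check an outgoing message.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample accounts (not from the post). "email_verified" is the
# flag an email confirmation round-trip would set on a registered user.
VERIFIED_USER = {"email": "alice@example.com", "email_verified": True}
UNVERIFIED_USER = {"email": "bob@example.com", "email_verified": False}


def postcard_from_address(user: dict, typed_from: str) -> str:
    """Postcards may only carry the sender's registered, verified address.

    Rejects unverified accounts and any typed address that differs from the
    one on file, so the site's mail server never relays a spoofed From.
    """
    if not user.get("email_verified"):
        raise PermissionError("postcard sender has no verified email address")
    if typed_from.strip().lower() != user["email"].lower():
        raise ValueError("postcard From must equal the registered address")
    return user["email"]


def build_notification(site_from: str, subscribers: list[str],
                       subject: str, body: str) -> tuple[EmailMessage, list[str]]:
    """Build one notification whose headers reveal no other subscriber.

    Recipients are returned separately for the SMTP envelope (RCPT TO);
    the visible To header names only the site's own notification address.
    """
    msg = EmailMessage()
    msg["From"] = site_from
    msg["To"] = site_from
    msg["Subject"] = subject
    msg.set_content(body)
    envelope = sorted({a.strip().lower() for a in subscribers if a.strip()})
    return msg, envelope


def leaked_addresses(msg: EmailMessage, subscribers: list[str]) -> set[str]:
    """Audit check: subscriber addresses that appear in any visible To/Cc header."""
    visible = {addr.lower() for _, addr in getaddresses(
        msg.get_all("To", []) + msg.get_all("Cc", []))}
    return {s.strip().lower() for s in subscribers} & visible
```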