
Add canonical e-mail blocks for suspended accounts #16049

Merged 1 commit, Apr 17, 2021

Conversation

Gargron (Member) commented Apr 16, 2021

Prevent new accounts from being created using the same underlying e-mail as a suspended account using extensions and period permutations. Stores e-mails as a SHA256 hash.

Gargron added the moderation (Administration and moderation tooling) label, Apr 16, 2021
ClearlyClaire (Contributor):

ok, if this is bound to an actual account, maybe we don't need to hash the address?

Gargron (Member, Author) commented Apr 16, 2021

Meh, I like the hash. Maybe it will replace keeping the user record on suspended accounts in perpetuity.

Gargron force-pushed the feature-canonical-email-block branch from 1f276c1 to 0a52597, April 16, 2021 21:48
Gargron merged commit b3ceb3d into main, Apr 17, 2021
Gargron deleted the feature-canonical-email-block branch, April 17, 2021 01:14
anghenfil:

Hey,
doesn't this feature lead to blocked "firstnamelastname" when someone with "firstname.lastname" gets blocked and therefore lead to overblocking similar email addresses?

nightpool (Member) commented May 23, 2021

@anghenfil Many email providers, such as gmail, do not distinguish between firstname.lastname and firstnamelastname—emails for both addresses go to the same inbox. This change prevents attackers from using such email providers to evade blocks.
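A working model of the canonicalization described in the PR description and in nightpool's reply, as an added example that is not Mastodon's own code. The normalization rules (lowercase, strip the local part's "+extension", delete periods, applied to every domain) are an assumption drawn from the PR text; the in-memory blocklist class and the sample addresses are constructed for illustration.

```ruby
require 'digest'

# Canonicalize an address as the PR describes: lowercase it, drop any
# "+extension" from the local part, and remove periods. These exact rules are
# an assumption from the PR description, not a copy of Mastodon's code.
# Returns nil for anything that is not shaped like local@domain.
def canonical_email(email)
  local, domain = email.strip.downcase.split('@', 2)
  return nil if local.nil? || domain.nil? || domain.empty?

  local = local.split('+', 2).first # strip "+anything" sub-addressing
  local = local.delete('.')         # collapse period permutations
  return nil if local.empty?

  "#{local}@#{domain}"
end

# SHA256 of the canonical form: only this digest is stored, never the address.
def canonical_email_hash(email)
  canonical = canonical_email(email)
  canonical && Digest::SHA256.hexdigest(canonical)
end

# Constructed in-memory stand-in for a table of canonical e-mail block hashes.
class CanonicalEmailBlocklist
  def initialize
    @hashes = {}
  end

  # Record the hash of a suspended account's canonical address.
  def block!(email)
    h = canonical_email_hash(email)
    @hashes[h] = true if h
    h
  end

  # Registration check: does the candidate address hash to a blocked entry?
  def blocked?(email)
    h = canonical_email_hash(email)
    !h.nil? && @hashes.key?(h)
  end
end
```

Because periods are stripped for every domain, `firstname.lastname` and `firstnamelastname` at the same provider hash to the same entry, which is exactly the side effect anghenfil raises below.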

anghenfil:

@nightpool yes, some/many, but not all. Personally I only know this behaviour from gmail. I think it's not a good idea to risk overblocking.

nightpool (Member):

You're free to remove the restriction on your own server.

DC7IA commented May 23, 2021

Wow, did you know you can have a second email address? :D

anghenfil:

If someone tries to get a new Mastodon account they could just use a temporary email address or a new email address. I don't think using canonical email blocks will result in fewer new accounts from a banned person. It will just affect innocent people since especially big email providers have many really similar email addresses. I don't think "You're free to remove the restriction on your own server." helps, since new users mostly don't choose their instance based on an instance setting ...

Best
anghenfil

chrisguida pushed a commit to Start9Labs/mastodon that referenced this pull request, Feb 26, 2022