Issue 378: Don't use links for email address validation
Spammers have apparently reached the point where they are now
signing up for accounts on websites, receiving the validation
emails, scanning them through an automated POP/IMAP client, and
actually hitting the links contained in the message. (I've learned
of this through some MediaWikis which are now being spammed.)

Change our email address validation technique to be something
that requires more human intelligence.
For example, we should send an email like the following:

    Welcome to Gerrit Code Review at review.source.android.com

    To confirm your email address, please return to the website
    and enter the following code:

    https://review.source.android.com/#VE

    $SHORT_RANDOM_CODE

Where #VE displays a form to accept the $SHORT_RANDOM_CODE, but
wouldn't complete itself normally.
To really make $SHORT_RANDOM_CODE validate an email and yet be
really short, we need to store proposed email addresses into a
database table, keyed by $SHORT_RANDOM_CODE.
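
The table keyed by $SHORT_RANDOM_CODE proposed above, sketched as an added example; it is not Gerrit's code and not part of the original report. The class name, code alphabet and length, one-hour lifetime, attempt limit and the in-memory dicts standing in for the database table are all assumptions chosen for illustration.

```python
import hashlib
import secrets
import time

ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"  # assumed: no look-alikes (I, L, O, 0, 1)
CODE_LEN = 8          # assumed length; short enough to type by hand
TTL_SECONDS = 3600    # assumed lifetime of a pending validation
MAX_ATTEMPTS = 5      # assumed cap on wrong guesses; a short code needs one


class PendingEmailStore:
    """In-memory stand-in for the table keyed by $SHORT_RANDOM_CODE."""

    def __init__(self, clock=time.time):
        self._rows = {}      # sha256(code) -> (account_id, email, expires_at)
        self._failures = {}  # account_id -> count of failed confirmations
        self._clock = clock

    @staticmethod
    def _key(code):
        # Only a hash of the code is stored, so a read of the table does
        # not hand out usable codes. Input is normalised for hand typing.
        return hashlib.sha256(code.strip().upper().encode()).hexdigest()

    def issue(self, account_id, email):
        """Record a proposed address and return the code to send by email."""
        while True:
            code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
            if self._key(code) not in self._rows:
                break
        self._rows[self._key(code)] = (account_id, email, self._clock() + TTL_SECONDS)
        return code

    def confirm(self, account_id, code):
        """Return the validated address, or None. A code works once."""
        if self._failures.get(account_id, 0) >= MAX_ATTEMPTS:
            return None  # locked until the site resets the counter
        row = self._rows.get(self._key(code))
        # The code must exist, belong to the signed-in account and be unexpired.
        if row is None or row[0] != account_id or row[2] < self._clock():
            self._failures[account_id] = self._failures.get(account_id, 0) + 1
            return None
        del self._rows[self._key(code)]
        self._failures.pop(account_id, None)
        return row[1]
```

Binding the row to the account that requested it means a code is useless outside that account's signed-in session, and the attempt cap is what keeps a code this short from being guessed through the form.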
Aug 17, 2010
I think that this would be easy for spammers to overcome too, a minor tweak. Why not simply integrate a true captcha on the first identity registration?
Aug 19, 2010
Captchas are also currently defeated by spam engines. :-)
Aug 20, 2010
Agreed, but if you integrate a captcha system such as an external free software captcha project, you could at least push off the arms race to that subsystem or library instead of attempting to fight it in Gerrit. I am assuming that they have a better chance of beating the spammers than us.
Nov 27, 2013
Captchas won't "stop" spammers, but they might slow them down.