Pete Posted November 5, 2004

Hi there guys

Here's a feature request as an owner of a busy board (once I port my two across into my new 2.0 board). I get sick of spammers signing up at my forums, using real email addresses to validate their accounts, then logging in, altering their email address and spamming my forums.

On that note, could we please have an option when a member validates to automatically create a GD image of their email address (so it's totally tamper proof and maybe even with the option of having the image folder outside the root of the webspace) just as they click the validation link. This way we'll have a permanent record of a working email address to help track down evildoers ;)

Of course, I can see why it'd be easier just to put another field into the table, but this way is much more secure. For example, if your board goes down, you can compare GD email addresses against the email addresses in the table and most likely be able to spot the false address of the user who brought it down amongst the valid email addresses of real users who may simply have changed addresses. Most board hackers that I've encountered will change their addy to something obviously fake, so I really think some sort of extra security system like this would be worth it.

This and thousands of other good suggestions available (I'll just have to come up with the rest at a later date though, they've escaped me right now ;)).
Lloydy Posted November 7, 2004

Okay, let's consider this seriously... You would definitely want to do this in the database (i.e. add an originalemail column). This would allow you to run queries like:

    SELECT * FROM ipb_members WHERE email != originalemail

Imagine if you had thousands of images to manually compare :whacko: Plus let's not forget all the space this would use on the server :(
Wolfie Posted November 7, 2004

How about a log of changed emails? Including member ID, GMT of request, GMT of completion, original email of account, email changed from, email changed to.

Before someone goes yelling that there is unneeded information...

MemberID is obvious

GMT of request, GMT of completion - not only help track how long before it was completed but if you see several accounts requesting a change at the same time, and the changes being completed in the same order and roughly the same time, then you know something is fishy.

Emails, original - So a query for the original email will show all requests for the email used to sign up with. Useful if there are multiple members that started with the same email address.

Emails, changed from - Same as above, but also for backtracking purposes.

Emails, changed to - um, duh.
Pete Posted November 7, 2004

Fair enough. Whichever way you think is best, although most attackers attack the database itself anyway is my point ;)
outlaw Posted November 7, 2004

Yes and making little GD images for something like this is still a bloat. ;)
Wolfie Posted November 7, 2004

> Fair enough. Whichever way you think is best, although most attackers attack the database itself anyway is my point ;)

Ok maybe I'm missing something here then.. If they attack the database, how would GD images protect it?
outlaw Posted November 7, 2004

Because they would be stored on FTP. You're overvaluing the usage of making images to track someone down Pete. If someone wants to attack your database and they know IPB does this they can just sign up for a free account.
Pete Posted November 9, 2004

But you would still have their email address... Aww scrap it - let's just leave it to webhosting staff to resolve issues like this and just make frequent forum backups :)

It was a nice idea while it lasted before all the problems in my idea were pointed out... ;)
Wolfie Posted November 9, 2004

Perhaps the idea that I mentioned, but with the log also being written out to a file or emailed to a specific address (maybe in zip format?).

If the idea is to track someone who tries to attack the database, then the idea would be to have an easily accessible resource (ie, AdminCP -> logs of email changes) and a backup of it (thus the logfile in webspace, emailed, whatever else).
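
The email-change log Wolfie describes on November 7, together with the off-database copy suggested in the post above, sketched as an added example that is not part of the thread or of IPB's code. The table and column names, the 60-second window, the threshold of three accounts and the sample rows are assumptions, and SQLite stands in for the board's database.

```python
import sqlite3

# Hypothetical schema following the fields listed in the thread; not IPB's own table.
SCHEMA = """
CREATE TABLE email_change_log (
    member_id      INTEGER NOT NULL,
    requested_gmt  INTEGER NOT NULL,  -- Unix time of the change request
    completed_gmt  INTEGER,           -- NULL until the new address is validated
    original_email TEXT NOT NULL,     -- address the account signed up with
    changed_from   TEXT NOT NULL,
    changed_to     TEXT NOT NULL
);
"""

# Constructed sample rows: members 11-13 request a change within 20 seconds.
SAMPLE = [
    (7, 1099600000, 1099603600, "a@example.org", "a@example.org", "a2@example.org"),
    (11, 1099800000, 1099800030, "s1@example.net", "s1@example.net", "x1@invalid.example"),
    (12, 1099800010, 1099800041, "s2@example.net", "s2@example.net", "x2@invalid.example"),
    (13, 1099800020, 1099800055, "s3@example.net", "s3@example.net", "x3@invalid.example"),
]

def build_db(rows=SAMPLE):
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO email_change_log VALUES (?,?,?,?,?,?)", rows)
    return db

def burst_members(db, window=60, min_accounts=3):
    """Member IDs whose request lies within `window` seconds of requests
    from at least `min_accounts` distinct accounts (itself included)."""
    sql = """
    SELECT a.member_id
    FROM email_change_log a JOIN email_change_log b
      ON ABS(a.requested_gmt - b.requested_gmt) <= ?
    GROUP BY a.rowid
    HAVING COUNT(DISTINCT b.member_id) >= ?
    ORDER BY a.requested_gmt
    """
    return [r[0] for r in db.execute(sql, (window, min_accounts))]

def export_lines(db):
    """Tab-separated copy of the log for a backup file kept outside the database."""
    cur = db.execute("SELECT * FROM email_change_log ORDER BY requested_gmt")
    return ["\t".join("" if v is None else str(v) for v in row) for row in cur]
```
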