XF 1.3 Awaiting email confirmation (from edit) can post?

I have a (spam) user who registered with a non-existent email address. He changed it to another non-existent email address and was able to post in the forum.

How can I change that behaviour? Also he is in the user group "registered" - thought that would only happen once the account is fully confirmed.


XenForo developer
Staff member
Users that aren't confirmed have the permissions of the "unregistered / unconfirmed" group, regardless of the groups they're in. So either they made the post while they had a confirmed email and later changed it or there are permissions set such that the above named group can post.

Neat, damn I love this forum software. Was able to see via the user changelog that (s)he did exactly that (of course I only got two bounces):

1) reg with non-existent email
2) changemail to valid email
3) changemail to other non-existent email

This might be something interesting for your Anti-Spam system (incl. StopForumSpam).

-> he avoids his initial registration being blocked (works only with a fresh IP), as he can use any random non-existent email which is not yet in StopForumSpam
-> changes it quickly to his real email, validates his account, makes a post
-> after posting he changes into a non-existent email again (random)
-> if admin "anti-spams" user, only his last used email will be sent to StopForumSpam (which was not his real email) and thus avoids his real email getting blocked - less work to fake email addresses.

1) obviously it would be better to send all email addresses to StopForumSpam
2) maybe some option to disallow mail changes?
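
The first suggestion above, as an added example that is not part of the thread and not XenForo code: replay an account's change log to recover every address it held and to put the one that was confirmed when the post was made first in the report. The row layout, addresses and timestamps are constructed for illustration, and the state names `email_confirm`, `valid` and `email_confirm_edit` are assumed to match what the change log records.

```python
from datetime import datetime

# Constructed change-log rows for one account: (time, field, old_value, new_value).
# Row layout, addresses and timestamps are assumptions made for this example.
CHANGES = [
    (datetime(2014, 5, 1, 10, 0), "email", "", "x9k2@nonexistent.example"),
    (datetime(2014, 5, 1, 10, 0), "user_state", "", "email_confirm"),
    (datetime(2014, 5, 1, 10, 5), "email", "x9k2@nonexistent.example", "real@mailbox.example"),
    (datetime(2014, 5, 1, 10, 7), "user_state", "email_confirm", "valid"),
    (datetime(2014, 5, 1, 10, 20), "email", "real@mailbox.example", "q7zz@nonexistent.example"),
    (datetime(2014, 5, 1, 10, 20), "user_state", "valid", "email_confirm_edit"),
]
POSTS = [datetime(2014, 5, 1, 10, 15)]  # constructed post timestamp


def all_emails(changes):
    """Every address the account ever held, in first-seen order."""
    seen = []
    for _when, field, old, new in sorted(changes, key=lambda c: c[0]):
        if field == "email":
            for addr in (old, new):
                if addr and addr not in seen:
                    seen.append(addr)
    return seen


def email_at(changes, moment):
    """Replay the log and return (email, state) in effect at `moment`."""
    email = state = None
    for when, field, _old, new in sorted(changes, key=lambda c: c[0]):
        if when > moment:
            break
        if field == "email":
            email = new
        elif field == "user_state":
            state = new
    return email, state


def emails_to_report(changes, posts):
    """All addresses, with those confirmed ('valid') at post time listed first."""
    at_post = (email_at(changes, p) for p in posts)
    confirmed = list(dict.fromkeys(e for e, s in at_post if s == "valid"))
    return confirmed + [e for e in all_emails(changes) if e not in confirmed]
```
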