Not a bug Email bans can be bypassed with sub-addressing and dots

DeltaHF

DeltaHF

Well-known member
Affected version
v2.2.3 Patch 1
It is trivial to bypass XenForo email bans using sub-addressing (also known as "plus addressing") or, for some email providers such as Gmail, by inserting . dots between the local-part characters of the address.

To reproduce:
  1. Ban example@gmail.com.
  2. Attempt to register a new account with example+alias@gmail.com. The request should be blocked but it will be successful and the registration confirmation email will be delivered to example@gmail.com.
  3. Attempt to register a new account with ex.ample@gmail.com. The request should be blocked but it will again be successful with the registration confirmation email delivered to example@gmail.com.
This allows spammers and abusive users to quickly create multiple accounts with a theoretically unlimited number of unique email addresses.

Although the + or . characters could simply be banned, they are widely used for legitimate reasons.

From Wikipedia:

Subaddressing​

Some mail services support a tag included in the local-part, such that the address is an alias to a prefix of the local part. For example, the address joeuser+tag@example.com denotes the same delivery address as joeuser@example.com. RFC 5233,[13] refers to this convention as sub-addressing, but it is also known as plus addressing, tagged addressing or mail extensions.

Addresses of this form, using various separators between the base name and the tag, are supported by several email services, including Andrew Project (plus),[14] Runbox (plus), Gmail (plus),[15] Rackspace (plus), Yahoo! Mail Plus (hyphen),[16] Apple's iCloud (plus), Outlook.com (plus),[17] ProtonMail (plus),[18] Fastmail (plus and Subdomain Addressing),[19] postale.io (plus),[20] Pobox (plus),[21] MeMail (plus),[22] MMDF (equals), Qmail and Courier Mail Server (hyphen).[23][24] Postfix and Exim allow configuring an arbitrary separator from the legal character set.[25][26]

The text of the tag may be used to apply filtering, or to create single-use, or disposable email addresses.
Click to expand...

Bypassing XenForo's email ban could be prevented by stripping . characters and dropping any +aliases from the local-part of email addresses before comparing them against the forum's banned email list. This would allow legitimate users to continue using dots and plus-addressing aliases in their email addresses while preventing malicious users from abusing these email features.
 
Periods not being relevant is a GMail-only thing.

Sub-addressing can be done with any character, depending on the server's setting. + addressing is the default, but others use - addressing, + or -, or other characters. I use underscores on my server, for example.

While this is certainly a desirable feature, it is ultimately going to be ESP specific and thus will need to be its own maintained project.
 
I think this is worth doing but strictly speaking it's not a bug.

There is now a suggestion opened by @digitalpoint where this will be tracked for inclusion in the future:

xenforo.com

Normalize emails for uniqueness

Spammers leverage Gmail (and other email providers) ability to create multiple accounts using the same Gmail account, but each account has a "unique" email address by leveraging dots (".") and pluses ("+") in the email address. For example, these all go to the same Gmail account inbox...
xenforo.com xenforo.com
 
Back
Top Bottom