Partial email address should not be allowed as username

Kirby (Well-known member)

Affected version: 2.3.2
Users sometimes mess up the registration form by pasting their email address as username and successfully submitting the form.

As the username is (by default) limited to 25 characters, the pasted email address is truncated and the username might end up as something like firstname.lastname@gmail. which is not considered a valid email address and thus not blocked.

Users usually do not want their email address to be public so this causes somewhat unnecessary support workload to change their username.

Suggested Mitigation
Disallow usernames that are identical with the beginning of the email address.
 
> This should already be the case, but it doesn't seem to work effectively.
Nope.

XenForo blocks usernames that are considered valid email addresses, e.g. name.lastname@gmail.com would be blocked as username, but very-loooooong-local-part would not be blocked if the email address is very-loooooong-local-part@gmail.com for example.

XenForo currently also does not block firstname.lastname@gmail as flag allow_local is not set when checking if the username might be a valid email address.
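An added example (not XenForo's code; the regexes, constant and function names are my own) showing the two gaps Kirby describes above: a pasted address silently truncated to the default 25-character limit no longer matches a strict email pattern, and a username equal to the local part is never compared against the address on the same form. The second check closes both cases.

```python
import re
from typing import Optional

# Default username length limit mentioned in the report (constant name is hypothetical).
USERNAME_MAX_LENGTH = 25

# Requires a dotted domain, so a truncated address such as
# "firstname.lastname@gmail." is NOT recognised as an email address.
STRICT_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s.]+$")

# Accepts a domain without any dot (or nothing at all after "@"), which is the
# behaviour the thread attributes to the allow_local flag; this DOES catch the
# truncated paste.
LENIENT_EMAIL = re.compile(r"^[^@\s]+@[^@\s]*$")


def truncate_to_limit(value: str, limit: int = USERNAME_MAX_LENGTH) -> str:
    """Simulate the registration form silently cutting a pasted value to the limit."""
    return value[:limit]


def local_part(email: str) -> str:
    """Everything before the last '@', lower-cased, e.g. 'a.b' for 'A.B@example.com'."""
    return email.rsplit("@", 1)[0].strip().lower()


def check_username(username: str, email: str) -> Optional[str]:
    """Return a rejection reason, or None if the username is acceptable.

    Rejects a username that is shaped like an email address even when the domain
    is incomplete (the truncation case), and a username that equals the local
    part of the address supplied on the same form (the "very-loooooong-local-part"
    case from the thread).
    """
    candidate = username.strip().lower()
    if LENIENT_EMAIL.match(candidate):
        return "looks like an email address"
    if candidate == local_part(email):
        return "matches the local part of the email address"
    return None


if __name__ == "__main__":
    # Constructed sample input mirroring the report's example.
    pasted = "firstname.lastname@gmail.com"
    stored = truncate_to_limit(pasted)  # "firstname.lastname@gmail." (exactly 25 chars)
    print("strict regex recognises truncated paste:", bool(STRICT_EMAIL.match(stored)))
    print("lenient check:", check_username(stored, pasted))
    print("local part reuse:", check_username("very-loooooong-local-part",
                                              "very-loooooong-local-part@gmail.com"))
    print("unrelated name:", check_username("Dragonfruit", "someone@example.com"))
```

The report's literal suggestion (reject a username identical to the beginning of the address) would be `email.lower().startswith(candidate)`; that also rejects very short usernames such as "a" for alice@example.com, so the example requires the whole local part instead.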
 
> Nope.
>
> XenForo blocks usernames that are considered valid email addresses, e.g. name.lastname@gmail.com would be blocked as username, but very-loooooong-local-part would not be blocked if the email address is very-loooooong-local-part@gmail.com for example.
>
> XenForo currently also does not block firstname.lastname@gmail as flag allow_local is not set when checking if the username might be a valid email address.
We have a lot of issues with people using the prefix of their email address, everything before @ as a member name. It would be better (IMHO) if no part of the email address was allowed in the member name field. I just feel like that is a concern since people tend to use common email providers, it doesn't take much effort to generate a list from scraping and then matching them to common email domains. (Could be turned into an attack vector or spam lists) Just a thought on the edge here...
 
In the meantime, we can accomplish a great deal of work with these settings.

[Attached screenshot: 1724145815860.webp]

What would be the regex to use to exclude an email from a username?
 
There are plenty of legitimate users who have the email prefix as their username. I would not disallow it unless there is a major issue.
It's not about them being illegitimate, it's about the data scrapers scooping up the user names and tying them to commonly used email services.
 
> It's not about them being illegitimate, it's about the data scrapers scooping up the user names and tying them to commonly used email services.

That's on the users, they make that decision. It's not on every website's job to ensure they're using a unique ID from their email address. We do the same with just blocking @ from usernames, because when users try to input their emails there and it fails, that's their cue to change it. If they decide to just remove @domain.com, and continue with it, that's their decision. That's their freedom of choice.
 
> That's on the users, they make that decision. It's not on every website's job to ensure they're using a unique ID from their email address. We do the same with just blocking @ from usernames, because when users try to input their emails there and it fails, that's their cue to change it. If they decide to just remove @domain.com, and continue with it, that's their decision. That's their freedom of choice.
No, just the better sites have improved controls in place to prevent unnecessary leakage. :)
 
> No, just the better sites have improved controls in place to prevent unnecessary leakage. :)

Or you're just asserting unnecessary control. I go by a very specific username for my personal online profile. And I do have it as an email as username@gmail.com

If you choose to not allow me to register as that username because I'm also using it as an email address, then I'm not registering on your forum. Because it's my choice to have that username, and have that email address.

It's on the user's due diligence to be online safe, it's also why that same email address is just for specific online accounts, not for online banking, shopping, anything that really have financial uses.

And I'll argue, the better improved security for your site is you stop the data scrapers, not block the users from using the usernames they want.
 
> Or you're just asserting unnecessary control. I go by a very specific username for my personal online profile. And I do have it as an email as username@gmail.com
>
> If you choose to not allow me to register as that username because I'm also using it as an email address, then I'm not registering on your forum. Because it's my choice to have that username, and have that email address.
>
> It's on the user's due diligence to be online safe, it's also why that same email address is just for specific online accounts, not for online banking, shopping, anything that really have financial uses.
No, it's a very necessary control. Once people understand the rule and why it's there, they are appreciative. Everyone has their own due diligence and that doesn't fall on the user alone. We don't assume what they may or may not use that account for, so the risk appetite is set accordingly.

> And I'll argue, the better improved security for your site is you stop the data scrapers, not block the users from using the usernames they want.
We do have controls in place for this as well, but it's impossible to block 100% of the attempts.
 
> No, it's a very necessary control. Once people understand the rule and why it's there, they are appreciative. Everyone has their own due diligence and that doesn't fall on the user alone. We don't assume what they may or may not use that account for, so the risk appetite is set accordingly.
>
> We do have controls in place for this as well, but it's impossible to block 100% of the attempts.

This is something impossible to police.

Like how I'm using 'Dragonfruit' here.

Oh look, a dragonfruit@gmail.com exists - but it's not my email address, that means the fact that I'm using "Dragonfruit" as username is causing data leakage to someone else.

[Attached screenshot: Screen Shot 01-11-25 at 06.32 PM.webp]

Are you going to develop a username to email validation addon so it checks every username on registration to see if they exist with major email services before you allow them?

This is such a slippery slope, I'll choose to stay away from. If it works for you, keep at it. I'd rather let people keep their identity & individuality.
 
> We have a lot of issues with people using the prefix of their email address, everything before @ as a member name. It would be better (IMHO) if no part of the email address was allowed in the member name field. I just feel like that is a concern since people tend to use common email providers, it doesn't take much effort to generate a list from scraping and then matching them to common email domains. (Could be turned into an attack vector or spam lists) Just a thought on the edge here...

Meh - I think you're inventing problems where there are none.

Scrapers gonna scrape. A large percentage of people on some of my sites use their real names, and firstname.lastname@gmail.com is a pretty obvious choice for scrapers. I have one of those email addresses myself and almost never see any spam (unless I check the spam folder), so 🤷‍♂️

It doesn't matter what username you choose - someone will scrape it and try it against common email domains. Stopping users from registering usernames that match their email addresses is short-sighted and counter-productive. You're only hurting yourself for no tangible benefit to anyone.
 
> Are you going to develop a username to email validation addon so it checks every username on registration to see if they exist with major email services before you allow them?
>
> This is such a slippery slope, I'll choose to stay away from. If it works for you, keep at it. I'd rather let people keep their identity & individuality.
We have a moderation team that validates accounts manually before being allowed in. If the account makes it past the automated checks, the mod team makes a final check and then approves the account. If an account comes up with email data in the member name field, it's rejected and a notification is sent as to why. 9 out of 10 times, they register again correctly. It's completely possible that someone's member name could match some random email address out there, but the focus is on what we hold in our possession.

It's not a slippery slope for us, it's what we have been doing for years.
 