Fixed Stop Forum Spam: Use HTTPS and "emailhash" for better privacy

Steffen

Steffen

Well-known member
Affected version
2.0.0 Beta 8
I have two suggestions to improve the Stop Forum Spam integration of XenForo. :)

1. This is the easy one: Stop Forum Spam supports HTTPS. Please update the class "XF\Spam\Checker\StopForumSpam" such that it uses HTTPS instead of HTTP (two spots). This should not cause any problems, SFS has been supporting HTTPS since at least November 2014.

2. In general I trust Stop Forum Spam. But giving the email address of a user to a third-party service is nevertheless a questionable practise and may violate privacy laws in some countries unless you explicitly ask the user for consent. Therefore, instead of sending the plain email address to Stop Forum Spam you can also send a hash of the email address instead (search for "emailhash" on https://www.stopforumspam.com/usage). As the page says, this may result in worse detection rates but this is a trade-off that at least we are willing to make. So if you don't want to do this by default I think an AdminCP option would be appropriate. What do you think?

The following post describes how to normalize an email address before calculating its hash: https://www.stopforumspam.com/forum/viewtopic.php?pid=41504#p41504 (lowercase, remove address extensions, and for some domains remove dots in the local part)
 
Last edited:
Steffen said:
1. This is the easy one: Stop Forum Spam supports HTTPS. Please update the class "XF\Spam\Checker\StopForumSpam" such that it uses HTTPS instead of HTTP (two spots). This should not cause any problems, SFS has been supporting HTTPS since at least November 2014.
Click to expand...
Done! Would certainly help if they updated their documentation code examples to reflect that (though I appreciate it mentions https support later).

Steffen said:
2. In general I trust Stop Forum Spam. But giving the email address of a user to a third-party service is nevertheless a questionable practise and may violate privacy laws in some countries unless you explicitly ask the user for consent. Therefore, instead of sending the plain email address to Stop Forum Spam you can also send a hash of the email address instead (search for "emailhash" on https://www.stopforumspam.com/usage). As the page says, this may result in worse detection rates but this is a trade-off that at least we are willing to make. So if you don't want to do this by default I think an AdminCP option would be appropriate. What do you think?
Click to expand...
I was less sure about this one because of it bypassing things like the blacklisting check, but have instead added an option to control it as you suggested. It's off by default, but you can toggle it on and the email will be normalised and then hashed and sent as the emailhash param.
 

Similar threads

T
Fixed stop forum spam email hashing doesn't seem to work
Replies
6
Views
1K
XF Bug Bot
XF Bug Bot
malachiel
  • Question Question
XF 1.5 Which is the .htaccess rules for use https and remove www?
Replies
2
Views
691
malachiel
malachiel
Shawn Gossman
  • Question Question
XF 1.5 Stop Forum Spam and Usernames
Replies
8
Views
2K
dougdirac
dougdirac
Back
Top Bottom