Site emails / SPAM

#78760 (In Topic #16090)

I've just had a member of my site spam most of my members using the "E-mail member" option.

While investigating this, I have noticed a few things about how ocportal handles email which I think are either problematic or could be improved.

1) There does not appear to be any option to limit the number of emails a given member can send in a given period. This could be used to not only stop the spam, but to quickly identify the spammer (via an alert email) so they can be dealt with.

2) All emails sent from the site come from the one email address defined in "Website e-mail address". This can, and has, caused confusion as the "from" address that members see when receiving a personal email is from that "Website e-mail address" field, but when they reply to the email they get the sending members address.

I know that the email "from" probably has to be from my domain because of anti-spoofing protection/protocols/standards, but it should be another configurable email address and not the general site one. My general site email is staff@mysite.com, and I really don't want member personal emails to come from staff@mysite.com, but rather something else like no-reply@mysite.com or member@mysite.com etc.

Any thoughts?

Anyone else have problem with personal email spamming?

Do you have a Samsung Galaxy S / Galaxy S II ? If so, why not check out my ScreenFree FM Radio .
#78761

I know that the email "from" probably has to be from my domain because of anti-spoofing protection/protocols/standards, but it should be another configurable email address and not the general site one.

It is ;).

Re '1' I think the contactmember module is pointless, we're planning to drop it. I suggest you deny access. I think we only implemented it because other forums had one, lol.


Become a fan of ocPortal on Facebook or add me as a friend. Add me on Twitter.
Was I helpful?
  • If not, please let us know how we can do better (please try and propose any bigger ideas in such a way that they are fundable and scalable).
  • If so, please let others know about ocPortal whenever you see the opportunity.
  • If my reply is too Vulcan or expressed too much in business-strategy terms, and not particularly personal, I apologise. As a company & project maintainer, time is very limited to me, so usually when I write a reply I try and make it generic advice to all readers. I'm also naturally a joined-up thinker, so I always express my thoughts in combined business and technical terms. I recognise not everyone likes that, don't let my Vulcan-thinking stop you enjoying ocPortal on fun personal projects.
  • If my response can inspire a community tutorial, that's a great way of giving back to the project as a user.
#78767

Chris Graham said

It is ;).
Great!, but where can I find it?
Re '1' I think the contactmember module is pointless, we're planning to drop it.
I don't think it's pointless at all. My members have used it (the way it was intended that is).

email contact between members is still very useful.

#78771

Chris Graham said

Re '1' I think the contactmember module is pointless, we're planning to drop it.
My 2 worth:
  • Agree with temp. Has proved very useful to my members who wish to contact 'long-lost-friends', etc., but who don't have any obvious contact details. An email sent via the site is usually the last resort, and strangely enough, the most successful. I've suffered from the same problem that temp reported, and I eventually banned Nigeria in toto when I found my warning messages were being ignored. But it was not much of an irritation as the idiot that wished to continue to abuse my site needed to register as a member each time, and I eventually managed to get ahead of him by deleting his membership before he could start sending his mails!

  • Please reconsider 'dropping' it.

 :thumbs:

Take my advice. I'm not using it!

View my working ocPortal site (version 9.x.x) at Anglo-Indian Portal
#78773

@temp the option is somewhere obvious in the configuration, rushing out the door so no time to find exact naming I'm afraid

Regarding contactmember, if it's popular it'll stay, but why not just do a PT?


#78775

Chris Graham said

… but why not just do a PT?
Ah, classic case of regular User/Admin syndrome!

There are often gaps of MONTHS between visits for some of my members. More importantly, they are simply not au fait with on-line communications of any description, and suggesting a PT to them would be interpreted as suggesting they look for a Part-Time job; not something they want to do at their age!

 :thumbs:

#78776

Chris Graham said

but why not just do a PT?

Yes, I agree–Why not use PT?

That's what I say to my members and it seems to work. However, by disabling the email option, am I not also disabling Newsletters from staff, judging from this comment on the profile option field:
" Allow other members to e-mail this account and opt-in to mass mailings (like newsletters) the staff may send." Shouldn't the two be separate options?

I've been meaning to ask about this for a long time now and thanks to Temp for the reminder ;) .
#78779

"" Allow other members to e-mail this account and opt-in to mass mailings (like newsletters) the staff may send." Shouldn't the two be separate options?""

in v8 done


#78780

Chris Graham said

"" Allow other members to e-mail this account and opt-in to mass mailings (like newsletters) the staff may send." Shouldn't the two be separate options?""

in v8 done
:thumbs:  :)
#78784

Fletch said

… I've suffered from the same problem that temp reported, and I eventually banned Nigeria in toto when I found my warning messages were being ignored. But it was not much of an irritation as the idiot that wished to continue to abuse my site needed to register as a member each time, and I eventually managed to get ahead of him by deleting his membership before he could start sending his mails!
That's why the spammer database lookup in the feature tracker would be nice.
0000290: Spammer database - ocPortal feature tracker

I don't currently validate new members and it would be nice to know that email addresses and IP addresses were checked at registration.

I know that you have expressed some concern about using blacklist due to virtually all of Portugal having been blacklisted at one time or another but I have had several visitors from Portugal over the past couple of weeks and they are always clean. France, Germany and Sweden - now that's another story.

We need just 12 more credits to get this feature implemented.

Bob
#78785

I think the Email users feature should stay as well but I think some added security might be helpful.

Perhaps any or all of the following options:

1. Emails require admin approval before being sent.
2. Only Privileged Groups may send emails.
3. Limit the number of emails (message itself) and/or number of recipients one can send to in a period (day week month hour - I don't know).
4. Reply To addresses could require approval
5. Perhaps some sort of pre-sending spam filtering techniques?
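
One way to implement option 3 together with the alert e-mail suggested in the opening post, as an added example that is not ocPortal code and not part of any post: a per-member sliding-window limit on messages and on distinct recipients. The class name, the limits and the sample events are assumptions constructed for illustration.

```python
import time
from collections import defaultdict, deque


class MemberMailLimiter:
    """Sliding-window cap on member-to-member e-mail (hypothetical helper)."""

    def __init__(self, max_messages=5, max_recipients=3, window=3600, alert=None):
        self.max_messages = max_messages      # messages allowed per window
        self.max_recipients = max_recipients  # distinct recipients per window
        self.window = window                  # window length in seconds
        self.alert = alert or (lambda sender, reason: None)
        self._sent = defaultdict(deque)       # sender -> (timestamp, recipient)
        self._alerted = {}                    # sender -> time of last staff alert

    def check(self, sender, recipient, now=None):
        """Return (allowed, reason); the send is recorded only when allowed."""
        now = time.time() if now is None else now
        sent = self._sent[sender]
        while sent and sent[0][0] <= now - self.window:
            sent.popleft()                    # drop sends older than the window
        recipients = {r for _, r in sent}
        if len(sent) >= self.max_messages:
            reason = "message limit"
        elif recipient not in recipients and len(recipients) >= self.max_recipients:
            reason = "recipient limit"
        else:
            sent.append((now, recipient))
            return True, "ok"
        # Alert staff once per window per sender, so a blocked burst produces
        # one notification instead of a second flood of mail.
        last = self._alerted.get(sender)
        if last is None or last <= now - self.window:
            self._alerted[sender] = now
            self.alert(sender, reason)
        return False, reason


def replay(events, **limits):
    """Feed (timestamp, sender, recipient) events through a fresh limiter."""
    alerts = []
    limiter = MemberMailLimiter(alert=lambda s, r: alerts.append((s, r)), **limits)
    decisions = [limiter.check(s, r, now=ts)[0] for ts, s, r in events]
    return decisions, alerts


# Constructed sample: member 42 mails a different member every 10 seconds,
# while member 7 writes twice to the same friend.
SAMPLE = [(i * 10, 42, f"member{i}") for i in range(6)]
SAMPLE += [(5, 7, "alice"), (65, 7, "alice")]

if __name__ == "__main__":
    decisions, alerts = replay(SAMPLE)
    print(decisions)
    print(alerts)
```

The counters here live in memory; a site would keep them in its database so the limits survive restarts and apply across web processes.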
#78793

I'm torn on this one.

I like the immediacy of email on the one hand but a member is typically notified if they receive a PT so that sort of evens things out (although that is likely a configuration thing). If you do drop contactmember, you should always send the email for the PT so that the sense of immediacy is maintained.

I do believe that getting a spammer database in place would help significantly by preventing registration.

I am not in favor of emails requiring admin approval - that's just too much work, especially for active sites. The idea of trickling the number of emails per timeframe has merit, but I think that checking the 'reply-to' address against a spammer database would be even better (once this feature is put in place).

Bob
#78806

Chris Graham said

@temp the option is somewhere obvious in the configuration
Looks like in this case one person's obvious is another person's not so obvious. :(

Chris Graham said

rushing out the door so no time to find exact naming I'm afraid
No problem!

Chris Graham said

Regarding contactmember, if it's popular it'll stay
Here's hoping that it stays. Looks like I'm definitely not alone in seeing its usefulness.

Chris Graham said

but why not just do a PT?
Because email is a traditional, easy, and easy to comprehend method to reach out to someone.

Not everyone understands PT's or is comfortable in having their personal discussions accessible by site administrators/staff. They may even want to discuss the attitude/behaviour of staff privately.


#78807

Duck said

I think the Email users feature should stay as well but I think some added security might be helpful.

Perhaps any or all of the following options:

1. Emails require admin approval before being sent.
2. Only Privileged Groups may send emails.
3. Limit the number of emails (message itself) and/or number of recipients one can send to in a period (day week month hour - I don't know).
4. Reply To addresses could require approval
5. Perhaps some sort of pre-sending spam filtering techniques?

1 - I think that is overkill, and as BobS says, potentially way too much work.

2 - I thought about that also, but don't particularly like the idea of members having to prove themselves too much to get access to basic operations.

3 - Agree, and should be configurable.

4 - I like this (if optional of course) to prevent spoofing.

5 - BobS will love this one!

#78811

temp1024 said

5 - BobS will love this one!
I do like it as I think it provides the best trade-off for control without placing a burden on the site staff. And, of course, it dovetails nicely with the spammer database feature request which will also lighten the load for site admins.

Only 12 credits to get the spammer database implemented (that's just two sponsors for about US$53).

@Chris, can we get a quote to find out how much additional this would be.

Bob


#78823

Hmm…

I'd rather my members use PT communication versus email from site communication. If they want to remain in communication via e-mail they could exchange such information via the PT. That way they become responsible for the email they get, and not the site.

As it stands now, the site sends notifications of a PT. A PT (personal topic) is basically an in-site email, a personal and private form of communication between two or more individuals. Same thing with email. So why have both beats me. I think it is waste myself, and the PT is much more secure than email from site.

But I am also against (as always) the removal of options that anyone may find useful, even if I do not… So it sounds like v8 will satisfy this though by having the option to allow member email communication separate from newsletters and such, so that those of us who don't want our site sued for harm done via spamming emails can disable that feature.

But I do have to add a comment…

temp1024 said

or is comfortable in having their personal discussions accessible by site administrators/staff. They may even want to discuss the attitude/behaviour of staff privately.

If they distrust the site administrator so much then why be on that site? I for one am against admin peeking, and think that this is simply a trust issue. If you do not trust the site admin not to peek in on your private and personal communications (which no site admin should do unless invited to via the invite function or the report post function), then how do you trust the same admin with all your other personal info that is in your member account? If the lack of trust exists, you may want to look elsewhere for a site or look inward to see if such trusts are personal paranoia or if there's something real there.

Legends of Nor'Ova: A site powered by ocPortal; home of the Legends of Nor'Ova tabletop RPG wiki and community.

Like ocPortal? Want to thank Chris and gang somehow? Then help out in the chat room! It really needs your help! Just open it in a tab everytime you open your web browser, and when you hear a "ding", check it out!

"Those who want help should first be willing to give help."
#78839

mythus said

Hmm…I'd rather my members use PT communication versus email from site communication.
That's the thing though, the fact that comms is done via PT means that it may not be site related comms.

Just because members A & B first meet on my site does not mean that I should try and keep them communicating only via my site's PT. Providing them with an easy way of 'talking it outside' via email is, I think, beneficial.

As it stands now, the site sends notifications of a PT. A PT (personal topic) is basically an in-site email, a personal and private form of communication between two or more individuals. Same thing with email. So why have both beats me. I think it is waste myself
I could argue why use PT at all if you're getting the comms via email and then have to go to the site to reply.

(I'm just playing devil's advocate here, I like the way PT works)
But I am also against (as always) the removal of options that anyone may find useful, even if I do not
Agree, same here.

If they distrust the site administrator so much then why be on that site?
Well, in most cases the site admin will be a total stranger to them. So it's not so much that they don't trust the site admin, it's just a desire to keep this stranger out of a conversation that they were not invited into.
I for one am against admin peeking, and think that this is simply a trust issue.
Agree, a definite no-no.

If you do not trust the site admin not to peek in on your private and personal communications … how do you trust the same admin with all your other personal info that is in your member account?
That's why a lot of people have fake or minimal info in their profiles when they join sites. They just don't know who to trust or are concerned that the info may get out accidentally or if the site gets hacked.

…see if such trusts are personal paranoia or if there's something real there.
Sure some people are more paranoid/cautious than others, but then again we all know that the Internet can at times be a not-so-pleasant place.

#78840

I see it like this:

If someone can email you directly, it exposes your email address to them when you reply.

Keeping everything in Personal Topics retains the anonymity, and also gives users the option to give out their email address at their leisure.


#78841

Robbie Goacher said

If someone can email you directly, it exposes your email address to them when you reply.
True, and the instructions at the top of the form make it fairly clear that your email will be exposed.
Keeping everything in Personal Topics retains the anonymity, and also gives users the option to give out their email address at their leisure.
Very true, but some people prefer to make email contact initially. This could just be a general preference, it's the first thing that comes to mind, they don't know of PT, don't know how to use PT, or just don't want to use PT.

#78842

Good points.

I think it comes down to the fact that both members will have chosen to register on the website, and therefore all points of contact should remain on the website, unless both members explicitly choose to change that arrangement.

