Site emails / SPAM

I've just had a member of my site spam most of my members using the "E-mail member" option.

While investigating this, I have noticed a few things about how ocportal handles email which I think are either problematic or could be improved.

1) There does not appear to be any option to limit the number of emails a given member can send in a given period. This could be used to not only stop the spam, but to quickly identify the spammer (via an alert email) so they can be dealt with.

2) All emails sent from the site come from the one email address defined in "Website e-mail address". This can, and has, caused confusion as the "from" address that members see when receiving a personal email is from that "Website e-mail address" field, but when they reply to the email they get the sending members address.

I know that the email "from" probably has to be from my domain because of anti-spoofing protection/protocols/standards, but it should be another configurable email address and not the general site one. My general site email is staff@mysite.com, and I really don't want member personal emails to come from staff@mysite.com, but rather something else like no-reply@mysite.com or member@mysite.com etc.

Any thoughts?

Anyone else have problem with personal email spamming?

I know that the email "from" probably has to be from my domain because of anti-spoofing protection/protocols/standards, but it should be another configurable email address and not the general site one.

It is .

Re '1' I think the contactmember module is pointless, we're planning to drop it. I suggest you deny access. I think we only implemented it because other forums had one, lol.

Chris Graham said

It is .

Great!, but where can I find it?

Re '1' I think the contactmember module is pointless, we're planning to drop it.

I don't thinks its pointless at all. My members have used it (the way it was intended that is).

email contact between members is still very useful.

Chris Graham said

Re '1' I think the contactmember module is pointless, we're planning to drop it.

My 2¢ worth:

• Agree with temp. Has proved very useful to my members who wish to contact 'long-lost-friends', etc., but who don't have any obvious contact details. An email sent via the site is usually the last resort, and strangely enough, the most successful. I've suffered from the same problem that temp reported, and I eventually banned Nigeria in toto when I found my warning messages were being ignored. But it was not much of an irritation as the idiot that wished to continue to abuse my site needed to register as a member each time, and I eventually managed to get ahead of him by deleting his membership before he could start sending his mails!

• Please reconsider 'dropping' it.

 

@temp the option is somewhere obvious in the configuration, rushing out the door so no time to find exact naming I'm afraid

Regarding contactmember, if it's popular it'll stay, but why not just do a PT?

Chris Graham said

… but why not just do a PT?

Ah, classic case of regular User/Admin syndrome!

There are often gaps of MONTHS between visits for some of my members. More importantly, they are simply not au fait with on-line communications of any description, and suggesting a PT to them would be interpreted as suggesting they look for a Part-Time job; not something they want to do at their age!

 

Chris Graham said

but why not just do a PT?

Yes, I agree–Why not use PT?

That's what I say to my members and it seems to work. However, by disabling the email option, am I not also disabling Newsletters from staff, judging from this comment on the profile option field:
" Allow other members to e-mail this account and opt-in to mass mailings (like newsletters) the staff may send." Shouldn't the two be separate options?

I've been meaning to ask about this for a long time now and thanks to Temp for the reminder .

"" Allow other members to e-mail this account and opt-in to mass mailings (like newsletters) the staff may send." Shouldn't the two be separate options?""

in v8 done

Chris Graham said

"" Allow other members to e-mail this account and opt-in to mass mailings (like newsletters) the staff may send." Shouldn't the two be separate options?""

in v8 done

 

Fletch said

… I've suffered from the same problem that temp reported, and I eventually banned Nigeria in toto when I found my warning messages were being ignored. But it was not much of an irritation as the idiot that wished to continue to abuse my site needed to register as a member each time, and I eventually managed to get ahead of him by deleting his membership before he could start sending his mails!

That's why the spammer database lookup in the feature tracker would be nice.
0000290: Spammer database - ocPortal feature tracker

I don't currently validate new members and it would be nice to know that email addresses and IP addresses were checked at registration.

I know that you have expressed some concern about using blacklist due to virtually all of Portugal having been blacklisted at one time or another but I have had several visitors from Portugal over the past couple of weeks and they are always clean. France, Germany and Sweden - not that's another story.

We need just 12 more credits to get this feature implemented.

Bob

I think the Email users feature should stay as well but I think some added security might be helpful.

Perhaps any or all of the following options:

1. Emails require admin approval before being sent.
2. Only Privileged Groups may send emails.
3. Limit the number of emails (message itself) and/or number of recipients one can send to in a period (day week month hour - I don't know).
4. Reply To addresses could require approval
5. Perhaps some sort of pre-sending spam filtering techniques?

I'm torn on this one.

I like the immediacy of email on the one hand but a member is typically notified if they receive a PT so that sort of evens things out (although that is likely a configuration thing). If you do drop contactmember, you should always send the email for the PT so that the sense of immediacy is maintained.

I do believe that getting a spammer database in place would help significantly by preventing registration.

I am not in favor emails requiring admin approval - that's just too much work, especially for active sites. The idea of trickling the number of emails per timeframe has merit, but I think that checking the 'reply-to' address against a spammer database would be even better (once this feature is put in place).

Bob

Chris Graham said

@temp the option is somewhere obvious in the configuration

Looks like in this case one persons obvious is another persons not so obvious.

Chris Graham said

rushing out the door so no time to find exact naming I'm afraid

No problem!

Chris Graham said

Regarding contactmember, if it's popular it'll stay

Here's hoping that it stays. Looks like I'm definitely not alone in seeing its usefulness.

Chris Graham said

but why not just do a PT?

Because email is a traditional, easy, and easy to comprehend method to reach out to someone.

Not everyone understands PT's or is comfortable in having their personal discussions accessible by site administrators/staff. They may even want to discuss the attitude/behaviour of staff privately.

Duck said

I think the Email users feature should stay as well but I think some added security might be helpful.

Perhaps any or all of the following options:

1. Emails require admin approval before being sent.
2. Only Privileged Groups may send emails.
3. Limit the number of emails (message itself) and/or number of recipients one can send to in a period (day week month hour - I don't know).
4. Reply To addresses could require approval
5. Perhaps some sort of pre-sending spam filtering techniques?

1 - I think that is overkill, and as BobS says, potentially way too much work.

2 - I thought about that also, but don't particularly like the idea of members having to prove themselves too much to get access to basic operations.

3 - Agree, and should be configurable.

4 - I like this (if optional of course) to prevent spoofing.

5 - BobS will love this one!

temp1024 said

5 - BobS will love this one!

I do like it as I think it provides the best trade-off for control without placing a burden on the site staff. And, of course, it dovetails nicely with the spammer database feature request which will also lighten the load for site admins.

Only 12 credits to get the spammer database implemented (that's just two sponsors for about US$53).

@Chris, can we get a quote to find out how much additional this would be.

Bob

Hmm…

I'd rather my members use PT communication versus email from site communication. If they want to remain in communication via e-mail they could exchange such information via the PT. That way they become repsonsible for the email they ge, and not the site.

As it stands now, the site sends notifications of a PT. A PT (personal topic) is basically an in-site email, a personal and private form of communication between two or more individuals. Same thing with email. So why have both beats me. I think it is waste myself, and the PT is much more secure than email from site.

But I am also against (as always) the removal of options that anyone may fin useful, even if I do not… So it sounds like v8 will satisfy thisthough by having the option to allow member email communication seperate from newsletters and such, so that those of us who don't want our site sued for harm done via spamming emails can disable that feature.

But I do have to add a comment…

temp1024 said

or is comfortable in having their personal discussions accessible by site administrators/staff. They may even want to discuss the attitude/behaviour of staff privately.

If they distrust the site administrator so much then why be on that site? I for one am against admin peeking, and think that this is simply a trust issue. If you do not trust the site admin not to peak in on your private and personal communications (which no site admin should do unless invited to via the invite function or the report post function), then how do you trust the same admin with all your other personal info that is in your member account? If the lack of trust exists, you may want to look elsewhere for a site or look inward to see if such trusts are personal paranoia or if there's something real there.

mythus said

Hmm…I'd rather my members use PT communication versus email from site communication.

That's the thing though, the fact that's comms is done via PT means that it may not be site related comms.

Just because members A & B first meet on my site does not mean that I should try and keep them communicating only via my site's PT. Providing them with an easy way of 'talking it outside' via email is I think is beneficial.

As it stands now, the site sends notifications of a PT. A PT (personal topic) is basically an in-site email, a personal and private form of communication between two or more individuals. Same thing with email. So why have both beats me. I think it is waste myself

I could argue why use PT at all if you're getting the comms via email and then have to go to the site to reply.

(I'm just playing devils advocate here, I like the way PT works)

But I am also against (as always) the removal of options that anyone may fin useful, even if I do not

Agree, same here.

If they distrust the site administrator so much then why be on that site?

Well, in most cases the site admin will be a total stranger to them. So its not so much that they don't trust the site admin, its just a desire to keep this stranger out of a conversation that they were not invited into.

I for one am against admin peeking, and think that this is simply a trust issue.

Agree, a definite no-no.

If you do not trust the site admin not to peak in on your private and personal communications … how do you trust the same admin with all your other personal info that is in your member account?

That's why a lot of people have fake or minimal info in their profiles when they join sites. They just don't know who to trust or are concerned that the info may get out accidentally or if the site gets hacked.

…see if such trusts are personal paranoia or if there's something real there.

Sure some people are more paranoid/cautious then others, but then again we all know that the Internet can at times be a no-so-pleasant place.

I see it like this:

If someone can email you directly, it exposes your email address to them when you reply.

Keeping everything in Personal Topics retains the anonymity, and also gives users the option to give out their email address at their leisure.

Robbie Goacher said

If someone can email you directly, it exposes your email address to them when you reply.

True, and the instructions at the top of the form make it fairly clear that your email will be exposed.

Keeping everything in Personal Topics retains the anonymity, and also gives users the option to give out their email address at their leisure.

Very true, but some people prefer to make email contact initially. This could just be a general preference, its the first thing that comes to mind, they don't know of PT, don't know how to use PT, or just don't want to use PT.

Good points.

I think it comes down to the fact that both members will have chosen to register on the website, and therefore all points of contact should remain on the website, unless both members explicitly choose to change that arrangement.