Reply to thread

Message

It is trivial to bypass XenForo email bans using sub-addressing (also known as "plus addressing") or, for some email providers such as Gmail, by inserting . dots between the local-part characters of the address.

To reproduce:
Ban example@gmail.com.
Attempt to register a new account with example+alias@gmail.com. The request should be blocked but it will be successful and the registration confirmation email will be delivered to example@gmail.com.
Attempt to register a new account with ex.ample@gmail.com. The request should be blocked but it will again be successful with the registration confirmation email delivered to example@gmail.com.
This allows spammers and abusive users to quickly create multiple accounts with a theoretically unlimited number of unique email addresses.

Although the + or . characters could simply be banned, they are widely used for legitimate reasons.

From Wikipedia:

Bypassing XenForo's email ban could be prevented by stripping . characters and dropping any +aliases from the local-part of email addresses before comparing them against the forum's banned email list. This would allow legitimate users to continue using dots and plus-addressing aliases in their email addresses while preventing malicious users from abusing these email features.

<blockquote data-quote="DeltaHF" data-source="post: 1504119" data-attributes="member: 9641">It is trivial to bypass XenForo email bans using sub-addressing (also known as &quot;plus addressing&quot;) or, for some email providers such as Gmail, by inserting <code class="bbCodeInline">.</code> dots between the local-part characters of the address.To reproduce:<ol>
<li data-xf-list-type="ol">Ban <code class="bbCodeInline">example@gmail.com</code>.</li>
<li data-xf-list-type="ol">Attempt to register a new account with <code class="bbCodeInline">example+alias@gmail.com</code>. The request should be blocked but it will be successful and the registration confirmation email will be delivered to <code class="bbCodeInline">example@gmail.com</code>.</li>
<li data-xf-list-type="ol">Attempt to register a new account with <code class="bbCodeInline">ex.ample@gmail.com</code>. The request should be blocked but it will again be successful with the registration confirmation email delivered to <code class="bbCodeInline">example@gmail.com</code>.</li>
</ol>This allows spammers and abusive users to quickly create multiple accounts with a theoretically unlimited number of unique email addresses.Although the <code class="bbCodeInline">+</code>&nbsp; or <code class="bbCodeInline">.</code> characters could simply be banned, they are widely used for legitimate reasons.From <a href="https://en.wikipedia.org/wiki/Email_address#Subaddressing" target="_blank">Wikipedia</a>:Bypassing XenForo&#039;s email ban could be prevented by stripping <code class="bbCodeInline">.</code> characters and dropping any <code class="bbCodeInline">+aliases</code> from the local-part of email addresses before comparing them against the forum&#039;s banned email list. This would allow legitimate users to continue using dots and plus-addressing aliases in their email addresses while preventing malicious users from abusing these email features.</blockquote>

[QUOTE="DeltaHF, post: 1504119, member: 9641"] It is trivial to bypass XenForo email bans using sub-addressing (also known as "plus addressing") or, for some email providers such as Gmail, by inserting [ICODE].[/ICODE] dots between the local-part characters of the address. To reproduce: [LIST=1] [*]Ban [ICODE]example@gmail.com[/ICODE]. [*]Attempt to register a new account with [ICODE]example+alias@gmail.com[/ICODE]. The request [I]should[/I] be blocked but it will be successful and the registration confirmation email will be delivered to [ICODE]example@gmail.com[/ICODE]. [*]Attempt to register a new account with [ICODE]ex.ample@gmail.com[/ICODE]. The request [I]should[/I] be blocked but it will again be successful with the registration confirmation email delivered to [ICODE]example@gmail.com[/ICODE]. [/LIST] This allows spammers and abusive users to quickly create multiple accounts with a theoretically unlimited number of unique email addresses. Although the [ICODE]+[/ICODE] or [ICODE].[/ICODE] characters could simply be banned, they are widely used for legitimate reasons. From [URL='https://en.wikipedia.org/wiki/Email_address#Subaddressing']Wikipedia[/URL]: Bypassing XenForo's email ban could be prevented by stripping [ICODE].[/ICODE] characters and dropping any [ICODE]+aliases[/ICODE] from the local-part of email addresses before comparing them against the forum's banned email list. This would allow legitimate users to continue using dots and plus-addressing aliases in their email addresses while preventing malicious users from abusing these email features. [/QUOTE]

Verification

Reply to thread

We value your privacy