Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 1.5
    • Fix Version/s: None
    • Component/s: Enrolments
    • Labels: None
    • Environment: All
    • Affected Branches: MOODLE_15_STABLE
    • Rank: 8447

      Description

      A Moodle site that accepts enrolments with mail confirmation is open to being used as a spam relay.

      The procedure is this:

      Make a script that creates accounts. There is no Turing-like test in signing up to verify it is a human doing it, so 1000 signups could be done in a couple of minutes.

      One does not have to have control over a domain to send the confirmation emails to; there are plenty of services out there that provide temporary email addresses. A catch-all address works too, but its own domain works best.

      Next, each account is verified; if you have your own domain you could automate this with procmail and wget easily.

      Then the account is subscribed to a forum where the evil spammer can post his messages. No Turing here, so again simply automatable. (You will need some trickery with cookies, but you can do it in one go with the account confirmation.)

      The next step is to change the email address of the account into that of the victim. Moodle will allow this without reconfirming the email address.

      The last step is the spammer posting its evil sales pitches on the forum, complete with hyperlinks, HTML and spyware-infested 'movie' named after a naked celebrity or what have you.

      In other words: Moodle needs a Turing test (you know, one of those pictures containing random letters and lines) at the subscription point.

      It also needs to reconfirm a new email address when it is changed.
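
The reconfirmation requested above, sketched as an added example (not code from this issue or from Moodle): a changed address stays pending, and forum mail keeps going to the last confirmed address until a token mailed to the new address is presented. The `Account` fields, function names, key handling and one-hour lifetime are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)   # per-site secret, generated here for the demo
TOKEN_TTL = 3600                       # assumed lifetime of a confirmation link, seconds


@dataclass
class Account:                         # hypothetical record, not Moodle's user table
    user_id: int
    email: str                         # last address proven by a confirmation mail
    pending_email: Optional[str] = None
    pending_expiry: int = 0


def _token(acct, new_email, expiry):
    # Bind the token to the account, the exact new address and the expiry time.
    msg = f"{acct.user_id}|{new_email.lower()}|{expiry}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def request_email_change(acct, new_email, now=None):
    """Record the change as pending; return the token to mail to new_email."""
    now = int(time.time()) if now is None else now
    acct.pending_email = new_email
    acct.pending_expiry = now + TOKEN_TTL
    return _token(acct, new_email, acct.pending_expiry)


def confirm_email_change(acct, token, now=None):
    """Activate the pending address only if the token from its inbox matches."""
    now = int(time.time()) if now is None else now
    if acct.pending_email is None or now > acct.pending_expiry:
        return False
    expected = _token(acct, acct.pending_email, acct.pending_expiry)
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return False
    acct.email, acct.pending_email = acct.pending_email, None
    return True


def forum_recipient(acct):
    """Forum mail goes only to the confirmed address, never the pending one."""
    return acct.email
```

Because the token is only ever delivered to the new mailbox, an account holder who cannot read that mailbox cannot redirect forum mail to it.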

          Activity

          Martin Dougiamas added a comment - See MDL-13811
          Helen Foster added a comment - Advice on reducing the risk of spam in Moodle available here: http://docs.moodle.org/en/Reducing_spam_in_Moodle

            People

            • Votes: 0
            • Watchers: 2