Julian Fleischer wrote:
On Friday, 20 October 2006 19:25, Sherool wrote:
At least one vandal seems to have specialised in spamming people with password reminders (he must have a bot), and a growing number of people have been complaining about it.
Wouldn't the whole problem be avoided if the user had to fill in his e-mail address (which he hopefully hasn't forgotten...) when asking for the password reminder email?
greetz
--
Public Key at
http://keys.warhog.net/mediazilla_warhog_net.asc
Does that really avoid the problem? Let's use you as an example. And for the sake of this hypothetical example, let's suppose I want to spam you with hundreds of password reminders.
From your warhog.net domain name, I'll guess your username is [[:en:User:Warhog]]. So I go to that page and it says you're originally from the German Wikipedia. So now I view the whois record for your domain at http://whois.domaintools.com/warhog.net , and sure enough it's in Germany, and the domain owner name matches the name you used in your email, so we can be fairly sure we've got the right Wikipedia username for our password reset form. Now we just need your email address.
So then we look at http://keys.warhog.net/ and we can get an idea of the email addresses you're using from the filenames. However we don't see anything with "wikipedia" on it, so we can try resetting your password using all the entries on that list, plus also wikipedia _at_ the-various-domain-names-you-use-for-email.
Presumably the password reset form tells the user when the email address doesn't match (for legitimate users who have multiple email addresses and really do need their passwords reset), so we try the above addresses until we get a successful match.
Now, maybe you're using an entirely different address for your Wikipedia account which cannot be predicted using the above approach. But most people won't be - they either use the same address, or one of a collection of addresses, or they use a predictable format to their email addresses. And once the spammer has that address, then they can spam you with password resets (at least until you change it). And now because they know that people are likely to change their email addresses to stop the spamming, rather than being a chronic pest by sending 100 password resets every couple of days, now they'll probably do a once-only spam-run with thousands of password resets before you can change your email address.
I'm just not sure having to enter an email address solves the problem. It would slow it down some, but it also forces the spammers who want to continue to become more like stalkers, which isn't good! ;-)
Anyway, it's probably moot, because it looks like this is fixed now with r17147 (http://mail.wikipedia.org/pipermail/mediawiki-cvs/2006-October/018107.html ).
All the best,
Nick.
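As an added example (not MediaWiki's code from r17147 and not from either poster), a minimal password-reminder handler showing the two defensive properties the thread circles around: the form answers identically whether or not the supplied address matches, so it cannot be used to confirm guessed addresses, and one account can trigger only a capped number of reminder mails per window, so a bot cannot flood the account holder. Account names, addresses and the clock are constructed for the demonstration.

```python
import hmac
import time
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    email: str
    sent_at: list = field(default_factory=list)  # times a reminder mail went out


class ReminderService:
    """Password-reminder endpoint with a uniform response and a per-account send cap."""

    def __init__(self, accounts, max_per_window=1, window_s=24 * 3600, clock=time.time):
        self.accounts = {a.name: a for a in accounts}
        self.max_per_window = max_per_window  # reminders one account may trigger per window
        self.window_s = window_s
        self.clock = clock                    # injectable so the window can be exercised offline
        self.outbox = []                      # (username, address) of mails actually sent

    def request_reminder(self, username, email):
        """Same reply whether the account or address exists; only the side effect differs."""
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is not None:
            # Constant-time compare so response timing does not hint at a near-miss either.
            match = hmac.compare_digest(acct.email.strip().lower().encode(),
                                        email.strip().lower().encode())
            # Drop send records that have aged out of the window, then apply the cap.
            acct.sent_at = [t for t in acct.sent_at if now - t < self.window_s]
            if match and len(acct.sent_at) < self.max_per_window:
                acct.sent_at.append(now)
                self.outbox.append((username, acct.email))
        return "If the details match an account, a reminder has been sent to its e-mail address."


if __name__ == "__main__":
    svc = ReminderService([Account("Warhog", "warhog@example.org")])  # constructed sample
    print(svc.request_reminder("Warhog", "guess@example.org"))       # same text, no mail
    print(svc.request_reminder("Warhog", "warhog@example.org"))      # same text, mail sent
    print(svc.request_reminder("Warhog", "warhog@example.org"))      # same text, throttled
    print("mails sent:", len(svc.outbox))
```

A per-IP limit on requests would sit in front of this as a separate layer; the cap here is deliberately per account so the victim's inbox is protected no matter how many sources the requests come from.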