This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Verify email after solving CAPTCHA #14764

Open
charlespick opened this issue Jan 2, 2023 · 3 comments
Labels
A-Email-Push Email notifications O-Occasional Affects or can be seen by some users regularly or most users rarely S-Major Major functionality / product severely impaired, no satisfactory workaround. T-Defect Bugs, crashes, hangs, security vulnerabilities, or other reported issues.

Comments

@charlespick

Description:
When a new user registers through a client like Element with 3pid email and reCAPTCHA turned on, the email verification gets sent immediately, before the user (or bot) has solved the captcha. This opens up the email infrastructure backing the Synapse instance to abuse. Lots of SMTP relays have monthly limits as well as monitoring of bounced emails and complaints. If you run your own mail system, then you can get your IP blocked or a nasty email from your ISP. There is no reason to send the verification email before verifying that the user is a human, and presenting both of these tasks to the user at the same time is a sloppy user experience too.

@coolsantino

Can confirm, mail sent before registration complete.

@ankit-pn

ankit-pn commented Jan 2, 2023

I think there are issues on these lines
synapse/rest/client/register.py

For every flow they are inserting at position 0, so registration_requires_token and enable_registration_captcha are conflicting.

@ankit-pn

ankit-pn commented Jan 2, 2023

Any maintainer please review and share whether I am right or there is some other issue!

@DMRobertson DMRobertson added S-Major Major functionality / product severely impaired, no satisfactory workaround. T-Defect Bugs, crashes, hangs, security vulnerabilities, or other reported issues. O-Occasional Affects or can be seen by some users regularly or most users rarely A-Email-Push Email notifications labels Jan 9, 2023
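
The ordering requested in the report, sketched as an added example (not Synapse's code and not posted by anyone in this thread): a registration session that refuses to send the verification mail until the captcha stage has been completed for that same session. All class, method and stage names are hypothetical, and the captcha verifier and mail sender are injected stand-ins.

```python
import secrets
from dataclasses import dataclass, field


class StageNotComplete(Exception):
    """Raised when a stage is requested before its prerequisite stage."""


@dataclass
class RegistrationSession:
    completed: set = field(default_factory=set)  # names of finished stages
    email_sent: bool = False


class RegistrationFlow:
    """Hypothetical server-side flow: captcha first, verification mail second."""

    def __init__(self, verify_captcha, send_mail):
        self._verify_captcha = verify_captcha  # callable(response) -> bool
        self._send_mail = send_mail            # callable(address, token) -> None
        self._sessions = {}

    def start(self):
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = RegistrationSession()
        return sid

    def submit_captcha(self, sid, response):
        ok = bool(self._verify_captcha(response))
        if ok:
            self._sessions[sid].completed.add("captcha")
        return ok

    def request_email_token(self, sid, address):
        session = self._sessions[sid]
        # The gate: no outbound mail for a session that has not passed the captcha.
        if "captcha" not in session.completed:
            raise StageNotComplete("captcha must be solved before mail is sent")
        # Assumption beyond the report: at most one mail per session, so a
        # solved captcha cannot be reused to send repeatedly.
        if session.email_sent:
            return False
        self._send_mail(address, secrets.token_urlsafe(32))
        session.email_sent = True
        return True
```

The check is enforced on the server against session state, so a client that skips the captcha screen and calls the mail step directly is still refused.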