This repository has been archived by the owner on Apr 26, 2024. It is now read-only.
Verify email after solving CAPTCHA #14764
Labels
A-Email-Push
Email notifications
O-Occasional
Affects or can be seen by some users regularly or most users rarely
S-Major
Major functionality / product severely impaired, no satisfactory workaround.
T-Defect
Bugs, crashes, hangs, security vulnerabilities, or other reported issues.
Description:
When a new user registers through a client like Element with 3pid email and reCAPTCHA turned on, the email verification gets sent immediately, before the user (or bot) has solved the captcha. This opens up the email infrastructure backing the Synapse instance to abuse. Lots of SMTP relays have monthly limits as well as monitoring of bounced emails and complaints. If you run your own mail system then you can get your IP blocked or a nasty email from your ISP. There is no reason to send the verification email before verifying that the user is a human, and presenting both of these tasks to the user at the same time is a sloppy user experience too.
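The ordering problem described in this issue, as an added example that is not part of the original report and is not Synapse code: a simplified registration model in which the email-token request is refused until the CAPTCHA stage has completed, run once ungated and once gated over the same attempts. The class and function names and the sample attempts are hypothetical; only the stage type string comes from the Matrix specification.

```python
# Simplified model of a registration flow (added example, not Synapse code).
# Registrar, RegistrationSession, simulate and ATTEMPTS are hypothetical names.
from dataclasses import dataclass, field

CAPTCHA = "m.login.recaptcha"  # Matrix auth stage type


class StageOrderError(Exception):
    """Email verification was requested before the CAPTCHA stage completed."""


@dataclass
class RegistrationSession:
    completed: set = field(default_factory=set)


class Registrar:
    def __init__(self, verify_captcha, send_mail, gate_email_on_captcha):
        self._verify_captcha = verify_captcha  # callable(response) -> bool
        self._send_mail = send_mail            # callable(address) -> None
        self._gate = gate_email_on_captcha

    def submit_captcha(self, session, response):
        if self._verify_captcha(response):
            session.completed.add(CAPTCHA)
        return CAPTCHA in session.completed

    def request_email_token(self, session, address):
        # Gated mode: no outbound mail until this session has passed the CAPTCHA.
        if self._gate and CAPTCHA not in session.completed:
            raise StageOrderError("complete the CAPTCHA stage first")
        self._send_mail(address)


def simulate(gate, attempts):
    """Replay (address, captcha_response) attempts; return addresses mailed."""
    outbox = []
    reg = Registrar(lambda r: r == "valid", outbox.append, gate)
    for address, response in attempts:
        session = RegistrationSession()
        try:
            reg.request_email_token(session, address)  # client asks immediately
        except StageOrderError:
            if reg.submit_captcha(session, response):
                reg.request_email_token(session, address)
    return outbox


# Constructed sample input: one human, two automated attempts that fail the CAPTCHA.
ATTEMPTS = [("alice@example.org", "valid"), ("a@example.net", "bad"), ("b@example.net", "bad")]
```

With the gate off, every submitted address receives mail regardless of the CAPTCHA result; with it on, only the session that passed the CAPTCHA does.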