Wedge
Public area => The Pub => Off-topic => Topic started by: xrunner on May 27th, 2013, 12:51 AM
-
I was talking with another forum Admin about spam and member email options and we got into user's ability to be emailed.
I told him I wouldn't personally use it (if another member had it enabled). If I see anyone that has it enabled I turn it off (in their profile) and send them a PM warning that their email address could be gathered by spammers. Then once they realize this they can do as they wish, although I'm not sure that it should even be allowed at all. Anyone that wants to email another member can request it through a PM.
I couldn't remember, so I went through the registration process again, and it does offer a check box upon registration to enable members to email you. Of all the possible options to give a new registering member, why was "allow other users to email me" picked to be so important that it needs to be presented at registration time? Is this a legacy thing left over from back in the day when email was a big thing and was just never removed from the registration screen?
In SMF, I think they should have given the Admin an option in
Themes and Layout Settings --> Member Options --> Configure guest and new user options for this theme
for the ability to make this unchecked for new users and in registration settings, unavailable on the registration screen for new members by default. As it is, it's a check box that is unchecked but available to be checked at registration; many people unaware that this is a bad idea may think "Oh email is important and they're offering to let me enable it now - how nice of them, I need to turn this on ..."
What would you think of taking that check box off the registration screen in Wedge, or at least giving the Admins the option to have it not even appear at registration time?
-
Themes and Layout Settings --> Member Options
OK, here's the bad news. That screen doesn't exist in Wedge. At all. It's not pining, it's passed on. This parrot is no more. It has ceased to be. It's expired and gone to meet its maker. It's a stiff, bereft of life, it rests in pieces. If you hadn't mentioned it, it'd be pushing up the daisies. It's rung down the curtain and joined the choir invisible. This is an ex-screen!
The good news is that I turned them all into a single, sane, screen inside the Admin > Members > Member Options screen.
To answer your actual question. There's several facets to it. Firstly, it's not a theme level option like the ones you're referring to, it's an account level option and is stored elsewhere in the database.
Secondly, if you look back to SMF 1.1.x, the option isn't - in fact - 'Allow other users to email me', it is actually 'Hide my email address from others'. Yup, that's right, in 1.1.x the default is to show emails to the world. But the world was a nicer place in 2006. The internet was nicer back then. But it was changed in 2.0, of course.
Making it a preference in the manner you suggest is a surprising amount of fuss at a technical level, when I could just simply remove it from the registration screen. I don't know anyone that would legitimately enable it knowing what it actually meant and it is in their account settings if they want to enable it otherwise.
More interestingly, this raises a bigger question: do we actually need 'emailing other users' anyway? What's wrong with using PMs?
As I see it we could just ditch the ability to email other people, take out that option and users wouldn't have their email address mentioned in their profile at all except to senior site members. Then of course would be the inevitable 'but I can't see emails waaaaah' response. But that's a minority, I hope.
-
Themes and Layout Settings --> Member Options
OK, here's the bad news. That screen doesn't exist in Wedge. At all. It's not pining, it's passed on. This parrot is no more. It has ceased to be. It's expired and gone to meet its maker. It's a stiff, bereft of life, it rests in pieces. If you hadn't mentioned it, it'd be pushing up the daisies. It's rung down the curtain and joined the choir invisible. This is an ex-screen!
The good news is that I turned them all into a single, sane, screen inside the Admin > Members > Member Options screen.
To answer your actual question. There's several facets to it. Firstly, it's not a theme level option like the ones you're referring to, it's an account level option and is stored elsewhere in the database.
Secondly, if you look back to SMF 1.1.x, the option isn't - in fact - 'Allow other users to email me', it is actually 'Hide my email address from others'. Yup, that's right, in 1.1.x the default is to show emails to the world. But the world was a nicer place in 2006. The internet was nicer back then. But it was changed in 2.0, of course.
Making it a preference in the manner you suggest is a surprising amount of fuss at a technical level, when I could just simply remove it from the registration screen. I don't know anyone that would legitimately enable it knowing what it actually meant and it is in their account settings if they want to enable it otherwise.
More interestingly, this raises a bigger question: do we actually need 'emailing other users' anyway? What's wrong with using PMs?
As I see it we could just ditch the ability to email other people, take out that option and users wouldn't have their email address mentioned in their profile at all except to senior site members. Then of course would be the inevitable 'but I can't see emails waaaaah' response. But that's a minority, I hope.
-
I'd say ditch it as well or make it a profile field disabled by default if that makes any sense.
-
you do know that in 2.0 the email address is not actually visible unless the option is changed in the admin panel? so for smf this really is not that much of an issue, a user browsing the forum cant just collect everyones email addresses.
-
Since when?!
-
Really.
What Admin panel? I made damn sure I investigated this before posting this topic. I don't know of the panel he is referring to. :hmm:
-
admin -> security and moderation allow viewable email addresses which should stay UNCHECKED
-
admin -> security and moderation allow viewable email addresses which should stay UNCHECKED
Who the hell would do such a thing?
It doesn't prevent members from making their email addresses viewable on their own.
If t :unsure:his option is enabled instead of users email addresses being hidden to normal members and guests they will be publicly viewable on the forum. Enabling this will put your users at greater risk of being victims of spam as a result of email harvesters visiting your forum. Note this setting does not override the user setting for hiding their email address from users. Enabling this setting is not recommended.
-
even if their email is selected as viewable, no one can actually view it but the admin directly. in 2.0 there is a form to send the message. so the other users never see the email address of the other user they are sending the message to.
-
even if their email is selected as viewable, no one can actually view it but the admin directly. in 2.0 there is a form to send the message. so the other users never see the email address of the other user they are sending the message to.
First: If that option is checked then certainly email addresses can be gathered if members are allowing others to email them. If it got accidentally checked by a careless Admin then you might not notice it for a while. I don't think it's something that should be available for the Admin to muck around with (allow viewable email addresses).
Second: If you allow members to send you email then a person wanting to send spam can send it via email whether or not your email address is shown in the forum.
Third: People are naive and so there's still a way to get your email address. All a person has to do is send out email asking for help with a forum function to a user (not obvious spam).
Example:
Email harvester sends email through the forum -
"Hey can you tell me how to save my sent items in the PM system? I don't want to use it before I set that so I sent you an email."
Member emails back -
"OK do this ...?"
If the user gets the email and writes back thinking they are helping an innocent user then they have exposed their email address to a spammer that they thought was a legitimate member, and it can be forwarded to other spammers. Now I know what you're thinking "Oh xrunner, people aren't that stupid!"
My answer: "Oh yes they are."
So effectively a spammer can still use email to send spam and also gather email addresses from "email mining" as an innocent user seeking help. So I still say it doesn't belong in the activities of the forum and it's certainly not an option I would ask a new member to decide on right at registration. If anyone wants to exchange email address they can do it via PM.
-
As an aside before I answer the above, it's interesting that even Nao and I don't know the specifics of *every* nook and cranny of Wedge, especially in the SMF heritage.
I don't think it's something that should be available for the Admin to muck around with (allow viewable email addresses).
Second: If you allow members to send you email then a person wanting to send spam can send it via email whether or not your email address is shown in the forum.
Third: People are naive and so there's still a way to get your email address. All a person has to do is send out email asking for help with a forum function to a user (not obvious spam).
"Hey can you tell me how to use save my sent items in the PM system? I don't want to use it before I set that so I sent you an email."
My answer: "Oh yes they are."
For example, it happens probably once a week that someone asks on sm.org about how they fix their message list being 'newest first' and they want it 'oldest first'. You know, like it defaults to. They *must* have changed it and have no idea how they changed it or how to change it back >_<
-
Third: People are naive and so there's still a way to get your email address. All a person has to do is send out email asking for help with a forum function to a user (not obvious spam).
PM notifications do not use the sender's email address.
The scenario is that a spammer sees a member allowing members to send them emails. They want to trick them into sending back an email, so they use the forum email system to send an email asking for help. I just tried it and I got an email with the other member's email as the sender. So if they reply via email - the original sender has their email address. This is all going on outside the PM system."Hey can you tell me how to use save my sent items in the PM system? I don't want to use it before I set that so I sent you an email."
I'd be slightly worried if a member asked that... seeing how there's no option for it at all and it's done automatically ;)
I have this checked for all new members but some forums don't, so you have to go in and check it yourself or you won't have a record of anything you've sent, believe it or not it's not automatic in SMF it's an option, and I also think that's a stupid design. There should not be an option for this either. ::)
-
The scenario is that a spammer sees a member allowing members to send them emails. They want to trick them into sending back an email, so they use the forum email system to send an email asking for help. I just tried it and I got an email with the other member's email as the sender. So if they reply via email - the original sender has their email address. This is all going on outside the PM system.
Modify Profile --> Personal Messaging --> Save a copy of each personal message in my sent items by default.
There should not be an option for this either.
-
Really? Go to your profile on this site. I'll wait.
It's kinda complicated talking about the way two different forums actually work and should work both at the same time. :wow:
-
Yeah, I know exactly what you mean ;)
The codebases are quite a bit divergent, and getting further apart in both terms of behaviour as well as appearance - like the member options screen is gone, moved elsewhere and given a sane makeover.
But stuff like this largely hasn't changed and needs to be.
-
The scenario is that a spammer sees a member allowing members to send them emails. They want to trick them into sending back an email, so they use the forum email system to send an email asking for help. I just tried it and I got an email with the other member's email as the sender. So if they reply via email - the original sender has their email address. This is all going on outside the PM system.
we cant protect our users from being dumb and stupid all the time.
-
Sure you can just dont allow users to email each other unless they give the email address voluntarily.