Bypassing manual approval by changing email address before approval

[nocte]

When a user has a banned multiple account, then the "Moderated action" is performed. When the user then changes their email-address, they just have to verify their account and can bypass manual approval.

I could reproduce this on my live-board.

Setup: XF 2.1 and manual approval for all users.

 

[Xon]

Manual approval + email confirmation + spam detection is a buggy setup, that is frankly broken by design.

Duplicate - User approve queue can sometimes not require email confirmation

The XF registration flows from registering to valid/moderated are; register => spam checker says moderate => approval queue => user_state set to valid. No email confirmation. register ("Enable email confirmation" == true) => email confirm ("Enable manual approval" == true) => approval queue...

xenforo.com

The XF registration flows from registering to valid/moderated are;

• register => spam checker says moderate => approval queue => user_state set to valid. No email confirmation.
• register ("Enable email confirmation" == true) => email confirm ("Enable manual approval" == true) => approval queue.
• register ("Enable email confirmation" == true) => email confirm ("Enable manual approval" == false) => user_state set to valid
• register ("Enable email confirmation" == false) => user_state set to valid
• register ("Enable email confirmation" == false, "Enable manual approval" == true) => approval queue

If the spam checker pushes as user into the moderation queue, email confirmation hasn't been done and the "approve" option skips email confirmation.

This is rather unexpected behaviour and can cause 'Enable email confirmation' to be bypassed until a hard-bounce comes along and disables the account.

Click to shrink...

If you are using signup abuse blocking, I'ld recommend just throwing a manual moderate rule, and disable the "Enable manual approval" option and then ensure in the approval queue the "Require email confirmation (always notifies)" option with "approve" is used.

 

[nocte]

Thank you for clarification!

If you are using signup abuse blocking, I'ld recommend just throwing a manual moderate rule, and disable the "Enable manual approval" option and then ensure in the approval queue the "Require email confirmation (always notifies)" option with "approve" is used.

Click to shrink...

An alternative would be that your addon did not send any users to moderation, right? Could you implement an option, that makes that possible (at the moment it seems that users who have banned multiple accounts cannot be ignored)?

 

[Xon]

XenForo bug report; https://xenforo.com/community/threads/manual-approval-queue-bypass.200485/

An alternative would be that your addon did not send any users to moderation, right? Could you implement an option, that makes that possible (at the moment it seems that users who have banned multiple accounts cannot be ignored)?

Click to shrink...

The problem is any XF spam provider can trigger this buggy behaviour. The "Enable manual approval" flag is just frankly buggy.

 

[Xon]

at the moment it seems that users who have banned multiple accounts cannot be ignored)

Click to shrink...

Look for the "Multi-Account Registration Mode (general)" & "Registration Mode (for banned or specific groups)" options. This lets you configure what it does at signup when a multi-account is detected

 

[nocte]

Look for the "Multi-Account Registration Mode (general)" & "Registration Mode (for banned or specific groups)" options. This lets you configure what it does at signup when a multi-account is detected

Click to shrink...

both settings have only a "score" added. And the "Moderate registration score threshold" option is set to 0 (disabled). That's my setup at the moment.

 

[Xon]

both settings have only a "score" added. And the "Moderate registration score threshold" option is set to 0 (disabled). That's my setup at the moment.

Click to shrink...

Can you provide a screenshot of those options in a ticket?