I know this isn't a bug as such, but It is possible for fools to sign up on our forums with someone elses e-mail address, not confirm it and then start to add themselves to all lots of forum subscriptions and thread subscriptions. Then we seemly start to spam users with advertisements and posts which they have no intrest for.

Is there anyway to address this issue, its very open to abuse...

There isn't a way to unsubscribe an e-mail address from all threads/forums either.. :eek:

That's why you use Confirm email addresses in your registration. Nothing prevents this abuse from happening if you dont do some type of moderation on sign ups.

Its just as if someone went around and just signed your email address up for 1000 mailing lists that dont do confirmed opt-in.

Edit: You can also "unsubscribe" someone from a thread if, you know the persons Id number and the thread number and run a query through mysql.

Or change the users pw, log in as them and unsub them, then issue them a new password.

Reread my post please :)

I have e-mail confirmation ON already, my point is that thread/forum/something subscriptions can still be made when someone is waiting to confirm there e-mail address. I let my users browse threads while they are waiting for their e-mail to be delivered. There is no option to enable/disable thread subscriptions for that usergroup from what I can see, but I would love to be proved wrong. :)

Originally posted by Martz
Reread my post please :)

I have e-mail confirmation ON already, my point is that thread/forum/something subscriptions can still be made when someone is waiting to confirm there e-mail address. I let my users browse threads while they are waiting for their e-mail to be delivered. There is no option to enable/disable thread subscriptions for that usergroup from what I can see, but I would love to be proved wrong. :)

Edit: Okay that didn't come out right, let's try again.....

Okay, trying it on my board:

signed up with a new id.
Didn't confirm registration
Went to a thread and clicked on "Subscribe to Thread"

Logged out.
Logged in as Admin
Posted to the thread I was subscribed to.
Logged out.
Checked email

Notification of registration and to activate email.
Read that, didn't confirm yet

Check email again.
Yup, got a notification that the thread was replied to by "Admin", yet I haven't confirmed my registration yet.

Something the developers need to look into. So Im just going to comment out the subscribe thread link until its worked out.

Sorry, I didn't see the "subscribe" thread in your post, but Sub Scribe to Forum (is only listed in the USER cp, no emails sent) and Email notifications to new replies to a thread works as they do.

Would it be possible to add a link to the conformation e-mail so that if the address receiving it, if they did not sign up, could have the username and all related subscriptions deleted from the database.
Kind of an opt out clause for victims of SPAM.

Originally posted by neocivitas
Would it be possible to add a link to the conformation e-mail so that if the address receiving it, if they did not sign up, could have the username and all related subscriptions deleted from the database.
Kind of an opt out clause for victims of SPAM.

I wouldn't even consider in putting that in. Why? Its spammer talk.
OPTing out of anytihng that you did not sign up for is spamming terminology

Just comment out the link until something can be resolved I guess.

I confirmed this on my test board. I'm going to move this to the Bugs forum so the Developers will be aware of it.

Has anyone tried playing with the permissions for the 'User Awaiting' group to see if it's tied to a specific permission?

To prevent this you need to turn off the "Can Modify Profile" permission for your Unconfirmed members.

It isn't a bug per se just a poorly documented feature.

OK, but if they enter an incorrect e-mail address using sign up they cannot modify it later to get the registration completed. For the moment I'll restrict access to the User CP and hope that the next version of vB might approach this issue.

Originally posted by wluke
To prevent this you need to turn off the "Can Modify Profile" permission for your Unconfirmed members.

It isn't a bug per se just a poorly documented feature.

Then there should be a separate permission setting that would only allow the e-mail address to be changed if the user has not confirmed the e-mail account. There should also be the option of removing an e-mail address from all contact via the forum through one link to comply with opt-in and opt-out privacy policies. I'm shocked to realize there isn't a simple way for a user to stop all e-mail from reaching them.

Paul