Author |
Topic |
@tomic
Senior Member
USA
1790 Posts |
Posted - 06 December 2002 : 14:15:11
|
Wouldn't it be more secure to have admins hard coded on config.asp or inc_header.asp?
@tomic |
SportsBettingAcumen.com |
|
|
GauravBhabu
Advanced Member
4288 Posts |
Posted - 06 December 2002 : 14:22:03
|
<edited**Going OffTopic**> Use the email feature to send an email to admins when M_LEVEL of the registering person or the profile being edited changes to 2 or 3. |
Edited by - GauravBhabu on 06 December 2002 14:28:48 |
|
|
Classicmotorcycling
Development Team Leader
Australia
2084 Posts |
Posted - 06 December 2002 : 15:30:23
|
HuwR & Richard (Plus the other Snitz Dev's),
I would like to get a copy of this code:
quote: Originally posted by HuwR
we are now being informed if anyone changes their m_level to admin status, I have created a trigger which will email me the username changed.
Is it going to be a bug fix?
I would also like to do this:
quote: Originally posted by RichardKinser
Most likely we are going to implement a filter to not allow e-mail addresses from places such as yahoo.com or hotmail.com etc. I personally have never wanted to do this, but it looks like we are going to have to.
I would like this filter to be able to be turned on or off via the admin console.
I believe that if they can get on the web, then they must have a normal e-mail address as supplied by the ISP they connect through, and do not need to supply a free service e-mail address. If the person only has connection via work, then they would have a work e-mail address, so there is no need to have a free address to register from there either.
I figure this will start something, but I hate getting users that register with a hotmail account (as an example), and post abuse and then when you e-mail them to say hang on, you can't do that, and the e-mail comes back saying the account is closed. Then they do it again with another e-mail from hotmail and again it is closed. At least with the normal e-mail address they will have a bit of grief, and it is easier to trace.
|
Cheers, David Greening |
|
|
@tomic
Senior Member
USA
1790 Posts |
Posted - 06 December 2002 : 15:55:05
|
There are people that share accounts or change accounts often and use the free email services so there is some continuity. There are sites that urge people to use the free services to deflect spam and for security purposes. Basically, there are legitimate reasons to use the free mail services and I think it might be a huge mistake to block them because some sliver of the population pie uses them for hacking.
@tomic |
SportsBettingAcumen.com |
|
|
HuwR
Forum Admin
United Kingdom
20584 Posts |
Posted - 06 December 2002 : 17:38:54
|
it is a SQL trigger. |
|
|
edw
Starting Member
9 Posts |
Posted - 07 December 2002 : 06:53:08
|
I think the Admin change monitor for plain simple SQL / Access, ii, the option of restrict certain domains, and iii, block IP addresses list would be great new features for the future.
As @tomic says, I think there are legitimate reasons for using HOTMAIL and it's more fun making troublesome users struggle with locked accounts and re-register than block all "open" email domains.
Perhaps another wish for feature would be this. DNS trace-route of new users stored in the members profile. The Forum Administrator could then observe the ISP and IP details of each registration and IF an ISP pattern of trouble was spotted, then an IP source block could be put in place for specified blocks of IP addresses. People throw away Hotmail accounts BUT changing ISP settings is far more hassle.
|
|
|
Webbo
Average Member
United Kingdom
982 Posts |
Posted - 07 December 2002 : 10:12:52
|
There is another issue to free email accounts that would also need addressing if you are to go down that path and that is 'email aliasing'. There are equally as many sites that offer aliases that redirect to another email address. Who's to say that a user wouldn't use an alias to a hotmail or other free account which would then effectively render it nigh on impossible to block 'free accounts'?
Regards,
Dave |
|
|
Reinsnitz
Snitz Forums Admin
USA
3545 Posts |
Posted - 07 December 2002 : 11:38:14
|
this is right up with blocking IP's in my opinion :) |
Reinsnitz (Mike) |
|
|
RichardKinser
Snitz Forums Admin
USA
16655 Posts |
|
ruirib
Snitz Forums Admin
Portugal
26364 Posts |
|
BWJM
Junior Member
Canada
193 Posts |
Posted - 08 December 2002 : 00:37:09
|
First of all, I would just like to echo the comments of numerous others and express my appreciation to Richard, HuwR and the rest of the people that make this place go. Each and every one of you are an integral part of the team and your efforts do not go unnoticed.
Based on the suggestions given thus far, here is what I would like to see come of this incident:
- Admin console page with a list of pre-defined domains which the Admin can check off as being dis-allowed. Option for Admin to add their own custom domains to the list.
- M_LEVEL change trigger for as many types of databases as possible with a priority placed on SQL Server and Access databases. Doing this in pop_profile.asp is not good enough since any ASP page including a custom page can theoretically modify the database.
- Option for Admin to block email addresses with a plus symbol in them. Some POP servers are set to ignore the plus symbol and any characters between it and the at symbol. Thus, to an enabled server, user@server.com and user+qazwsx@server.com would mean the same thing.
- Block/ban IP addresses/ranges should be built into the base code. This should include an effective reporting tool as well to tip off Admins to visits from banned ranges. (I'm not familiar with any related mods out there since I use a tool that I created on my own)
- Investigate the suggestion of hard-coding Admins into config.asp similar to how the SuperAdmin is defined. This will likely make negligible the threat of users being able to elevate their own privileges without proper authorization. This may make it more of a hassle for Admins to promote users, but in most cases, the only Admins with the authority to promote someone else to Admin rank would usually have access to the source files. "Jr. Admins" do not have such access in most cases.
These people have challenged the Snitz community. Let's rise to the challenge and figure out exactly what happened here and then let's make sure it can't happen again. |
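The database-level M_LEVEL monitor discussed in this thread (HuwR's "SQL trigger" and the trigger item in the list above), sketched as an added example that is not part of any post and is not Snitz code. It uses SQLite from Python so it runs offline instead of SQL Server or Access; the table names `FORUM_MEMBERS` and `LEVEL_AUDIT` and every column except `M_LEVEL` are assumptions, and it records alerts in a table rather than sending mail.

```python
import sqlite3

# Assumed schema: only the M_LEVEL column name comes from the thread.
SCHEMA = """
CREATE TABLE FORUM_MEMBERS (
    MEMBER_ID INTEGER PRIMARY KEY,
    M_NAME    TEXT NOT NULL,
    M_LEVEL   INTEGER NOT NULL DEFAULT 1
);
CREATE TABLE LEVEL_AUDIT (
    AUDIT_ID   INTEGER PRIMARY KEY,
    MEMBER_ID  INTEGER NOT NULL,
    M_NAME     TEXT NOT NULL,
    OLD_LEVEL  INTEGER,              -- NULL when the row was inserted elevated
    NEW_LEVEL  INTEGER NOT NULL,
    CHANGED_AT TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
);
-- Fires for any UPDATE that moves M_LEVEL to 2 or 3, whichever page issued it.
CREATE TRIGGER trg_level_update AFTER UPDATE OF M_LEVEL ON FORUM_MEMBERS
WHEN NEW.M_LEVEL <> OLD.M_LEVEL AND NEW.M_LEVEL IN (2, 3)
BEGIN
    INSERT INTO LEVEL_AUDIT (MEMBER_ID, M_NAME, OLD_LEVEL, NEW_LEVEL)
    VALUES (NEW.MEMBER_ID, NEW.M_NAME, OLD.M_LEVEL, NEW.M_LEVEL);
END;
-- Also covers a registration that arrives with an elevated level.
CREATE TRIGGER trg_level_insert AFTER INSERT ON FORUM_MEMBERS
WHEN NEW.M_LEVEL IN (2, 3)
BEGIN
    INSERT INTO LEVEL_AUDIT (MEMBER_ID, M_NAME, OLD_LEVEL, NEW_LEVEL)
    VALUES (NEW.MEMBER_ID, NEW.M_NAME, NULL, NEW.M_LEVEL);
END;
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def demo():
    """Run constructed sample changes and return the audit rows to alert on."""
    conn = open_db()
    conn.executemany("INSERT INTO FORUM_MEMBERS (M_NAME, M_LEVEL) VALUES (?, ?)",
                     [("alice", 1), ("mallory", 1)])
    # Ordinary profile edit: M_LEVEL untouched, so nothing is logged.
    conn.execute("UPDATE FORUM_MEMBERS SET M_NAME = 'alice2' WHERE M_NAME = 'alice'")
    # Raw UPDATE that bypasses the profile page entirely: still logged.
    conn.execute("UPDATE FORUM_MEMBERS SET M_LEVEL = 3 WHERE M_NAME = 'mallory'")
    conn.execute("INSERT INTO FORUM_MEMBERS (M_NAME, M_LEVEL) VALUES ('trudy', 2)")
    return conn.execute("SELECT M_NAME, OLD_LEVEL, NEW_LEVEL FROM LEVEL_AUDIT "
                        "ORDER BY AUDIT_ID").fetchall()

if __name__ == "__main__":
    print(demo())
```

A mailer or admin page would poll `LEVEL_AUDIT`; because the check lives in the database, it sees changes made by any page or script, which is the reason given above for not relying on pop_profile.asp.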
|
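The switchable registration e-mail checks from the list above (blocked domains and plus-tagged addresses), as an added example that is not part of any post and is not Snitz code. The function names and reason strings are hypothetical, lower-casing the local part is an assumption, and the duplicate-mailbox check goes one step beyond the post by using the same normalisation to spot a second registration for one mailbox.

```python
# Domains named in the thread; an admin console would maintain this list.
BLOCKED_DOMAINS = {"yahoo.com", "hotmail.com"}

def canonical_email(address):
    """Return (canonical address, had_plus_tag) with any +tag removed."""
    local, sep, domain = address.strip().rpartition("@")
    base, plus, _tag = local.partition("+")
    if not sep or not base or not domain:
        raise ValueError("not a usable e-mail address: %r" % address)
    domain = domain.lower().rstrip(".")
    # Assumption: treat the local part as case-insensitive for comparison.
    return base.lower() + "@" + domain, bool(plus)

def check_registration(address, registered, block_free=False, block_plus=False):
    """Return the list of reasons to refuse this address (empty = accept).

    block_free and block_plus model the on/off switches requested in the
    thread; the duplicate check always runs.
    """
    canon, tagged = canonical_email(address)
    domain = canon.rpartition("@")[2]
    reasons = []
    if block_free and any(domain == d or domain.endswith("." + d)
                          for d in BLOCKED_DOMAINS):
        reasons.append("blocked-domain")
    if block_plus and tagged:
        reasons.append("plus-tag")
    if canon in {canonical_email(r)[0] for r in registered}:
        reasons.append("duplicate-mailbox")
    return reasons

if __name__ == "__main__":
    members = ["user@server.com"]  # constructed sample data
    print(check_registration("user+qazwsx@server.com", members, block_plus=True))
    print(check_registration("someone@hotmail.com", members, block_free=True))
```

Forwarding aliases hosted on other domains, raised earlier in the thread, are not detectable this way because the alias and the target mailbox share no visible structure.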
|
|
HuwR
Forum Admin
United Kingdom
20584 Posts |
Posted - 08 December 2002 : 07:43:26
|
quote: Originally posted by RichardKinser
this person tried to register again now that we have registration open:
http://forum.snitz.com/forum/topic.asp?TOPIC_ID=39177#200663
It may not actually be the same person, the IP is obviously an ISP in Vietnam, so, it may have been a legitimate registration, we have no way of knowing. |
|
|
davemaxwell
Access 2000 Support Moderator
USA
3020 Posts |
Posted - 08 December 2002 : 08:49:58
|
quote: Originally posted by HuwR
quote: Originally posted by RichardKinser
this person tried to register again now that we have registration open:
http://forum.snitz.com/forum/topic.asp?TOPIC_ID=39177#200663
It may not actually be the same person, the IP is obviously an ISP in Vietnam, so, it may have been a legitimate registration, we have no way of knowing.
If you look at the email address he provided, it's just the last three letters of the previous email address.... |
Dave Maxwell Barbershop Harmony Freak |
|
|
cocu
Starting Member
8 Posts |
|
David K
Junior Member
494 Posts |
Posted - 08 December 2002 : 17:51:18
|
I don't think that blocking free emails is the problem, everyone can get their own server nowadays and use dynamic dns to use it. I think IP blocking is better, and how the heck did they get to the registration? why didn't you block their IP, it seems to be the same! |
|
|