fill email obligatory for users who are signing up by the same IP and browser (Possible Sock puppetry)
Open, Needs Triage, Public

Description

If a user signs up with the same IP and browser as another user, it is possible they are sock puppets.
When a user signs up with the same IP and browser as another user who signed up in the last week, it is much better to force the user to fill in the email address. As we know, filling in a repeated email is not accepted by MediaWiki, so trolls who want to create sock puppets are trapped by more steps and also have to make another email.

For example: if User:A wants to create User:B with the same IP and browser, MediaWiki forces him to fill in an email address when creating User:B.

Event Timeline

Yamaha5 created this task. Aug 14 2017, 9:36 AM
Restricted Application added a subscriber: Aklapper. Aug 14 2017, 9:36 AM

This could/would cause privacy issues; it could be used to confirm other users' email addresses when they aren't public via MediaWiki.

Yamaha5 updated the task description. Aug 14 2017, 9:49 AM
Yamaha5 added a comment. Edited Aug 14 2017, 9:54 AM

I request to remove (optional) for mentioned new user's signup at here

@Peachey88 for solving privacy Issues: Mediawiki should warn this email is reserved without saying the username. Now MediaWiki warns repeated usernames. It can be the same as that.

Huji added a subscriber: Huji. Aug 14 2017, 1:31 PM

@Peachey88 for solving privacy Issues: Mediawiki should warn this email is reserved without saying the username. Now MediaWiki warns repeated usernames. It can be the same as that.

This would, however, force users to have to use different email address for different accounts. So if I have a main account and a bot account, and would like them both to be associated with an email address (in case I need to recover their password), I would be forced to use different email addresses. I am not sure if that is something we want or not. Preventing sock creation is important, but so is the convenience to good users.

it is only for new users not registered.

also, it can have an option when signup down with user is different from signup with IP

Huji added a comment. Aug 14 2017, 2:15 PM

Even if we make that field mandatory, the account can still be created and used. Currently, we do not require the email address to be validated before the user can edit.

Also, even if we make email verification mandatory, people can still use 10minutemail or similar services to bypass this. I cannot see a solid solution here, sorry.

I request to remove (optional) for mentioned new user's signup at here

On Wikimedia sites only? Or by default in the MediaWiki code base that anyone can use for setting up their wiki? This task is currently under MediaWiki, the latter.

If a user signs up by the same IP and browser as another user it is possible they are Sock puppetry.

Or a valid Editathon/Hackathon attendee at a university/library/etc...

also, it can have an option when signup down with user is different from signup with IP

I did not understand that sentence. Please rephrase.

I request to remove (optional) for mentioned new user's signup at here

On Wikimedia sites only? Or by default in the MediaWiki code base that anyone can use for setting up their wiki? This task is currently under MediaWiki, the latter.

on Wikimedia

If a user signs up by the same IP and browser as another user it is possible they are Sock puppetry.

Or a valid Editathon/Hackathon attendee at a university/library/etc...

At university, if their PCs exactly have the same IP and user agent it may cause a problem. I will explain new suggestion below.

also, it can have an option when signup down with user is different from signup with IP

I did not understand that sentence. Please rephrase.

when the user uses Special:CreateAccount it doesn't force to fill email but when common ip wants to signup force them to fill email.

If this suggestion's concept is ok I will open these tasks separately.

New suggestions:
1- When User:A wants to create User:B with a common IP and user agent, User:B is forced at signup to fill in an email because its IP and user agent in the last 24 hours are the same as User:A's.
2- User:B (the user who was forced to fill in an email) should confirm his email for editing.
3- We should have a possibility to block users by their similar email. If some users have a similar email, when we block one of them, the others also couldn't edit (sysops don't need to see the email address).
4- CheckUsers could find users with a similar email (they don't need to see the email address; it can be done with a hashed email).
5- For some temporary email sites like 10minutemail, we should have a page similar to MediaWiki:Spam-blacklist on the local wiki to block these email services and prevent users from using them.
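
Suggestions 4 and 5 above, sketched as an added example that is not part of the thread and not MediaWiki code (Python here rather than MediaWiki's PHP). The function names, `SERVER_KEY`, the blocklist entries and the sample signups are all assumptions constructed for illustration; the keyed digest is used because a bare hash of an address can be reversed by hashing guessed addresses, which is the privacy concern raised earlier in the task.

```python
import hashlib
import hmac
from collections import defaultdict

# Assumption: a server-side key stored outside the user database. A bare
# SHA-256 of an address could be reversed by hashing guessed addresses.
SERVER_KEY = b"constructed-demo-key"

# Constructed sample entries standing in for a wiki-maintained blocklist page.
DISPOSABLE_DOMAINS = {"10minutemail.example", "tempmail.example"}


def normalize(email):
    """Trim and lowercase so trivial variants map to one address."""
    local, at, domain = email.strip().rpartition("@")
    if not (local and at and domain):
        raise ValueError("not an email address: %r" % email)
    return local.lower() + "@" + domain.lower().rstrip(".")


def email_token(email, key=SERVER_KEY):
    """Keyed digest that can be compared without showing the address."""
    data = normalize(email).encode("utf-8")
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def is_disposable(email, blocklist=DISPOSABLE_DOMAINS):
    """True if the domain or any parent domain is on the blocklist."""
    labels = normalize(email).rpartition("@")[2].split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def shared_email_groups(tokens_by_user):
    """Group usernames whose tokens match; return groups of two or more."""
    groups = defaultdict(list)
    for user, token in tokens_by_user.items():
        groups[token].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Constructed signups; a reviewer would only ever be shown the tokens.
SIGNUPS = {
    "User:A": "alice@example.org",
    "User:B": " Alice@Example.ORG",
    "User:C": "carol@example.net",
}
TOKENS = {user: email_token(addr) for user, addr in SIGNUPS.items()}

if __name__ == "__main__":
    print(shared_email_groups(TOKENS))
    print(is_disposable("x@mx.10minutemail.example"))
```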

I see a lot of proposed complicated code to maintain for years, with no convincing gain or basis on any data ("find similar email users"? why?)?

I see a lot of proposed complicated code to maintain for years, with no convincing gain or basis on any data ("find similar email users"? why?)?

To find sock puppets and block them. Now CheckUser only works by IP and user agent. In my opinion, if email becomes obligatory it will help to find users who use the same email.

Jcross added a subscriber: Jcross. Mon, Feb 24, 7:47 PM

Hi @Yamaha5 ! Security is working on cleaning up our boards a bit and we would appreciate confirmation that this Privacy work is still needed. We were hoping you could take a look and let us know? If you would like to move forward we will ensure it is triaged and assigned accordingly.