Page MenuHomePhabricator

Should require a login
Open, MediumPublic


Someone sent a message to the Stewards using pretending to be another user. The legitimate party was surprised to get an emailed reply about the fake submission.

The reporting person's (the legitimate user's) suggestion is that should require the submitter to be logged in, or the message to the Stewards should indicate that it wasn't sent by a logged in user.

Does anything need to be done with this?

Event Timeline

Locked users can't use the form if we require a login...

Its interesting that the legitimate party got the response - do we set reply-to to the user-provided email?
Even as a logged in user I appear to be able to go to that form and set a different email address. Maybe it should be made clear that the email provided is unverified.

Locked users can't use the form if we require a login...

Our OTRS queue address is public and advertised via Stewards requests pages and other places anyway.

I can see a spike (for last few days to weeks) with someone pretending to be WMF department, employee, contractor, etc etc using the form to spam our queue and (to distribute automated reply to them).

It seems that George Reeves Person entered Jimbo Wales' Wikimedia email address multiple times creating a bunch of tickets. Please see #2019072010004768, #2019072010004741, and 16 others.

{T167219} is also somewhat related to this.

chasemp triaged this task as Medium priority.Dec 9 2019, 4:08 PM

Very closely related (but not the same, IMO) as {T244511} - proposed solution here is different

This is likely a duplicate of T167219.

Aklapper added a parent task: Restricted Task.May 22 2020, 1:13 PM

Is a large point of Special:Contact that it doesn't need a user? Just like with direct email to a mailing list/otrs pilot address, the recipients should never assume that the from/reply-to address is authenticated.