auth: Deny registration with spammy email addresses

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/src/backend/accounts.py b/src/backend/accounts.py
index 5ffc66a56a2cc024b4c8466131ecb9116d9d1573..21181e2256abecea68a48427b6da39704a93a3b5 100644 (file)
--- a/src/backend/accounts.py
+++ b/src/backend/accounts.py
@@ -385,6 +385,20 @@ class Accounts(Object):
                # Looks like a valid email address
                return True
 
+       def mail_is_spam(self, mail):
+               """
+                       Checks whether the email follows a specific format that spammers are using.
+               """
+               username, _, domain = mail.partition("@")
+
+               # Fight against "<ho.l.m.ess.t.eph06@gmail.com>"
+               if domain == "gmail.com":
+                       if username.count(".") >= 5:
+                               return True
+
+               # Not spam
+               return False
+
        def mail_is_blacklisted(self, mail):
                username, delim, domain = mail.partition("@")
 

diff --git a/src/web/auth.py b/src/web/auth.py
index d430e18d6f6f7b7ea8ef43aed825a0083b6d7d20..b178af1525255005e8169f55a19eaa291e703fa0 100644 (file)
--- a/src/web/auth.py
+++ b/src/web/auth.py
@@ -101,6 +101,10 @@ class JoinHandler(base.AnalyticsMixin, base.BaseHandler):
                if first_name == last_name:
                        raise tornado.web.HTTPError(503)
 
+               # Fail if the email address isn't valid
+               if self.backend.accounts.mail_is_spam(email):
+                       raise tornado.web.HTTPError(503, "Email address looks spammy")
+
                # Register account
                try:
                        with self.db.transaction():