From 0da2bda2f65ac00d46cf49a63f939c31ddcd67a8 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 8 May 2025 09:31:34 +0000 Subject: [PATCH] auth: Deny registration with spammy email addresses Signed-off-by: Michael Tremer --- src/backend/accounts.py | 14 ++++++++++++++ src/web/auth.py | 4 ++++ 2 files changed, 18 insertions(+) diff --git a/src/backend/accounts.py b/src/backend/accounts.py index 5ffc66a5..21181e22 100644 --- a/src/backend/accounts.py +++ b/src/backend/accounts.py @@ -385,6 +385,20 @@ class Accounts(Object): # Looks like a valid email address return True + def mail_is_spam(self, mail): + """ + Checks whether the email follows a specific format that spammers are using. + """ + username, _, domain = mail.partition("@") + + # Fight against "" + if domain == "gmail.com": + if username.count(".") >= 5: + return True + + # Not spam + return False + def mail_is_blacklisted(self, mail): username, delim, domain = mail.partition("@") diff --git a/src/web/auth.py b/src/web/auth.py index d430e18d..b178af15 100644 --- a/src/web/auth.py +++ b/src/web/auth.py @@ -101,6 +101,10 @@ class JoinHandler(base.AnalyticsMixin, base.BaseHandler): if first_name == last_name: raise tornado.web.HTTPError(503) + # Fail if the email address isn't valid + if self.backend.accounts.mail_is_spam(email): + raise tornado.web.HTTPError(503, "Email address looks spammy") + # Register account try: with self.db.transaction(): -- 2.47.2
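Review bot: The `domain == "gmail.com"` comparison in `mail_is_spam` is case-sensitive, so an address written with `@Gmail.com` skips the dot-count check unless the caller has already lower-cased it, which this hunk does not show. Comparing the lower-cased domain closes that gap, e.g. `if domain.lower() == "gmail.com":`, and `googlemail.com` delivers to the same mailboxes, so it may belong in the test as well. The threshold of five dots is a bare literal and the `# Fight against ""` comment carries an empty example. A short comment describing the pattern being matched and why five was chosen would help whoever tunes this later, since Gmail ignores dots and a legitimate user can trip the rule.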
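Review bot: The comment `# Fail if the email address isn't valid` in `src/web/auth.py` does not match the check beneath it, which calls `mail_is_spam`, a heuristic rather than a validity test; `# Fail if the email address matches a known spam pattern` would be accurate. In Tornado the second positional argument of `HTTPError` is the log message, so "Email address looks spammy" is what operators see, and it names no address. If logging the address is acceptable under your privacy rules, `raise tornado.web.HTTPError(503, "Email address looks spammy: %s", email)` would make false positives traceable. The handler method starts above this hunk and the `try:` block continues below it, so whether `email` is normalised or validated before this call cannot be seen here.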