Last modified: 2012-10-29 16:39:58 UTC
Users are unable to edit using a blocked IP, but they still can send email that way — the check in SpecialEmailuser.php doesn’t take it into consideration. According to a Russian Wikipedia checkuser, this breach is being heavily abused (spam et al), so this is somewhat urgent.
We should allow IP blocks to block e-mail as well, if they affect registered users. Currently you can only block accounts from sending e-mail, not IPs.
Done in r50871.
*** Bug 18942 has been marked as a duplicate of this bug. ***
https://bugzilla.wikimedia.org/show_bug.cgi?id=19246 reports that this functionality has broken
*** Bug 19246 has been marked as a duplicate of this bug. ***
I can't reproduce that, either on my test wiki, or enwiki.
(In reply to comment #6) > I can't reproduce that, either on my test wiki, or enwiki. > Would it possibly be an issue with the rangeblock rather than a single IP block?
(In reply to comment #7) > (In reply to comment #6) > > I can't reproduce that, either on my test wiki, or enwiki. > > > > Would it possibly be an issue with the rangeblock rather than a single IP > block? > I don't think so. Although the case I highlighted in https://bugzilla.wikimedia.org/show_bug.cgi?id=19246 deals with a rangeblock, I've also encountered the same issues with individual IPs that were previously blocked with e-mail blocked as open proxies.
Were the emails sent before or after the user accounts had email disabled? I notice that if a user is affected by a rangeblock with e-mail disabled, and their username is banned without email disabled, they can still send email.
No, the user accounts were not blocked at the time. Only the underlying IP was blocked with account creation blocked and e-mail blocked.
I specifically tested it using a rangeblock. I used a /24 on enwiki and a /16 on my test wiki. I checked in each case that the block_email field was getting set in the database (it did) then tried to send an email from a non-admin account. In each case I received the standard block screen. I tested trying to send an email via the API as well. Looking on the Toolserver, there are currently at least 78 active blocks in the 88.191.0.0/16 range, most of which are not anon only and only a few of which block email. Its possible that those blocks are taking precedence when MediaWiki tries to determine the block settings. http://p.defau.lt/?9hXXkCU__7ingCaSLu8xVQ
Yes, blocks are not cumulative. The most specific block is what will apply to the user.
That doesn't appear to be the issue. 88.191.253.150 was covered by the 88.191.0.0/16 rangeblock on May 28, yet a banned user was still able to send an e-mail from an account on June 13.
(In reply to comment #10) > No, the user accounts were not blocked at the time. Only the underlying IP was > blocked with account creation blocked and e-mail blocked. > http://en.wikipedia.org/w/index.php?title=Special:Log&type=block&page=User:Drill%20you%20like%20an%20ocean http://en.wikipedia.org/w/index.php?title=Special%3ALog&type=block&user=&page=User%3AYAHOO!Hooligan Both of these users were blocked without email disabled prior to June 13.
(In reply to comment #14) > (In reply to comment #10) > > No, the user accounts were not blocked at the time. Only the underlying IP was > > blocked with account creation blocked and e-mail blocked. > > > > http://en.wikipedia.org/w/index.php?title=Special:Log&type=block&page=User:Drill%20you%20like%20an%20ocean > http://en.wikipedia.org/w/index.php?title=Special%3ALog&type=block&user=&page=User%3AYAHOO!Hooligan > > Both of these users were blocked without email disabled prior to June 13. > Oh, my mistake. The accounts were indeed blocked, BUT this was before the "prevent e-mail" option was added to the block interface. So, technically, they could still send e-mails.
Is this still an issue?
email block now addresses this issue
*** Bug 17787 has been marked as a duplicate of this bug. ***