
Special:Emailuser doesn't check whether user's IP is blocked
Closed, Declined (Public)

Description

Users are unable to edit using a blocked IP, but they still can send email that way — the check in SpecialEmailuser.php doesn’t take it into consideration.

According to a Russian Wikipedia checkuser, this breach is being heavily abused (spam et al), so this is somewhat urgent.


Version: 1.16.x
Severity: major
URL: http://ru.wikipedia.org/wiki/User:Welcome_all

Details

Reference
bz18860

Event Timeline

bzimport raised the priority of this task from to Medium. Nov 21 2014, 10:42 PM
bzimport set Reference to bz18860.
bzimport added a subscriber: Unknown Object (MLST).

ayg wrote:

We should allow IP blocks to block e-mail as well, if they affect registered users. Currently you can only block accounts from sending e-mail, not IPs.

*** Bug 18942 has been marked as a duplicate of this bug. ***

*** Bug 19246 has been marked as a duplicate of this bug. ***

I can't reproduce that, either on my test wiki, or enwiki.

(In reply to comment #6)

I can't reproduce that, either on my test wiki, or enwiki.

Would it possibly be an issue with the rangeblock rather than a single IP block?

Nishkid64 wrote:

(In reply to comment #7)

(In reply to comment #6)

I can't reproduce that, either on my test wiki, or enwiki.

Would it possibly be an issue with the rangeblock rather than a single IP block?

I don't think so. Although the case I highlighted in https://bugzilla.wikimedia.org/show_bug.cgi?id=19246 deals with a rangeblock, I've also encountered the same issues with individual IPs that were previously blocked with e-mail blocked as open proxies.

overlordq wrote:

Were the emails sent before or after the user accounts had email disabled?

I notice that if a user is affected by a rangeblock with e-mail disabled, and their username is banned without email disabled, they can still send email.

Nishkid64 wrote:

No, the user accounts were not blocked at the time. Only the underlying IP was blocked with account creation blocked and e-mail blocked.

I specifically tested it using a rangeblock. I used a /24 on enwiki and a /16 on my test wiki. I checked in each case that the block_email field was getting set in the database (it did) then tried to send an email from a non-admin account. In each case I received the standard block screen. I tested trying to send an email via the API as well.

Looking on the Toolserver, there are currently at least 78 active blocks in the 88.191.0.0/16 range, most of which are not anon only and only a few of which block email. It's possible that those blocks are taking precedence when MediaWiki tries to determine the block settings.
http://p.defau.lt/?9hXXkCU__7ingCaSLu8xVQ

Yes, blocks are not cumulative. The most specific block is what will apply to the user.
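The two points made in this thread, that the e-mail check originally consulted only the account block and that blocks are not cumulative (the single most specific block decides), can be modelled in a few lines. The following Python is an added illustration for this task, not MediaWiki's own code: the Block class, its field names, the account name "ExampleSpammer" and the 88.191.10.0/24 sub-range are constructed; the 88.191.0.0/16 range and 88.191.253.150 address are the ones mentioned in the comments above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Block:
    # Constructed model of a block row: target is an account name, a single IP or a CIDR range.
    target: str
    block_email: bool         # corresponds to the block_email flag mentioned in the thread
    anon_only: bool = False   # IP/range blocks may apply to anonymous editors only


def _is_ip_target(target: str) -> bool:
    try:
        ip_network(target, strict=False)
        return True
    except ValueError:
        return False


def applicable_blocks(blocks: List[Block], username: Optional[str], client_ip: str) -> List[Block]:
    """All blocks hitting this request: a block on the account, plus every IP or
    range block covering the client IP (anon-only blocks skip logged-in users)."""
    ip = ip_address(client_ip)
    hits = []
    for b in blocks:
        if not _is_ip_target(b.target):
            if username is not None and b.target == username:
                hits.append(b)
        elif ip in ip_network(b.target, strict=False):
            if username is None or not b.anon_only:
                hits.append(b)
    return hits


def _specificity(block: Block) -> int:
    # An account block is treated as most specific; among IP blocks a longer prefix wins.
    if not _is_ip_target(block.target):
        return 1000
    return ip_network(block.target, strict=False).prefixlen


def effective_block(blocks: List[Block], username: Optional[str], client_ip: str) -> Optional[Block]:
    """Blocks are not cumulative: only the single most specific matching block applies."""
    hits = applicable_blocks(blocks, username, client_ip)
    return max(hits, key=_specificity) if hits else None


def can_send_email_account_only(blocks: List[Block], username: Optional[str], client_ip: str) -> bool:
    """The behaviour reported in this task: only a block on the account itself is
    consulted, so a user on a blocked IP or range can still send e-mail."""
    account_blocks = [b for b in blocks if b.target == username]
    return not any(b.block_email for b in account_blocks)


def can_send_email_fixed(blocks: List[Block], username: Optional[str], client_ip: str) -> bool:
    """Corrected check: resolve the effective block across account and IP first."""
    eff = effective_block(blocks, username, client_ip)
    return eff is None or not eff.block_email


# Constructed sample data echoing the thread: a /16 range block with e-mail disabled,
# a narrower block inside it without the e-mail flag, and an account blocked before
# the "prevent e-mail" option existed.
SAMPLE_BLOCKS = [
    Block("88.191.0.0/16", block_email=True),
    Block("88.191.10.0/24", block_email=False),
    Block("ExampleSpammer", block_email=False),
]

if __name__ == "__main__":
    for user, ip in [("SomeoneElse", "88.191.253.150"), ("SomeoneElse", "88.191.10.5"),
                     ("ExampleSpammer", "88.191.253.150"), (None, "8.8.8.8")]:
        eff = effective_block(SAMPLE_BLOCKS, user, ip)
        print(user, ip, "effective:", eff.target if eff else None,
              "account-only:", can_send_email_account_only(SAMPLE_BLOCKS, user, ip),
              "fixed:", can_send_email_fixed(SAMPLE_BLOCKS, user, ip))
```

Running it shows the three situations the comments describe: an unblocked account on 88.191.253.150 passes the account-only check but is stopped once the /16 is consulted; an account inside the narrower /24 is allowed even under the corrected check, because that more specific block wins and does not set the e-mail flag; and an account blocked without the e-mail flag keeps the right to send mail, since its own block is the most specific one.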

Nishkid64 wrote:

That doesn't appear to be the issue. 88.191.253.150 was covered by the 88.191.0.0/16 rangeblock on May 28, yet a banned user was still able to send an e-mail from an account on June 13.

(In reply to comment #10)

No, the user accounts were not blocked at the time. Only the underlying IP was blocked with account creation blocked and e-mail blocked.

http://en.wikipedia.org/w/index.php?title=Special:Log&type=block&page=User:Drill%20you%20like%20an%20ocean
http://en.wikipedia.org/w/index.php?title=Special%3ALog&type=block&user=&page=User%3AYAHOO!Hooligan

Both of these users were blocked without email disabled prior to June 13.

Nishkid64 wrote:

(In reply to comment #14)

(In reply to comment #10)

No, the user accounts were not blocked at the time. Only the underlying IP was blocked with account creation blocked and e-mail blocked.

http://en.wikipedia.org/w/index.php?title=Special:Log&type=block&page=User:Drill%20you%20like%20an%20ocean
http://en.wikipedia.org/w/index.php?title=Special%3ALog&type=block&user=&page=User%3AYAHOO!Hooligan

Both of these users were blocked without email disabled prior to June 13.

Oh, my mistake. The accounts were indeed blocked, BUT this was before the "prevent e-mail" option was added to the block interface. So, technically, they could still send e-mails.

Email block now addresses this issue.

*** Bug 17787 has been marked as a duplicate of this bug. ***