Block password reset requests from blocked IP addresses
Closed, Resolved, Public

Description

Author: freakofnurture

Description:
A user whose IP address is blocked from editing (either directly by number or
range, or due to an autoblock from a blocked account attempting to edit) should
also be denied the ability to initiate bloody fuck obnoxious "password reset"
requests (usually delivered in bulk to the sysop that blocked him the IP).

Anyway I have filtered incoming e-mail from wiki@wikimedia.org directly to
"Trash can". I hope nothing important originates from that address. If it does,
it should be separated accordingly.


Version: unspecified
Severity: enhancement
URL: http://editthis.info/freak/crapflood

Details

Reference
bz6427

Event Timeline

bzimport raised the priority of this task from to Low. Nov 21 2014, 9:17 PM
bzimport set Reference to bz6427.
bzimport added a subscriber: Unknown Object (MLST).

But if the IP is blocked, and the user *does* have a Wikipedia account, he may want a password
reset to get his password, log in and edit his user talk.

freakofnurture wrote:

If an innocent user experiences both collateral damage and amnesia at the same
time, he could move to another computer to make that request, provided he
doesn't get struck by lightning and eaten by a shark along the way.

robchur wrote:

Another option might be to throw up a captcha...

freakofnurture wrote:

or a throttle limit...

freakofnurture wrote:

or both...

dwen92 wrote:

We shouldn't block _all_ blocked IPs from requesting pass's, but there should be some way the devs can block certain
IPs.
Not all IPs abuse the Password Reset. Only some, like en:69.50.208.4; also see
http://en.wikipedia.org/wiki/WP:AN/I#Email

windyaso-wp wrote:

It's as simple as limiting password requests to five an hour or
something...this would certainly cut down on the worst of the abuse.

freakofnurture wrote:

(In reply to comment #6)
> We shouldn't block _all_ blocked IPs from requesting pass's, but there should be
> some way the devs can block certain IPs.
> Not all IPs abuse the Password Reset. Only some, like en:69.50.208.4; also see
> http://en.wikipedia.org/wiki/WP:AN/I#Email

Perhaps this would be best as an extra checkbox on the [[Special:Blockip]] form,
then. --user:freakofnurture

dwen92 wrote:

(In reply to comment #8)
> > We shouldn't block _all_ blocked IPs from requesting pass's, but there should be
> > some way the devs can block certain IPs.
> > Not all IPs abuse the Password Reset. Only some, like en:69.50.208.4; also see
> > http://en.wikipedia.org/wiki/WP:AN/I#Email
>
> Perhaps this would be best as an extra checkbox on the [[Special:Blockip]] form,
> then. --user:freakofnurture

Definitely.
-D
[[User:Deon555]]

aranda1cards wrote:

Well, I lost my password for good after placing the request password email to my
autodelete spam filter after getting over 500 of those in one day, almost 1,000
for the week, by en:69.50.208.4. This bug should be fixed, and fast, before it
happens to anyone else.

jorge,

en:Jaranda

klofstrom wrote:

Same IP mailbombed me. Please fix this. -- Zora

psychonaut wrote:

See also Bug 7078, which proposes a throttle on password requests. This would
be easiest to implement as the code is already there; the throttle value just
needs to be set for Wikipedia.

*** Bug 7639 has been marked as a duplicate of this bug. ***
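
The two mitigations proposed in this thread, a per-block "deny password resets" flag and a throttle of five requests an hour, sketched as an added example (not MediaWiki code and not written by any commenter). The class and function names, the sample addresses and accounts, and the extra per-account limit (which goes one step beyond the thread) are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict, deque

WINDOW_SECONDS = 3600   # one hour
MAX_PER_WINDOW = 5      # "five an hour", the figure suggested in the thread


class ResetRequestGate:
    """Decides whether a password-reset e-mail may be sent for a request."""

    def __init__(self, no_reset_blocks=()):
        # Blocks flagged "also deny password resets" (the checkbox idea).
        self.no_reset_blocks = [ipaddress.ip_network(b) for b in no_reset_blocks]
        self.by_ip = defaultdict(deque)      # requester IP -> send timestamps
        self.by_target = defaultdict(deque)  # target account -> send timestamps

    def _under_limit(self, stamps, now):
        # Sliding window: forget sends older than the window, then count.
        while stamps and now - stamps[0] >= WINDOW_SECONDS:
            stamps.popleft()
        return len(stamps) < MAX_PER_WINDOW

    def check(self, ip, target, now):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.no_reset_blocks):
            return "denied: block forbids password resets"
        if not self._under_limit(self.by_ip[ip], now):
            return "denied: per-IP throttle"
        # Assumption beyond the thread: a per-account limit also caps a
        # flood that is spread over many source addresses.
        if not self._under_limit(self.by_target[target], now):
            return "denied: per-account throttle"
        self.by_ip[ip].append(now)
        self.by_target[target].append(now)
        return "sent"


def replay(gate, requests):
    """Run constructed (ip, target, time) tuples through the gate."""
    return [gate.check(ip, target, t) for ip, target, t in requests]


if __name__ == "__main__":
    # Constructed sample: documentation-range addresses, hypothetical accounts.
    gate = ResetRequestGate(no_reset_blocks=["203.0.113.0/24"])
    flood = [("198.51.100.7", "SysopA", t) for t in range(0, 70, 10)]
    print(replay(gate, flood))
```

Only requests that result in a sent e-mail are counted, so denied attempts do not extend the lockout for the address or the account.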