When you have the option turned on to verify a user's email address before they can post, this feature is working properly. But we have found that spammers are now creating the accounts, verifying them, then going and changing their email address in their profile. It does not reverify the email address. The result is that they can put anything in there and it will take it. They then go on to create more new accounts using the original email address they just used previously.
I'm pretty sure the spammers have scripted this as we are getting 20 or so of these per day where they create an account then change the email address afterwards.
My suggestion would be a reverification of an email address to complete an email change. That will stop this exploit from happening. It also might be good to log what the original email address was that set up the account.
#216382 - 08/11/08 01:37 PM Re: 7.3 exploit - Use one email address to create multiple accounts. [Re: Gizmo]
Rick (Registered: 06/04/06, Posts: 7567, Loc: Aberdeen, WA)
I can get this in, but my only thought is how to handle a fat-fingered email address. If you change your email, but make a typo, then you're not going to be able to validate the new email address since you won't get it and thus be locked out of your account.
I guess it just becomes a matter of contacting the admin at that point, but was looking for a more elegant solution.
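One way to get both properties the thread asks for (the original address stays bound to the account until the new one is verified, so a reused or bogus address cannot free it, and a typo in the new address does not lock the user out) is a pending-change model. The following is an added illustration, not UBB.threads code; the in-memory `accounts` store, the token TTL and the sample addresses are constructed for the example.

```python
import secrets
import time

# Constructed in-memory store: user_id -> account record. A real forum uses its DB.
accounts = {}
TOKEN_TTL = 24 * 3600  # assumed: pending change expires after one day


def _email_in_use(email):
    """True if any account has verified this address or has a pending claim on it."""
    for acct in accounts.values():
        if acct["email"] == email:
            return True
        if acct["pending"] and acct["pending"][0] == email:
            return True
    return False


def register(user_id, email):
    """Registration refuses an address another account already owns or claimed."""
    email = email.strip().lower()
    if _email_in_use(email):
        return None
    accounts[user_id] = {"email": email, "pending": None, "history": [email]}
    return email


def request_email_change(user_id, new_email, now=None):
    """Start a change: the verified address stays active, the new one is only pending."""
    now = time.time() if now is None else now
    new_email = new_email.strip().lower()
    if user_id not in accounts or _email_in_use(new_email):
        return None
    token = secrets.token_urlsafe(32)
    accounts[user_id]["pending"] = (new_email, token, now + TOKEN_TTL)
    return token  # sent only to new_email; a typo there just leaves the change pending


def confirm_email_change(user_id, token, now=None):
    """Swap in the new address only when the token mailed to it comes back in time."""
    now = time.time() if now is None else now
    acct = accounts.get(user_id)
    if not acct or not acct["pending"]:
        return False
    new_email, expected, expiry = acct["pending"]
    if now > expiry or not secrets.compare_digest(token, expected):
        return False
    acct["email"] = new_email
    acct["history"].append(new_email)  # keeps the original address on record
    acct["pending"] = None
    return True
```

Because the old address remains the account's verified address until confirmation, a scripted "register, verify, then overwrite the profile email" run no longer frees the original address for the next account.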