The only way I can see to block this is to stop usernames and names from including a full stop/period. Not sure of the implications of that - probably ok if we only apply the restriction to new accounts

Not acceptable. On joomla.org properties a lot of our accounts are <first_name>.<last_name> standard, this restriction would prevent my use of michael.babker as a username, or in cases where email addresses are in use my michael.babker@joomla.org email address as a username.

To be honest, any sort of "dodgy email" filter is going to be very arbitrary and I'm not sure what measures core should actually take about this, if any at all, because it is going to result in an arbitrary decision to disallow some kind of username syntax for reasons that equate to nothing more than "if someone gets emailed with a username in that email content it will look like spam to the human eye".

This is a valid issue. We have an open issue on the tracker regarding this already. However just preventing links doesn't go far enough for me and its only a partial solution. All you really need to do is to have a more realistic limit on the max number of characters in a name/username

I didn't spot this 'issue' myself - I came in to work yesterday to find 900+ new user registrations all sending out this type of email. So it is a real issue that could at the very least affect the email server reputation of a Joomla site. In my case I didn't have captcha enabled on user registration for this particular site which is why the number got so big.

Limiting the length of username and name would help but the limit would need to be pretty short when URL shorteners are introduced into the equation. I suppose blocking back slashes could help to limit the use of most URL shorteners.

I see the issue with banning the "period" for usernames - and I suspect there are real "names" with periods in them.

So it is a real issue that could at the very least affect the email server reputation of a Joomla site.

I get it's real and annoying. I just don't know how you do a spam rule in front of a username that doesn't either come across as a "we're trying to manually filter spam" type thing (which becomes a high maintenance burden because such a rule would have to commonly updated or you'd need to ensure registration triggers plugin events before saving so that the username could be pushed through a spam detection/filtering service the same way comment or forum post messages are and registration blocked based on that) or impose restrictions on legitimate use cases.

Personally I think the name is more important to deal with than the username since it is used right at the start of the email.

UsersModelRegistration::getData trigger onContentPrepareData with a suitable context set (com_users.registration) so a solution could be implemented as a plugin. But I wonder if there is a 'responsibility' on the core code to make this type of exploitation of mail server of a Joomla site less likely - even if it can't be blocked completely??

p.s. As a wild, out there, idea we could replace the period with a 'one dot leader' in the text of the email (http://www.fileformat.info/info/unicode/char/2024/index.htm) which would make any embedded domains unclickable - but that probably opens up a whole can of worms

But I wonder if there is a 'responsibility' on the core code to make this type of exploitation of mail server of a Joomla site less likely - even if it can't be blocked completely??

I still don't know. Any filter/validation rule on a username or display/real name is arbitrary at best, doing it in direct defense against potential spam attacks makes it harder to build/maintain in any way short of "outsource to plugins that can hook to spam filter to address this".

Having a username filter is easy (usernames can match regex). A display/real name filter isn't.

Simply use \b (word boundary) #\bhttps?\b#i

unfortunately this still doesn't block names/usernames containing valid URLs which many email packages will still render as clickable links

Use similar detection

1. detect // regardless of having protocol (and yes just block this too: "george//aaaaa" )
2. detect www. since this --commonly-- detected as URL

And yes it will block names / usernames containing word starting with www.
but that is really more than acceptable, so my suggestion is this

#(\b\/\/b|\swww.|^www.)#i

Related to #19438 and #14275

I have updated the regex to this

#(:\/\/|\bwww.|\bftp.)#i

since

\b\/\/b

wasn't matching http:// etc.

The primary focus of this PR was not to reduce Joomla being used to generate spam - it was to reduce the risk of it being used for phishing or distribution of malware site links

Changed made as requested.

Since I created this PR at least half the client sites I have looked at have been used by Russian scammers taking advantage of this 'loop hole' in Joomla - with thousands of potential victims hit.

I know this isn't a perfect and final solution but it is an essential first step in my opinion

any modification in lib.joomla.ini has to be done both in admin and site files

@infograf768 backend language file modified to replicate frontend change.

Is it something that should not be arbitrary and have a possible control in User Manager options (Disable in name and / or disable in username). And possibly have a control on regex to define it yourself?

Otherwise there is a bunch of extensions that allows this, for example https://extensions.joomla.org/extension/restrict-usernames/

Other option is simply to restrict by max characters as already mentioned.

@laoneo Adding security by extension? Wow, TBH this is new concept for me. Ive always thought, and been taught, that security should be in the core of product, not addable by installing extension.

Also senteces like:

Thanks for your help making Joomla better.

are nothing more than empty marketing slogans.