We discovered a critical issue in our production CS2008 some weeks ago. Several users report that they've regularly received emails with a new password but they haven't requested a new password. It seems to happen randomly, approx. once a week.
I see that another user has reported something similar to this, but I get 'access denied' when I try to read the post.
What could it be? How can this annoyance be turned off?
Regards,
Fredrik
Depending on how you've got CS set up, anyone could reset a user's password as long as they know the user's email address. All they need to do is go to the forgot password page, and enter the user's email address.
One way around this is to change the Password Reset to send out a link where the user can reset his / her password, as opposed to generating a temporary one. To do this, go to Control Panel > System Administration > Membership Administration > Configuration > Account Settings. On the registration tab, find the Password Recovery option, and change it to Link.
Community Server Documentation please rate articles you read
Nintendo Wiikly | My Blog
Thanks for the quick reply!
There's of course a slight possibility that some lunatic is spending the night resetting the passwords of our users, but I wonder how it's possible to get so many email addresses out of the system - they're supposed to be private.
I can see from the event logs that the mail queue has sent an email at the time of the incident, but I need to implement deeper logging to find out more I guess.
Would have been useful to know if anyone else had the same problem.
Is it happening for random users once or twice, or is it happening to a small subset of users repeatedly?
Based on the feedback I've got so far, it happens for at least 15 users, some of them only get the mail once or twice, others have received up to 8 mails since June 15. Many of the mails I've seen are sent between 3 and 5 AM.
Have a look at your server logs and have a look at page requests made to the Reset Password page. If one particular IP seems to be making an unnecessary number of requests, you may wish to try IP blocking him.
N.B. to get IPBanning working, you first need to uncomment the IPBanning CSModule from CommunityServer.config, which should look like
<add name = "IPBanning" type = "CommunityServer.IPBanning.Components.IPBanningModule, CommunityServer.IPBanning" />
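One way to do the log review suggested above, as an added example that is not part of the thread or of Community Server itself. It assumes an IIS W3C-style log with the fields shown in the constructed sample and assumes the reset page lives at /user/resetpassword.aspx; adjust both to the real log before running it against production data.

```python
"""Find client IPs that hit the Reset Password page unusually often.

Added example; not Community Server code. The W3C field layout and the
page path below are assumptions: adapt both to the actual IIS log.
"""
from collections import Counter, defaultdict

RESET_PATH = "/user/resetpassword.aspx"   # assumed location of the reset page

# Constructed sample log (IIS W3C style; user agents have spaces encoded as '+').
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2008-06-15 03:12:01 203.0.113.9 GET /user/resetpassword.aspx - 200 Mozilla/4.0+(compatible)
2008-06-15 03:12:09 203.0.113.9 POST /user/resetpassword.aspx - 302 Mozilla/4.0+(compatible)
2008-06-15 03:14:40 203.0.113.9 POST /user/resetpassword.aspx - 302 Mozilla/4.0+(compatible)
2008-06-15 03:15:02 203.0.113.9 POST /user/resetpassword.aspx - 302 Mozilla/4.0+(compatible)
2008-06-15 03:16:55 203.0.113.9 POST /user/resetpassword.aspx - 302 Mozilla/4.0+(compatible)
2008-06-15 04:02:13 198.51.100.7 GET /user/resetpassword.aspx - 200 ExampleCrawler/1.0
2008-06-15 09:30:00 192.0.2.44 GET /forums/default.aspx - 200 Mozilla/5.0
2008-06-15 09:31:10 192.0.2.44 POST /user/resetpassword.aspx - 302 Mozilla/5.0
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) == len(fields):   # skip malformed lines rather than guess
            yield dict(zip(fields, parts))


def reset_requests_by_ip(text, path=RESET_PATH):
    """Per client IP: number of requests to the reset page, plus the user agents
    and hours of day seen, which help tell a script from a person."""
    counts = Counter()
    agents = defaultdict(set)
    hours = defaultdict(set)
    for rec in parse_w3c(text):
        if rec["cs-uri-stem"].lower() != path:
            continue
        ip = rec["c-ip"]
        counts[ip] += 1
        agents[ip].add(rec["cs(User-Agent)"])
        hours[ip].add(int(rec["time"].split(":")[0]))
    return counts, agents, hours


def suspicious_ips(text, threshold=3, path=RESET_PATH):
    """IPs at or above `threshold` reset-page requests, busiest first."""
    counts, agents, hours = reset_requests_by_ip(text, path)
    return [
        {"ip": ip, "count": n, "agents": sorted(agents[ip]), "hours": sorted(hours[ip])}
        for ip, n in counts.most_common()
        if n >= threshold
    ]


if __name__ == "__main__":
    for hit in suspicious_ips(SAMPLE_LOG):
        print(f"{hit['ip']}: {hit['count']} requests at hours {hit['hours']} via {hit['agents']}")
```

The user agents and hours are reported alongside the count because a single address with many requests is not proof of abuse on its own: a proxy or NAT gateway can put many real users behind one IP, so confirm what the flagged address was doing before banning it.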
Thanks, I appreciate your efforts, afscrome!
I eventually found the issue...
To make a long story short: The reset password functionality was called from an external website, and they obviously cached all the content, which was then picked up by the googlebot crawler, complete with email address and everything. So it was googlebot that triggered the password request. Spooky... I haven't reconstructed the whole event chain yet, but it is above suspicion that CS had anything to do with that.
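The two lessons of this thread, the Link-style recovery recommended earlier and the finding that a crawler following a cached copy of the form was enough to trigger a reset, come together in the following added example. It is illustrative code written for this page, not Community Server's implementation; the in-memory user store, the mailer callback, the reset URL and the parameter names are all assumptions. The existing password is left untouched until the mailed link is used, the link is single-use and expires, only a POST can start a reset (a crawler or a cached page issues GETs), the reply is the same whether or not the address is registered, and requests per address are throttled.

```python
"""Password recovery that mails a single-use reset link instead of a new password.

Added example; this is not Community Server code. The user store, mailer,
URL and parameter names are assumptions chosen for illustration.
"""
import hashlib
import secrets
import time
from collections import defaultdict

TOKEN_TTL_SECONDS = 30 * 60         # how long a mailed link stays valid
MAX_REQUESTS_PER_HOUR = 3           # reset mails allowed per address per hour
RESET_URL = "https://example.invalid/user/resetpassword.aspx"  # assumed page


def _digest(token):
    # Only a hash of the token is stored, so a leaked table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


def hash_password(password, salt=None):
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + dk.hex()


def verify_password(stored, password):
    salt_hex = stored.split("$", 1)[0]
    return secrets.compare_digest(stored, hash_password(password, bytes.fromhex(salt_hex)))


class PasswordRecovery:
    def __init__(self, users, send_mail, now=time.time):
        self.users = users                  # email -> {"password_hash": ...}
        self.send_mail = send_mail          # callable(to, body)
        self.now = now                      # injectable clock, for testing
        self._tokens = {}                   # token digest -> (email, expires_at)
        self._recent = defaultdict(list)    # email -> timestamps of sent mails

    def handle(self, method, params):
        """HTTP entry point. Only a POST can start a reset; a GET, which is what a
        crawler or a cached copy of the form would issue, changes nothing."""
        if method != "POST":
            return 405, "Method Not Allowed"
        self.request_reset(params.get("email", "").strip().lower())
        # Identical reply whether or not the address is registered.
        return 200, "If that address is registered, a reset link has been sent."

    def request_reset(self, email):
        now = self.now()
        window = [t for t in self._recent[email] if now - t < 3600]
        self._recent[email] = window
        if len(window) >= MAX_REQUESTS_PER_HOUR or email not in self.users:
            return False                    # throttled or unknown; nothing is sent
        window.append(now)
        token = secrets.token_urlsafe(32)
        self._tokens[_digest(token)] = (email, now + TOKEN_TTL_SECONDS)
        # The current password stays valid; nothing changes until the link is used.
        self.send_mail(email, f"Reset your password: {RESET_URL}?token={token}")
        return True

    def complete_reset(self, token, new_password):
        entry = self._tokens.pop(_digest(token), None)   # single use
        if entry is None:
            return False
        email, expires_at = entry
        if self.now() > expires_at:
            return False
        self.users[email]["password_hash"] = hash_password(new_password)
        return True


def demo():
    """Exercise the flow against an in-memory store; returns the observable outcomes."""
    clock = [1_700_000_000.0]
    sent = []
    email = "fredrik@example.invalid"       # constructed address
    users = {email: {"password_hash": hash_password("old-secret")}}
    svc = PasswordRecovery(users, lambda to, body: sent.append((to, body)), now=lambda: clock[0])
    before = users[email]["password_hash"]

    get_status, _ = svc.handle("GET", {"email": email})
    unknown_status, _ = svc.handle("POST", {"email": "nobody@example.invalid"})
    mails_after_get_and_unknown = len(sent)
    post_status, _ = svc.handle("POST", {"email": email})
    token = sent[-1][1].rsplit("token=", 1)[1]
    unchanged_until_used = users[email]["password_hash"] == before
    first_use = svc.complete_reset(token, "new-secret")
    second_use = svc.complete_reset(token, "another")
    for _ in range(3):                      # 2nd and 3rd mail go out; the 4th is throttled
        svc.handle("POST", {"email": email})
    mails_to_user = sum(1 for to, _ in sent if to == email)
    clock[0] += 3601                        # throttle window has passed
    svc.handle("POST", {"email": email})
    late_token = sent[-1][1].rsplit("token=", 1)[1]
    clock[0] += TOKEN_TTL_SECONDS + 1       # link has expired
    expired_use = svc.complete_reset(late_token, "too-late")
    return {
        "get_status": get_status,
        "unknown_status": unknown_status,
        "post_status": post_status,
        "mails_after_get_and_unknown": mails_after_get_and_unknown,
        "unchanged_until_used": unchanged_until_used,
        "first_use": first_use,
        "second_use": second_use,
        "new_password_works": verify_password(users[email]["password_hash"], "new-secret"),
        "mails_to_user": mails_to_user,
        "expired_use": expired_use,
    }


if __name__ == "__main__":
    print(demo())
```

The decisive difference from a temporary-password design is in request_reset: a request, however it was triggered, only sends mail; the stored password changes only when someone who can read that mailbox follows the link within the validity window.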
Copyright© 2008 Telligent Systems Inc. All rights reserved CommunityServer.com • Telligent.com