29 Apr, 2009, Grimble wrote in the 1st comment:
Votes: 0
I'm thinking of adding in email-based account verification to my server.
That is, a valid email address is required to which an auto-generated
password is sent when creating a new account. The user can change the
account password after login. Resetting a forgotten password would use
the same mechanism.

I assume there are other servers that have done this, and I'm curious as
to the solution used. In the very brief time I spent looking into
generating emails from an applciation, the two best/simplest options seem
to be piping to ssmtp (a very lightweight MTA) or building the equivalent
SMTP capability right into the server. Have I missed any alternatives?
29 Apr, 2009, David Haley wrote in the 2nd comment:
Votes: 0
We have this on my MUD and I would recommend against it. It's caused more trouble than worth. You can't use it to track people because they can create new accounts. In the meantime, you annoy people who just want to quickly try out your game. I've been meaning to remove it for a while now and only haven't due to procrastination.

But, to answer your question, we do it by piping to sendmail. I don't think it's a terribly good idea to build SMTP into the server. For starters, you'll have to handle all kinds of things like greylisting, or any other temporary failure in sending the email, and so forth. Using the system's mailer will get around that with nothing more complicated than a straight pipe.
29 Apr, 2009, Grimble wrote in the 3rd comment:
Votes: 0
Yes, I was wondering about the effectiveness of the anti-griefing side to doing this (I'm equally interested in the password reset/recovery side of it). Do people really bother setting up new email accounts just to be a PITA? Evidently yes.

What if one were required to play through an introductory area or two, and to then provide a valid email before proceeding further? Basically the account is initially quarantined, and requires some investment of time and effort before joining the general population.
29 Apr, 2009, David Haley wrote in the 4th comment:
Votes: 0
If the goal is password reset/recovery (which I agree is pretty important), one can associate an email address with a character, rather than characters with an email address. So people are prompted to enter an address for their character, with the note that if they don't, they can't easily reset/recover passwords.

I'm not sure how effective any kind of quarantine is, really, because again if somebody's just trying to get a feel for the game, they can't really do that if they're not actually playing it.

I think that if somebody is trying to create lots of characters and be a PITA, you could just ban that IP.

Basically I'm gravitating towards accepting the cost of dealing with trouble makers, but getting the gain of convenience for people I actually want to come and stay.
In practice I've very rarely had to worry about somebody really messing with making lots of characters, so the account system hasn't been at all useful. And in those rare instances where it was a problem – when the person really was motivated to cause trouble – they would just create a throwaway hotmail/etc. email and get around the account system anyhow.
29 Apr, 2009, elanthis wrote in the 5th comment:
Votes: 0
Only way you're even going to come close to uniquely identifying a person for the purpose of banning griefers is to require pay-to-play with a credit card and ban the CC info (which you should under no ****ing circumstance be storing – let the payment service deal with that kind of secure data – you need to rely on things like the last 4 digits, zip code, etc., or a unique token generated by your payment service). Users can have multiple cards, but they won't have many, and it's significantly harder to get a new CC than it is to get a new email address.

Of course, good freaking luck getting anybody to pay for a MUD, especially new users, even if it's a fantastic one. Even with a free trial period, you're going to drive off far more good users with such a system than you ever will bad ones.
29 Apr, 2009, quixadhal wrote in the 6th comment:
Votes: 0
One way you could handle this would be to require ssh keypairs. Sure, it's not that hard for the user to generate another pair and apply for another account, but it's a step harder than using a throw-away email account to "register". It would allow you to not need passwords, and you could disable accounts by just flipping off that key on the server end.

While I would love to be able to just "ssh foomud" and be logged in, I'm sure many would whine about tinyfugue/tintin/zmud/shinyhappymudclient not working too.
29 Apr, 2009, David Haley wrote in the 7th comment:
Votes: 0
ssh keypairs sounds like a huge impediment to letting people easily log on… far worse than an email account system. It'll make normal people very unhappy and not really make too much of a difference for people really determined to annoy you.
29 Apr, 2009, quixadhal wrote in the 8th comment:
Votes: 0
Yep, all it really does is make it easier to manage multiple characters per account. It won't *prevent* cheating. I'm afraid even the credit card solution won't do that (as evidenced by people doing it in MMO's).

If you wanted ease of login, you could take a tip from other MMO's and have a newbie area which is open via telnet, but require your more elaborate registration/ssh/etc for the main part of the game… again, nothing will stop cheaters except the admin watching for them.
29 Apr, 2009, David Haley wrote in the 9th comment:
Votes: 0
Well, I think the point with credit cards is that it's far harder to cheat with credit cards (you have to actually apply for the card and all that) than it is to make a new email address or generate a new key, if you're determined to do so. If anything, you have to wait longer for the new card than for the address or key.

Still, as Elanthis said, credit cards are basically out of the question for MUDs.
29 Apr, 2009, Scandum wrote in the 10th comment:
Votes: 0
I wrote a snippet for emailing backups a while ago that may be of interest.

http://www.mudbytes.net/index.php?a=file...
30 Apr, 2009, elanthis wrote in the 11th comment:
Votes: 0
quixadhal said:
Sure, it's not that hard for the user to generate another pair and apply for another account, but it's a step harder than using a throw-away email account to "register".


The idea that it's harder to generate an SSH key than a hotmail account is pretty absurd, assuming we're talking about someone who can figure out how to make keys at all… and those who can't are mostly going to be the players you want anyway.

Quote
I'm afraid even the credit card solution won't do that (as evidenced by people doing it in MMO's.


MMOs don't ban the credit cards. They just wipe the account. The idea is that that teaches the cheater to stop cheating while still allowing the (hopefully) ex-cheater to throw more money at the company.

David Haley said:
If anything, you have to wait longer for the new card than for the address or key.


Yeah, basically. You can't make it impossible, just "harder than it's worth." The advantage of a credit card is that just about everyone has one these days, so you're not really locking out a ton of valid users. Teens and kids, mostly, and personally I don't care to have them around anyway. (And actually, I had a Mastercard-backed debit card through my checking account when I was 16, and I'd imagine that's even more common a decade later.)

Scandum said:
I wrote a snippet for emailing backups a while ago that may be of interest.


I'm pretty sure he wants to be able to send emails generated by the server itself, not just schedule scripts to send external data files. I think it was mentioned above: you really just need to use popen() to execute "/usr/sbin/sendmail -ti" (make it configurable; some systems use /usr/bin/sendmail or /usr/libexec/sendmail) and then fprintf() out a valid RFC2822 message. Email reminders/retrieval and verification doesn't require MIME or files at all so it's really easy. The hardest part will literally be generating the Date header, and only because the C API for that kind of stuff requires a few too many steps (locale setting being the biggest pita).

Simple example (no error checking) off the top of my head:

/* open sendmail for writing */
FILE *mh = popen("/usr/sbin/sendmail -ti", "w");

/* generate RFC2822 date string; assumes C locale or compatible in use */
char date_string[32];
time_t t = time(NULL);
strftime(date_string, sizeof(date_string), "%a, %d %b %Y %H:%M:%S %z", gmtime(&t));

/* generate basic/required RFC2822 headers;
* note extra newline on last header */
fprintf(mh, "From: noreply@mymud.com\r\n");
fprintf(mh, "To: %s\r\n", user_email);
fprintf(mh, "Date: %s\r\n", date_string);
fprintf(mh, "Subject: [mymud] password retrieval\r\n\r\n");

/* email body; note that the forum is adding [ url ] tag to the line in the middle, sorry */
fprintf(mh, "This mail is being sent to you because you or someone else has requested password\r\n");
fprintf(mh, "retrieval for the account %s. If you requested your password to be reset, please\r\n", user_account);
fprintf(mh, "click on the following link (or copy it into your browser's address bar):\r\n\r\n");
fprintf(mh, " http://mymud.com/resetpassword.cgi?key=%...", reset_key);
fprintf(mh, "If you did not request for your password to be reset, please ignore this email.\r\n\r\n");
fprintf(mh, "Thank you,\r\n");
fprintf(mh, "– My MUD Team\r\n");

/* clean up */
fclose(mh);
30 Apr, 2009, KaVir wrote in the 12th comment:
Votes: 0
elanthis said:
The advantage of a credit card is that just about everyone has one these days, so you're not really locking out a ton of valid users. Teens and kids, mostly, and personally I don't care to have them around anyway.

What about international players? Credit cards aren't so popular in all countries.

Here in Germany, you have to pay a monthly fee to own a credit card, and any transactions made with them are immediately paid off from your bank account. Add to that the fact that many shops and restaurants don't actually accept credit cards, and it's hardly surprising that a lot of Germans don't own them. I remember one time when my parents were visiting, and my dad tried to buy something for his camera from one of the big electronics retail stores - then realised that they didn't accept credit cards.

I kept my UK credit cards when I moved here, but I only use them for online transactions, or when I'm back home in the UK. I wouldn't bother playing a mud which required my credit card details though.
30 Apr, 2009, Grimble wrote in the 13th comment:
Votes: 0
I can't explain it, but whenever I see Kavir's icon above I'm reminded of this.
30 Apr, 2009, Sandi wrote in the 14th comment:
Votes: 0
KaVir said:
Here in Germany, you have to pay a monthly fee to own a credit card, and any transactions made with them are immediately paid off from your bank account.


Here in the US, we call that a 'debit' card.
30 Apr, 2009, David Haley wrote in the 15th comment:
Votes: 0
KaVir said:
I wouldn't bother playing a mud which required my credit card details though.

Of course, it's a good thing nobody actually suggested that, and in fact people said it would be a terrible idea. :tongue: It was brought up merely as an effective way of identifying people (as opposed to email) and something that's hard to replace.

KaVir said:
I remember one time when my parents were visiting, and my dad tried to buy something for his camera from one of the big electronics retail stores - then realised that they didn't accept credit cards.

I would be shocked if a big electronics retail store didn't accept any form of plastic. There's no way I would wander around with enough cash to buy electronics. How long ago was this? Cards are also less omnipresent in France than in the US, and many places won't accept them for small transactions (they have $15 minimums for example) but all stores that actually sold stuff esp. in large quantities or with large prices took cards.

I use the word 'card' intentionally above to mean credit or debit. I suspect that the card you described was in fact a debit card, as by definition a credit card is not paid off immediately. In France, very few people have actual credit cards; most people have debit cards. In fact, as in most of Europe I believe, credit in general is far less ubiquitous than in the US.
30 Apr, 2009, KaVir wrote in the 16th comment:
Votes: 0
David Haley said:
I would be shocked if a big electronics retail store didn't accept any form of plastic. There's no way I would wander around with enough cash to buy electronics. How long ago was this?

It was around 4 or 5 years ago. They accepted EC cards, which pretty much everyone in Germany has, but not credit cards. I'm not sure if that's still the case, as I never use my credit cards here, but I'll keep an eye out next time I'm in one of their stores.

David Haley said:
I use the word 'card' intentionally above to mean credit or debit. I suspect that the card you described was in fact a debit card, as by definition a credit card is not paid off immediately.

It could be (although it was a VISA card and Mastercard, not an actual bank account). I spoke to a colleague earlier, and he said he doesn't have to pay off his credit cards until the end of each month. Interestingly enough, he said he only got the credit cards for his vacation to the US ;)
30 Apr, 2009, David Haley wrote in the 17th comment:
Votes: 0
Yes, credit cards are paid off at the end of the month, whereas purchases made with debit and other debit-like cards are directly, well, debited from your account. Note that cards like Visa etc. can be either debit or credit cards, and are often tied straight into a bank account (especially in the US).

In the US, you also have cards that can act like credit cards when you make purchases but are still directly debited. However when you use it in debit mode, the sum is immediately deducted; when used in credit mode the sum is deducted later (I'm assuming it takes more time to process??) even though you're still not paying it off at the end of the month.

One of the more surprising things for EU visitors to the US is that you almost never use a PIN to authorize transactions but instead sign a little receipt. And conversely, US visitors to the EU are often surprised that they're ill equipped to deal with cards that require signatures.
30 Apr, 2009, Scandum wrote in the 18th comment:
Votes: 0
PIN transactions with debit cards have been widely available in Europe since the early nineties, and I remember my Dutch debit card working on American ATMs when I was in the USA back in 1999, so there's no real need for a credit card when visiting the US, though it's advisable to withdraw large sums of cash at once because of fees.

An interesting thing to note is that American debit cards often work like credit cards, so the bank will pay if you overdraft your account, but will charge you a fee for their 'service' which is generally around 30$ or so. For a West European it's hard to imagine how littering is good for a 1000$ fine and butt cheeks are censored on TV, but banks scamming their customers is somehow acceptable.
30 Apr, 2009, David Haley wrote in the 19th comment:
Votes: 0
Scandum said:
so there's no real need for a credit card when visiting the US, though it's advisable to withdraw large sums of cash at once because of fees.

Many vendors here are not equipped to deal with debit cards that require PINs, so yes, while it's possible to just get a lot of cash and carry it around, if you'd rather not wander around with hundreds of dollars, you do need a card that works with the signature system. (You don't need an actual line of credit type of card, just one that acts like a credit card w.r.t. signatures.)

Scandum said:
An interesting thing to note is that American debit cards often work like credit cards, so the bank will pay if you overdraft your account, but will charge you a fee for their 'service' which is generally around 30$ or so. For a West European it's hard to imagine how littering is good for a 1000$ fine and butt cheeks are censored on TV, but banks scamming their customers is somehow acceptable.

I'm not sure how this is scamming the customer. If they don't have a line of credit, they're not supposed to overdraft, plain and simple. Many banks allow you to set this as an option: simply block overdraft charges, or let them go through and pay the overdraft fee.
30 Apr, 2009, elanthis wrote in the 20th comment:
Votes: 0
KaVir said:
It was around 4 or 5 years ago. They accepted EC cards, which pretty much everyone in Germany has, but not credit cards. I'm not sure if that's still the case, as I never use my credit cards here, but I'll keep an eye out next time I'm in one of their stores.


Five years ago I still needed cash at some restaurants. I remember the embarrassment of taking out a lovely young woman and her end up having to pay because only after the meal did I find out they didn't take any kind of card. Sucked. Today, any restaurant that doesn't take cards would go out of business. Even the fast food places all take cards.

Heck, even the ren faires and stuff all take cards now – portable battery-powered radio-transmitter card readers. (Which, incidentally, kind of sucks, because now prices have raised quite a bit at those things because they don't have to worry about their customers carrying only small amounts of cash around.)

David Haley said:
I'm not sure how this is scamming the customer. If they don't have a line of credit, they're not supposed to overdraft, plain and simple. Many banks allow you to set this as an option: simply block overdraft charges, or let them go through and pay the overdraft fee.


I agree with Scandum. The overdraft thing is disgusting. If the bank has options to protect the customer, those should be in effect _by default_, and not an opt-in thing you have to explicitly ask for… if your bank actually has them. Mine only has a line of credit option which I have, but a lot of Americans (especially these days) won't qualify for a line of credit.
0.0/29