From 72123acd4dcf80301ac46b3fd817d21ecc4c212f Mon Sep 17 00:00:00 2001
From: "Rob Swindell (on Debian Linux)" <rob@synchro.net>
Date: Mon, 30 Jan 2023 15:41:59 -0800
Subject: [PATCH] Don't allow QWKnet accounts with login IDs that match the account password

Don't give QWKnet accounts the 'M' (email messages per day) exemption by default as this has been abused by email spammers. These are security/anti-spam improvements.
---
 exec/newuser.js | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/exec/newuser.js b/exec/newuser.js
index 646b04c112..a9e053ce65 100644
--- a/exec/newuser.js
+++ b/exec/newuser.js
@@ -1,11 +1,5 @@
-// newuser.js
-
 // New user login module
 
-// $Id: newuser.js,v 1.30 2019/04/28 23:25:44 rswindell Exp $
-
-// @format.tab-size 8, @format.use-tabs true
-
 load("sbbsdefs.js");
 
 const QWK_ID_PATTERN = /^[A-Z]\w{1,7}$/;
@@ -63,6 +57,9 @@ function chk_qwk_id(str)
 if(system.trashcan(str))
 return(false);
 
+ if(str.toLowerCase() == user.security.password.toLowerCase())
+ return(false);
+
 return(true);
 }
 
@@ -76,7 +73,8 @@ if(qnet) {
 printf("This is an invalid QWK ID. Your QWK ID MUST be ");
 printf("between 2 and 8 characters in\r\n");
 printf("length, must begin with a letter and contain only valid ");
- printf("DOS filename characters.\r\n\r\n");
+ printf("DOS filename characters.\r\n");
+ printf("Your QWK ID cannot be the same as your password.\r\n\r\n");
 printf("\1y\1hYour correct QWK ID (as configured in your ");
 printf("BBS software) is: ");
 alias=console.getstr(8,K_UPPER|K_LINE|K_NOEXASC);
@@ -88,7 +86,6 @@ if(qnet) {
 user.security.exemptions|=UFLAG_L;
 user.security.exemptions|=UFLAG_T;
 user.security.exemptions|=UFLAG_D;
- user.security.exemptions|=UFLAG_M;
 }
 
 if(options.ask_sysop
--
GitLab
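Review bot: The ID-equals-password rejection added to `chk_qwk_id` takes effect only when this new-user module runs, so QWKnet accounts created earlier, or a password later changed to match the QWK ID, are presumably not covered by it. The same limit applies to the `UFLAG_M` removal in the last hunk, which leaves the exemption on every QWKnet account that already holds it; a one-off audit of existing QWKnet accounts for both conditions would close the gap. The check also makes `chk_qwk_id(str)` depend on the global `user`, which deserves a comment such as `// reject an ID equal to the account password (case-insensitive); reads the current user's password`. The comparison could use `===` since both operands are strings. The body of `chk_qwk_id` starts outside the hunk, so earlier checks in it are not visible here.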