Recently I ran into a very unusual problem with a new Joomla installation: New users who registered on the site were being automatically and immediately approved and activated after they had clicked the verification link in their “welcome” email. This, in spite of the fact that the system was set to require Administrator review and approval, and in spite of the fact that the process had been thoroughly tested and worked properly on the development server. For some reason it was automatically approving them on the live site.
The way the process is supposed to work in Joomla is that the user gets an email with a link and token in it to verify his email address and intent. When he clicks the link, Joomla replaces the token and state in the user table and sends out a new email, with a new token in it, to the system administrator(s). Of particular interest here, these are one-click emails: when someone clicks that link, the action happens in Joomla. The assumption is that only the targeted user is going to have that email with that link.
I did a lot of Googling to try and find out what was going on, and while there were lots of references to other people experiencing the same problem, there was never any fix described, and lots of “cannot reproduce the problem”. I even added a number of logging/debugging statements to the registration programs of the Joomla users component to try and figure out what was going on, only to discover that yes indeed, the process was being driven a second time, immediately after the user verified his/her email. Frustrating.
Finally I found a closed but recent problem report at the Joomla issue tracker that looked like it still had a little life, and started posting some of my log findings and other observations to that, in hopes that might jog something in someone’s mind. And lo and behold, it did! A kind poster from out of the blue made a comment that he had found it was his ISP’s spam filter checking that link and driving the process, and he had solved it by blocking the IP of the spam filter in his .htaccess. I altered my logging to catch IP addresses as well, and there was a 2nd IP address running that admin link, and it resolved back to the ISP. Then I DENY’ed the IP in .htaccess and success! So there ya go.
I didn’t think this was really the correct way to address the issue long term, though, so I consulted my ISP, who said this was a result of “Barracuda’s Multi-Level Intent filter. It’s going to his link to verify that it’s not redirecting to a spam website.” They ended up white-listing my site and I could remove those .htaccess DENY statements. The ISP also offered up the following blog link from MailChimp that indicates this is a more widespread issue than just Joomla.
https://blog.mailchimp.com/spam-filters-automatically-unsubscribing-people/
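The log check described above, written out as an added example that is not part of the original post or of Joomla: it scans a web server access log for activation-link requests and flags one that arrives seconds after another, from a different IP and with a different token. The log lines, IP addresses, tokens and the `task=registration.activate&token=` URL shape are constructed assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed access-log lines (Apache combined format, documentation IP ranges).
# The URL shape is an assumption about how the activation link looks in the log.
SAMPLE_LOG = """\
198.51.100.23 - - [12/Mar/2018:10:15:02 +0000] "GET /index.php?option=com_users&task=registration.activate&token=aaaa1111 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2018:10:15:05 +0000] "GET /index.php?option=com_users&task=registration.activate&token=bbbb2222 HTTP/1.1" 200 5098 "-" "-"
198.51.100.77 - - [12/Mar/2018:14:40:11 +0000] "GET /index.php?option=com_users&task=registration.activate&token=cccc3333 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.50 - - [12/Mar/2018:16:02:47 +0000] "GET /index.php?option=com_users&task=registration.activate&token=dddd4444 HTTP/1.1" 200 5101 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET \S*task=registration\.activate&token=(\w+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def activation_hits(log_text):
    """Return (time, ip, token) for every activation-link request, oldest first."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, token = m.groups()
            hits.append((datetime.strptime(ts, TS_FMT), ip, token))
    return sorted(hits)


def suspect_auto_clicks(log_text, window=timedelta(seconds=30)):
    """Flag an activation request that follows another one within `window`,
    from a different IP and with a different token: the pattern left when a
    mail filter fetches the administrator's link right after the user verifies."""
    hits = activation_hits(log_text)
    flagged = []
    for (t0, ip0, tok0), (t1, ip1, tok1) in zip(hits, hits[1:]):
        if t1 - t0 <= window and ip1 != ip0 and tok1 != tok0:
            flagged.append({"ip": ip1, "token": tok1,
                            "seconds_after": (t1 - t0).total_seconds()})
    return flagged


if __name__ == "__main__":
    for hit in suspect_auto_clicks(SAMPLE_LOG):
        print(hit)
```

A flagged address can then be reverse-resolved, as in the post, to see whether it belongs to a mail filter.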
And so, to bring a long story from a slow typist to a close, you can read the whole story yourself in more excruciating detail at the Joomla issue tracker site: