The users can change the Email field in the invitation email.
So they can use Limesurvey to send anyone an email using any other email (friend@email.com) that they don't own, and the recipient will see an email from a "friend" email.
Anyone faced this problem?
Any solution?

ahmadaub wrote: The users can change the Email field in the invitation email.

The admin user ?

Because other user can't change email in token table.

the superadmin of course can.
But also the administrators of the surveys.

We use limesurvey in the University, accounts are created for students to do survey for research, they administrators on their surveys. But they can change the "From" in the email invitation to "mimic" any other email address they want.

PLease : put a Feature request. I don't think we block this but.

With any other online tools sending emails you can enter mostly any "from:" address so faking the sender is not a Limesurvey issue but can also be done with most email clients.

Usually spoofed emails like this will be marked as spam by the receiving mail server. However I agree that this might be a problem if used under a valid domain in your scenario.
A feature request is still a good idea. For now you might want to fix the email sender to the address of the related administrator (so a code change).

Hi,
Plugin event : beforeTokenEmail can easily be used for this, i think.

Denis