How to Block Disposable Email Addresses in Your Website's Registration Form

How to block Disposable Email Addresses in your website's registration form?

This is tough, because neither whitelisting nor blacklisting is an option.

By whitelisting certain domains, you disallow people with email domains that are unknown to you (but might be perfectly valid), while by blacklisting you have to update the list of blacklisted domains on a daily basis, since new "10 minute email" domains emerge every day.

Please note that temporary email addresses were invented as a way of saying: "Hey, I don't trust this website with my own email address", so you're most probably not going to trick users who are willing to hide their real address, since they've got a valid reason to do so.

Can't you adopt and implement something like OpenID?

Detect if an email domain is a disposable one

I'd find a list of the most common disposable domains and validate based on that list. A good starting list can be found here:

https://gist.github.com/adamloving/4401361

Finding disposable email addresses

It looks like nodisposablemail.com provides this service. It's got a free account for up to 500 lookups, and pricing goes up from there.

EDIT
Thanks to @abrkn for pointing out that nodisposablemail.com is no longer active. Looks like there's an alternative at block-disposable-email.com, which is free for 200 queries (pricing info for beyond that).

How to avoid registering fake email addresses using the Gmail dot trick

You will not be able to uniquely identify if two arbitrary addresses belong to the same user.

The interpretation of the "local" part of an e-mail address (the bit before the "@" sign) is left to each mail server, so while you may know the special treatment Gmail gives to dots, you cannot come up with a general approach for any e-mail address. Even without leaving Gmail, for instance, you have the "+" trick for different e-mails, let alone the semantics that every other mail server out there may be using. You may try to adapt as you detect abuse; however, it will quickly become a resource-expensive game of cat and mouse.

Depending on the cost of the abuse you may decide to do nothing and live with it, implement some basic rules for the main providers or (if protecting against abuse is valuable enough) request from the user something that is finite, unique to each individual and that has a high acquisition cost. For instance you could do document verification (driver's license, passport, ID card, etc.) or use their mobile to do some SMS verification (obtaining mobile numbers is more expensive than e-mail addresses).
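The following Python is an added example, not code from any of the answers above or from the gist linked earlier. It combines the two ideas from the "Detect if an email domain is a disposable one" and Gmail dot trick answers: a registrable-domain blocklist check that also catches subdomains, and provider-specific canonicalisation (dots and "+tag" collapsed only for Gmail domains) so duplicate registrations can be spotted without pretending the rule holds for every mail server. The blocklist entries are a constructed sample; in practice load and regularly refresh a maintained list.

```python
# Constructed sample blocklist of registrable domains (lower-case). Replace with a
# maintained list such as the gist referenced above; keep it refreshed.
DISPOSABLE_DOMAINS = {"10minutemail.com", "mailinator.com", "throwaway.example"}

# Providers that document ignoring dots and "+tag" in the local part (Gmail).
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def split_address(addr):
    """Return (local, domain) lower-cased, or None if the address is malformed."""
    addr = addr.strip()
    if addr.count("@") != 1:
        return None
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower().rstrip(".")
    if not local or not domain or "." not in domain:
        return None
    return local.lower(), domain


def is_disposable(domain):
    """True if the domain or any parent domain is blocked (e.g. sub.10minutemail.com)."""
    labels = domain.lower().split(".")
    # Walk from the full name up to the registrable parent; never test the bare TLD.
    return any(".".join(labels[i:]) in DISPOSABLE_DOMAINS for i in range(len(labels) - 1))


def canonical_email(addr):
    """Canonical identity for duplicate detection; Gmail rules applied to Gmail only."""
    parts = split_address(addr)
    if parts is None:
        return None
    local, domain = parts
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")  # j.doe+x -> jdoe
        domain = "gmail.com"  # googlemail.com delivers to the same mailbox
    return f"{local}@{domain}"


def check_registration(addr):
    """Return (accepted, reason, canonical) for a submitted registration address."""
    parts = split_address(addr)
    if parts is None:
        return False, "malformed", None
    if is_disposable(parts[1]):
        return False, "disposable-domain", None
    return True, "ok", canonical_email(addr)
```

Store the canonical form alongside the address as entered and compare on that column; other providers' "+" semantics are deliberately left untouched, as the answer above explains.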

Is there a standard domain for testing throwaway email?

You can use example.com. According to the Wikipedia article:

example.com, example.net, and example.org are second-level domain names reserved by the Internet Engineering Task Force through RFC 2606, Section 3, for use in documentation and examples. They are not available for registration.

By implementing the reservation, the Internet Assigned Numbers Authority (IANA) made available domains to use in manuals and sample software configurations. Thus, documentation writers can be sure to select a domain name without creating naming conflicts if end-users try to use the sample configurations or examples verbatim.

When an address such as "yourusername@example.com" is used to demonstrate the sign-up process on a website, it indicates to the user they should fill in an actual e-mail address at which they receive mail. "example.com" is used in a generic and vendor-neutral manner.

These domain names resolve to a server managed by ICANN.

How to block bad users and spammers from inserting undesired data in forums?

I have found that a combination of the following works well:

  • Moderation. You will likely never be lucky enough to prevent 100% of undesirable content
  • Moderated account activation. Although this requires input from you or another moderator, it prevents opportunistic hackers from doing 'drive-by' defacements. You can also review their profile to see if they've included marketing links as their homepage/signature etc. I've caught a number of spammers attempting to register in this manner
  • Replace built-in (vulnerable) captchas with recaptcha
  • Disallow disposable email addresses. There are quite a few of these domains from companies like 10minutemail. If you're looking to attract repeat visitors, nobody should be using a disposable email account
  • Ban IP addresses, not usernames. If you encounter a spammer, ban their IP address to prevent re-registration. There is support in phpBB and other popular forum software for this
  • Use the keyword censoring facility of your forum if present. This is especially useful for preventing curse words if you're running a family-oriented forum. Again, I know phpBB has this feature either in-built or available via a mod
  • Disallow posting of links until the user has posted x number of messages (usually 1-5). Most spammers are opportunistic and will move on to an easier target. Alternatively, enforce moderation for their first message (and don't tell them this beforehand!)
  • Keep track of your active users. Deactivate old users who haven't contributed for, say, 12 months. You can always reactivate them if they request it

Note that none of the above really tackles the issue head-on, which never really works. I believe it's better to manage the users before they post rather than clearing up after them.

Best of luck with your solution. Moderating a forum can be very rewarding, even if undesirables can make your life hell at times!
