Alovoa / alovoa

Free and open-source dating platform that respects your privacy
https://alovoa.com
GNU Affero General Public License v3.0

Registration Allows Disposable Email Addresses #53

Open cyborgboy opened 3 years ago

cyborgboy commented 3 years ago

Although prevention measures were taken, I am still able to register an account with a temporary email.

I am successfully able to register multiple fake accounts with the temporary mails available at temp-mail.org

Nonononoki commented 3 years ago

Unfortunately there is no list that's always up to date with all domains of disposable email providers, because their domains change very frequently. I just added the one you mentioned to the blacklist 313ef8aba21f5d14b933060f9af313be62b49e0c, but they will just change their domain or users can just use another. Leaving this issue open if someone has a better idea.

mintedony commented 3 years ago

Maybe it's extreme but what about a whitelist? General user emails like Protonmail, Tutanota, Google, Yahoo, Live.com. There's lots of them.

Then it becomes a problem for people that self-host or have vanity domains though... It is a hurdle to have to open a Github account to request your domain be whitelisted.

Maybe you could have a support email to contact to whitelist the address, but that's a lot of extra work for the service maintainer.

Nonononoki commented 3 years ago

@mintedony I don't think having a whitelist for email providers is a good idea. There are probably more legit domains out there than spam domains. This is just annoying for those users with legit email addresses that are not in a whitelist and deters them from creating an account.

fapdash commented 2 years ago

I don't think disposable emails are the biggest problem. If someone can bot account creation here then there is a good chance that they can also bot email account creation somewhere, although it has been getting harder over the last couple of years.

I think community moderation is one part of the solution. OkCupid promotes power users to community moderators who vote on reports. This makes it easier to react to reports in a reasonable time. My assumption is that good moderation can deal with fake accounts created manually.

We might be able to build an auto-reporting system that uses TinEye or Google reverse image search to report profiles if they upload images that have a lot of matches. Auto-deletion is a recipe for disaster though, imo, so I think the ultimate decision if an account is a fake account and should be deleted should be done by a user.

Another part is making it harder to bot. Alovoa already uses a captcha, which is great, but captchas are often easily broken. There are https://friendlycaptcha.com/ and https://www.hcaptcha.com/ as privacy focused captcha providers. This could be an option if automated account creation ever gets out of hand.

Captchas can be combined with e.g. a honeypot field that is invisible to the user, so only bots will fill it out. (have to hide it in a way that it's hard to detect that it's not visible, of course) Rejecting form submits that happen too fast is also an option. A real user will never fill out the registration form in less than a few seconds. Since this is open source, a bot creator can always look at the code and write a custom solution that evades our protection / we can't count on security by obscurity. :shrug:
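
Added example, not part of the thread and not Alovoa's code: a server-side check in Python for the honeypot field and minimum fill time suggested in the comment above. The field name `website`, the thresholds and the key are assumptions; the form render time is HMAC-signed, so the check holds even when the source is public.

```python
import hashlib
import hmac
import time

# Assumptions (not from the Alovoa code base): key handling, thresholds, field name.
SECRET_KEY = b"constructed-demo-key"   # in production: random and kept server-side
MIN_FILL_SECONDS = 4                    # "a few seconds" from the comment above
MAX_FORM_AGE_SECONDS = 3600             # older forms must be reloaded
HONEYPOT_FIELD = "website"              # hypothetical decoy field, hidden via CSS


def _sign(ts):
    return hmac.new(SECRET_KEY, ts.encode(), hashlib.sha256).hexdigest()


def issue_form_token(now=None):
    """Return 'timestamp.signature' to embed in the form as a hidden field."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_sign(ts)}"


def check_submission(form, now=None):
    """Return (accepted, reason) for a submitted registration form (a dict)."""
    now = time.time() if now is None else now
    # 1. Honeypot: a human never sees the field, so any value marks a bot.
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot_filled"
    # 2. The render time must carry a valid MAC, or a client could backdate it.
    ts, _, sig = form.get("form_token", "").partition(".")
    if not ts.isdigit() or not hmac.compare_digest(sig.encode(), _sign(ts).encode()):
        return False, "bad_token"
    elapsed = now - int(ts)
    # 3. Timing: too fast means scripted, too old means a stale or replayed token.
    if elapsed < MIN_FILL_SECONDS:
        return False, "too_fast"
    if elapsed > MAX_FORM_AGE_SECONDS:
        return False, "token_expired"
    return True, "ok"
```

A valid token can be reused until it expires, so this check belongs next to rate limiting rather than in place of it.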

waweic commented 2 years ago

Definitely do not, under any circumstance, send any of my images (or rather, any of my data) to any online service. If I trust you (which I do not, at the moment) that absolutely doesn't mean I trust anyone else with my data.

By the way, I am one of those users who uses a custom domain for their E-Mail-Addresses. Please don't exclude me. Also, please don't use hCAPTCHA, it sucks. Yes, it really does, almost as much as reCAPTCHA. I have to do about 8 of them, every time I want to log in somewhere and half of the time, it fails. Also, it's almost as slow as reCAPTCHA.

How do you think about invite codes / having to get "verified" by some other user? This could, in theory, even be gamified in some ways

fapdash commented 2 years ago

> Definitely do not, under any circumstance, send any of my images (or rather, any of my data) to any online service. If I trust you (which I do not, at the moment) that absolutely doesn't mean I trust anyone else with my data.

This would not be (legally) possible without your consent. GDPR requires that such changes be reflected in the Privacy Policy. You would then have 30 days to decide if you want to keep using the service or delete your account and data.

But I think you are right. It would not be in line with the privacy focused nature of Alovoa to send pictures to commercial entities. I had hoped that it would be possible to just send a perceptual hash to an API but it seems like this is not possible. If one would want to build an automated system then we could compare perceptual hashes against the existing pictures on the platform to detect bots that reused pictures but I don't know if that is really that helpful.

A good moderation system is probably way more helpful. Here is the documentation describing the system on OkCupid that I referenced earlier: https://help.okcupid.com/article/168-photo-voting Don't know if it makes sense to copy that formula but I think it's an interesting approach.

I did photo voting on OkCupid myself for a while and we would routinely check profile pictures with Google Image Search or TinEye to make decisions. Romance scams and sextortion are serious problems in online dating so it's a difficult trade-off between privacy and security sometimes. But we should always strive to protect users without violating their privacy, so thank you for the reminder. :)

> By the way, I am one of those users who uses a custom domain for their E-Mail-Addresses. Please don't exclude me.

:+1:

> Also, please don't use hCAPTCHA, it sucks. Yes, it really does, almost as much as reCAPTCHA. I have to do about 8 of them, every time I want to log in somewhere and half of the time, it fails. Also, it's almost as slow as reCAPTCHA.

Captchas are broken by design and are bad UX but it's also an easy fix to stop many of the basic attacks, so I'm torn on the issue. I'm sorry to hear that you had such bad experiences with hCaptcha. For me it works great and I never had to solve multiple hCaptcha captchas before. Maybe the sites where this happens have set the captchas to the highest difficulty? I often have to reload the current captcha system on Alovoa multiple times until I can solve one. :shrug: The current system is also not accessible for people with visual impairment.

> How do you think about invite codes / having to get "verified" by some other user? This could, in theory, even be gamified in some ways

@waweic How would you stop people from just verifying anyone or giving out invites on reddit / forums to strangers? Ban them as well if an account that they verified gets banned? Or do you think this wouldn't be a problem?

waweic commented 2 years ago

I don't think giving out invite codes to strangers would be a problem, as long as they can only be used once. Maybe it would be possible to assign some level of "trust" to these invite codes, so you could only invite maybe one stranger per week, but as many friends, acquaintances and relatives whom you trust at least a bit not to be bots or invite bots, as you like? That way, the actions of total strangers wouldn't need to impact you, but the actions of people you mark as "trusted", could.

I think interaction with actual humans is often a lot too much effort for these low-effort bots.

An added benefit of these "invite codes" could be that they are actual invitations to the platform and promote organic growth.

Btw I absolutely agree with you that a working system for moderation is incredibly important on a platform like this.

I don't believe analyzing the pictures for repetition or existence on other platforms will have any effect whatsoever (maybe, with some of the low-effort bots, it will, but in a very short time, it will be incredibly easy to generate authentic profiles (pictures + text) using AI like https://thispersondoesnotexist.com and/or GPT-3).
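
Added example, not part of the thread and not Alovoa's code: an in-memory Python model of the invite-code scheme proposed earlier in the comment above (single-use codes, one "stranger" invite per week, unlimited "trusted" invites that tie the inviter to the invitee). All class and method names are hypothetical.

```python
import secrets

WEEK = 7 * 24 * 3600  # quota window for stranger invites, per the comment above


class InviteRegistry:
    """In-memory model; names are hypothetical, not Alovoa's API."""

    def __init__(self):
        self.codes = {}           # code -> {"inviter", "trusted", "used_by"}
        self.last_stranger = {}   # inviter -> time of their last stranger invite

    def issue(self, inviter, trusted, now):
        """Create a single-use code; stranger codes are limited to one per week."""
        if not trusted:
            last = self.last_stranger.get(inviter)
            if last is not None and now - last < WEEK:
                return None  # weekly stranger quota already spent
            self.last_stranger[inviter] = now
        code = secrets.token_urlsafe(16)  # unguessable, so codes cannot be enumerated
        self.codes[code] = {"inviter": inviter, "trusted": trusted, "used_by": None}
        return code

    def redeem(self, code, new_user):
        """Consume a code; unknown or already used codes are rejected."""
        entry = self.codes.get(code)
        if entry is None or entry["used_by"] is not None:
            return False
        entry["used_by"] = new_user
        return True

    def inviters_to_review(self, banned_user):
        """Only an inviter who marked the banned account as trusted is affected."""
        return [e["inviter"] for e in self.codes.values()
                if e["used_by"] == banned_user and e["trusted"]]
```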

ip6li commented 1 year ago

temp-mail.org has round about 30% false positives and most disposable email providers change their domains every few days. It should not be used to detect disposable email providers.