chrisblakley / Nebula

Nebula is a WordPress theme framework that focuses on enhancing development. The core features of Nebula make it a powerful tool for designing, developing, and analyzing WordPress websites consistently, yet its deliberately uncomplicated code syntax also serves as a learning resource for programmers themselves.
https://nebula.gearside.com
GNU General Public License v2.0

Consider manually blocking certain email domains in CF7 validation #2248

Closed chrisblakley closed 1 year ago

chrisblakley commented 1 year ago

Seeing some domains come through from like mailinator.com. I'm thinking about manually invalidating some form submissions if this (or additional domains in the future) appear in the email field.

Here's how I'm thinking (untested code):

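```php
//Add custom validation for CF7 form fields
add_filter('wpcf7_validate_text', 'ignore_invalid_email_addresses', 10, 2);
add_filter('wpcf7_validate_text*', 'ignore_invalid_email_addresses', 10, 2);
add_filter('wpcf7_validate_email', 'ignore_invalid_email_addresses', 10, 2); //CF7 email tags are validated through their own hooks, not the text hooks
add_filter('wpcf7_validate_email*', 'ignore_invalid_email_addresses', 10, 2);
function ignore_invalid_email_addresses($result, $tag){
    $type = $tag->type; //$tag is a WPCF7_FormTag object
    $name = $tag->name;
    $value = ( isset($_POST[$name]) && is_string($_POST[$name]) )? trim(wp_unslash($_POST[$name])) : ''; //Missing or array values are treated as empty

    if ( str_contains($type, 'email') || str_contains($name, 'email') || str_contains($value, '@') ){  //Any "email" field - note these conditions may be overkill. the $type contains email may be sufficient
        if ( preg_match('/@mailinator\.com$/i', $value) ){ //If it is from an invalid email address (dot escaped and pattern anchored so only this exact domain matches)
            $result->invalidate($tag, 'Please enter a valid email address.'); //Mark the field invalid through the WPCF7_Validation object
        }
    }

    return $result;
}
```

chrisblakley commented 1 year ago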

For reference, Hubspot does block this (and a bunch of other) domains from forms as well: https://knowledge.hubspot.com/forms/what-domains-are-blocked-when-using-the-forms-email-domains-to-block-feature

Could also incorporate the spam domain list txt file that Nebula already uses for security. That may be overkill for now, though.

chrisblakley commented 1 year ago

The Hubspot list has a .csv available here: https://f.hubspotusercontent40.net/hubfs/2832391/Marketing/Lead-Capture/free-domains-2.csv

Could either manually grab that in Nebula, or programmatically do it like the spam domain list...

chrisblakley commented 1 year ago

Started a get_bad_email_domains_list function in Security.php but need to complete and test it.
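
An added example, not part of the thread and not Nebula's code: one way to check an email address against a domain list like the ones discussed above, comparing the parsed domain exactly instead of pattern-matching the whole string. The function names, the sample list and the choice to also block subdomains of listed domains are assumptions made for illustration.

```php
<?php
// Added example, not Nebula code. Function names and sample data are hypothetical.

// Parse a list in either shape mentioned in the thread: one domain per line (txt)
// or CSV with the domain in the first column. Returns a lookup keyed by lowercase domain.
function example_parse_domain_list(string $raw): array {
    $domains = array();
    foreach ( preg_split('/\R/', $raw) as $line ){
        $domain = strtolower(trim(explode(',', $line)[0], " \t\"'"));
        if ( $domain === '' || $domain[0] === '#' || strpos($domain, '.') === false ){
            continue; // Skip blank lines, comments, and header rows such as "domain"
        }
        $domains[$domain] = true;
    }
    return $domains;
}

// True when the address's domain, or any parent domain of it, is on the list.
function example_is_blocked_email_domain(string $email, array $blocked): bool {
    $at = strrpos($email, '@');
    if ( $at === false ){
        return false; // Not an email address; leave that to the normal validator
    }
    $labels = explode('.', strtolower(rtrim(trim(substr($email, $at + 1)), '.')));
    // Check "a.b.example.com", then "b.example.com", then "example.com"
    while ( count($labels) >= 2 ){
        if ( isset($blocked[implode('.', $labels)]) ){
            return true;
        }
        array_shift($labels);
    }
    return false;
}

// Constructed sample list and inputs
$blocked = example_parse_domain_list("domain\n# disposable\nmailinator.com\n\"Example-Disposable.test\",note\n");
$samples = array(
    'a@mailinator.com',             // blocked: exact match
    'a@MAILINATOR.COM ',            // blocked: case and whitespace are normalized
    'a@inbox.mailinator.com',       // blocked: subdomain of a listed domain
    'a@mailinator.com.example.org', // allowed: listed name is only a prefix of a different domain
    'a@notmailinator.com',          // allowed: different domain
    'a@mailinatorxcom.example',     // allowed: an unescaped "." in a regex would have matched this
);
foreach ( $samples as $email ){
    printf("%-30s %s\n", trim($email), example_is_blocked_email_domain($email, $blocked) ? 'blocked' : 'allowed');
}
```

Inside a CF7 validation callback, the boolean from the hypothetical `example_is_blocked_email_domain()` would take the place of the single-domain `preg_match()` test.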