Open jimjoh opened 3 years ago
I don't know about domain blocklists being "popular" but they are extremely valuable and important for keeping spammers under control. Disposable domains do have a purpose and I personally use them regularly (multiple times per week). That being said, the reason that I use this list is because spammers create dozens of disposable emails per day to comment on my site. Without this list the only alternative is to turn off comments entirely which is obviously not ideal.
...the reason that I use this list is because spammers create dozens of disposable emails per day to comment on my site. Without this list the only alternative is to turn off comments entirely which is obviously not ideal.
Thanks for the reply @Paxamime. This ended up being discussed more in https://github.com/ivolo/disposable-email-domains/issues/846. I understand the desire to reduce comment spam, but wouldn't comment moderation be a more appropriate tool for the job?
Our site receives close to 10,000 spam messages per month from authenticated users. There is no way to moderate that without a significant amount of cost.
It's completely about how the list is used. I am greatly opposed to people deciding to blanket block swathes of domains on some public, free-for-all service, but even in terms of email management (spam prevention) a list like this one would be extremely useful for, say, a SpamAssassin rule that gives these addresses a small score bump as they're less trustworthy.
With that being said I believe there should be different lists for temporary address providers, forwarding services, etc.; with a domain appearing in multiple lists if they do more than just one of those things.
And ideally there would also be a huge disclaimer at the top of the README warning people about using these lists and telling them to consider the consequences that might not be obvious to them. The reality is that the best we can do is educate; if people weren't using this list, someone else would create another one.
When you send email out to users that signed up to your service you want those mails to reach their destination, because if they end up bouncing most SMTP providers will get very mad with you for "abusing" their service for spam. It's notoriously difficult to maintain good graces for a mailserver and not be put on blacklists these days with all the spam that goes around. When the user then elects to use a dead email or something that causes it to bounce it makes it ever more frustrating to deal with and ultimately creates losses in time = money. Especially if they specifically select that they want newsletters or information on their accounts, or even basic things like resetting one's password via email, if that ends up being the only identifier and then you get support requests asking to change the email without having any way to verify it is really them. The surprise that is quoting the same privacy laws back to them, in regards to not changing personally identifiable information like an email address on an account without being able to verify, leaving the account dead in the water, would be funny if it didn't constitute a potential loss on either end.
As a platform provider, making sure the users signing up are doing so with a proper email they have access to and will read is vital when communication or support requires there to be a form of contact that is inherently tied to a human being. The extent of this issue is that the list I have now has nearly 200,000 email domains on it that are either known to bounce, are disposable providers or notorious for even just not working right 90% of the time. With gTLDs ever growing I expect that number to explode massively, and with ever more "privacy conscious" users out there mistrusting platforms (even though for some reason buying an Alexa or other home device that constantly listens in on things is perfectly fine for them) it will eventually have to flip to a whitelist type system of email providers known to be proper.
I had to switch my entire mailing system and spend extra money each month to handle things because of all the bounces that still happen from full inboxes and the like, outside of all the disposable stuff, which easily puts you over any quota for how much you can bounce before being considered a spammer even if your intent is the opposite. It just ends up too much of a hassle to deal with "privacy conscious" users without a clue as to what problems they create for themselves down the line with this stuff. Never mind that I find it rather tasteless to pretend platforms by default don't adhere to privacy laws when they don't otherwise care for their data being spread all over the internet by the larger corporations that truly don't care because they can eat the fines without skipping a beat. Placed in the same boat as Amazon, Google, Equifax etc., as if there was anything even worth collecting and selling in terms of the data they provide otherwise. The critical mass required for that to be worth it nowadays, when big data is everywhere and cheap, means only large platforms can afford to do that at the risk of fines, so no business under a couple hundred thousand users even considers it.
If you consciously sign up for a platform and agree to their terms, including the portion that clearly states not to use disposable emails because they serve as the point of contact for account operations, and you do that anyway, then coming around complaining that shooting yourself in the foot hurts is something no support department wants to deal with, because they can't help anymore at that point and the users just get angry. The better question would be: why isn't every public platform under the sun using a system like this in these times?
When you send email out to users that signed up to your service you want those mails to reach their destination, because if they end up bouncing most SMTP providers will get very mad with you for "abusing" their service for spam. It's notoriously difficult to maintain good graces for a mailserver and not be put on blacklists these days with all the spam that goes around. When the user then elects to use a dead email or something that causes it to bounce it makes it ever more frustrating to deal with and ultimately creates losses in time = money. Especially if they specifically select that they want newsletters or information on their accounts, or even basic things like resetting one's password via email, if that ends up being the only identifier and then you get support requests asking to change the email without having any way to verify it is really them. The surprise that is quoting the same privacy laws back to them, in regards to not changing personally identifiable information like an email address on an account without being able to verify, leaving the account dead in the water, would be funny if it didn't constitute a potential loss on either end. ...
Your concerns appear to be solely related to the use of "disposable-email-domains". The problem is email-forwarding domains have been lumped in with the disposable domains on this list (see my original post for more details on these related, but different types of domains). The irony is when I can't use my email forwarding domain (which I do receive and read) I'm forced to sign up with a junk gmail address I don't check.
Anyway either point is moot as the maintainers (@tompec @danhstevens) have been completely ignoring this discussion.
That's not surprising though. I suspect this ticket is more meant as an open forum for discussion and they may not want to be part of this type of discussion for various reasons.
Maybe we'll have a Christmas miracle and the maintainers (@tompec @danhstevens) will check this discussion today. :) It'd be nice if there could be two lists, a disposable list and forwarding list. That would give users of these lists a little more granularity in how they use the lists.
Merry Christmas everyone.
Totally agree. Imagine using a disposable provider and complaining. Don't say that for the relay, though.
I'm trying to understand the legitimate use cases for a list like this. It seems to me that the costs of using a list like this would far outweigh its benefits, but maybe I'm missing something? Below are the pros/cons I've thought of for using this list, based on the assumption that users of this list aren't evil spammers and email recipients are using a cloud based email service (I use gmail in my examples, but any cloud service like hotmail would work equally well and most of these arguments would also apply to traditional fat email clients).
Note this list is named "disposable-email-domains" but it actually contains more domains than that. In addition to domains that are used for temporary (disposable) email addresses it also contains email forwarding domains. A temporary/disposable domain contains email addresses that exist only for a short period of time. A disposable domain allows its users to easily/quickly create email addresses that have a temporary lifespan (hours, days or a number of emails forwarded). The user of this email address most likely has no intention of checking this email address again after the initial sign-up.
An email-forwarding domain works similarly to some temporary domains in that it makes it easy for users to create multiple email addresses. Unlike a disposable email address, these users generally intend to use their forwarded email address forever. The reason the forwarding service is used is to allow the user to turn off email addresses if they fall into the hands of spammers (or the service they signed up with doesn't honor their later opt-out request). Another overlapping reason is that many users of these email forwarding services care strongly about their privacy and want to remain private by not using a single email address with multiple services. Unlike many disposable email address providers, most email forwarding services are paid services.
So with my definitions of email forwarding services out of the way I can finally get to the reasons I've thought of to use this list:
The first reason seems like the most legitimate to me, however I suspect this doesn't occur often. While this does make it more difficult for a single person to create more than one account it's certainly not foolproof (I'm not aware of any limit on the number of gmail addresses I can create and use, for example). So for this reason to make sense you must be running a service that is both big enough to care about users creating a lot of accounts and also small enough that it doesn't care about more sophisticated users/attackers that could use other (non-disposable email address) methods of creating multiple accounts. For example, I know Facebook doesn't depend on blocking disposable email addresses as a way of blocking account creation. Are there really a lot of businesses/services that fall into this category?
At first glance reason 2 may seem legitimate for a business like an email newsletter that makes its money based off advertising/traffic from people reading/receiving its newsletter. However users have other ways to stop receiving your email like:
IMHO reason 3 is an invalid reason to use a disposable email address list. As illustrated with my reason 2 counter-arguments, it's impossible to ensure a user even receives your email, so ensuring they read it is that much more difficult. To ensure someone reads your newsletter you must require some action from the users (click a link, reply with a code they read in your newsletter, etc.). This has nothing to do with blocking certain types of email domains.
So I see a narrow use case for reason 1 with disposable/temporary email addresses, but why would anyone want to block a privacy focused email forwarding service like SimpleLogin?
There are also email forwarding services that blur the line between disposable email addresses and privacy focused email forwarding services. SpamGourmet for example is dedicated to avoiding spam and its email addresses are temporary (20 forwards) by default. However it also allows you to easily make a forwarded email address permanent by whitelisting email addresses and/or domains.
I would think that the risk of your emails not reaching legitimate users (that care about privacy and not getting spammed) would outweigh the risks of someone using a disposable email address for most companies/services. I know when I encounter a company or service that won't accept my email address I usually stop trying to use that service or sign up with a junk gmail account I never check.
So what am I missing? Why are these email domain blacklists so popular? And why do they contain email forwarding domains (and not just disposable email domains)?
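One concrete shape for the approach raised earlier in the thread (separate disposable and forwarding lists, with a small score bump rather than a blanket block) applied to the disposable-vs-forwarding distinction drawn in this post. This is an added example, not code from the thread or from the disposable-email-domains project; the list contents, weights and thresholds are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed placeholder lists; the real project ships one merged file.
DISPOSABLE = {"tempmail.example", "10min.example", "both.example"}
FORWARDING = {"relay.example", "alias.example", "both.example"}


@dataclass
class Verdict:
    domain: str
    categories: tuple
    score: int
    action: str  # "allow", "verify" (extra confirmation) or "moderate" (hold comments)


def parent_chain(domain: str):
    """Yield the domain and each parent down to the registrable level,
    so that a list entry for b.example also matches mail.b.example."""
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def classify(address: str) -> Verdict:
    """Score a signup address against the two lists separately."""
    try:
        _, domain = address.rsplit("@", 1)
    except ValueError:
        raise ValueError("address must contain '@'") from None
    domain = domain.strip().rstrip(".").lower()

    cats = []
    for candidate in parent_chain(domain):
        if candidate in DISPOSABLE and "disposable" not in cats:
            cats.append("disposable")
        if candidate in FORWARDING and "forwarding" not in cats:
            cats.append("forwarding")

    # Assumed weights: a disposable address is unlikely to be read again, so it
    # weighs heavily; a forwarding alias is usually read, so it only gets a bump.
    score = 5 * ("disposable" in cats) + 1 * ("forwarding" in cats)
    if score >= 5:
        action = "moderate"
    elif score >= 1:
        action = "verify"
    else:
        action = "allow"
    return Verdict(domain, tuple(cats), score, action)
```

A forwarding alias here is asked for confirmation instead of being turned away, which is the distinction the post argues the merged list cannot make.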