jobguywork / backend

Job Guy Backend
https://jobguy.work/donate
MIT License

Ban registering with fake 10 minutes email #73

Open sbabashahi opened 3 years ago

sbabashahi commented 3 years ago

We need some feature to reject or ban registering with emails that are fake, for example: qwxjlsaeyhulqtbohf@twzhhq.online.

We are open to any good suggestions from you. But an example suggestion is here: create a model with known emails, then use it as a whitelist when a user wants to register. Any domain that is not in the list can email admins. Admins can add a valid email domain to this whitelist.

This feature can help us to reduce spam reviews.

ghost commented 3 years ago

Something like this?

BANNED_CHAR = ['+']
VALID_DOMAINS = ['gmail.com', 'outlook.com', 'inbox.com', 'icloud.com', 'mail.com', 'yahoo.com', 'hotmail.com', 'aol.com', 'hotmail.co.uk', 'hotmail.fr', 'msn.com', 'yahoo.fr', 'wanadoo.fr', 'comcast.net', 'yahoo.co.uk', 'yahoo.com.br', 'yahoo.co.in', 'live.com', 'rediffmail.com', 'free.fr']
SPECIAL_DOMAINS = ['edu', 'gov']

def email_check(email) -> bool:
    email_split = email.split('@')
    if len(email_split) != 2:  # no '@' (or more than one): not a usable address
        return False
    # NOTE: `email_split[0] not in BANNED_CHAR` only matches when the whole
    # local part equals '+'; the follow-up comments below discuss this.
    if email_split[0] not in BANNED_CHAR and email_split[1].lower() in VALID_DOMAINS:
        return True
    else:
        # compare the last label (the TLD) so subdomains such as mail.example.edu also match
        if email_split[1].lower().split('.')[-1] in SPECIAL_DOMAINS:
            return True
        else:
            return False

Banned chars because Gmail lets you create infinite emails by doing + and then some string; not sure if other domains do it, might be something to look into.

I took the top 20 or so domain names and put them in as valid domains.

If the domain name ends in .edu or .gov that generally means the email is valid, as they don't just hand those out. I'm sure there are a few more of those, I just can't think of them, but those are the primary two, at least for the US.

If you needed to change these on the fly you could do it from a database or just read / write a file.

You could also probably do this a little bit faster with regex.

sbabashahi commented 3 years ago

@JadonZufall Good work.

Admins need to add domains to valid domains. So we need to have a model in the database containing valid domains created by admins. Also we need Django admin parts too.

We can check VALID_DOMAINS first, then query the DB for more valid domains, or maybe a cache mechanism for performance that works with create or update events of the valid domain model.

Also I think email_split[0] not in BANNED_CHAR does not return the required result, because you have more than one char in email_split[0]. I propose using some piece of code like all([char not in email_split[0] for char in BANNED_CHAR]).
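The whitelist check from the two comments above, reworked as an added example (this is not the project's code): the banned-character test is done per character as proposed, malformed addresses are rejected instead of raising IndexError, the .edu/.gov test looks at the last label only, and an unknown domain yields a 'review' result so admins can be notified and add the domain to the whitelist. The admin-managed whitelist is a plain set here as a constructed stand-in; in the real project it would be a Django model (or a cached copy of it), and BUILTIN_DOMAINS is a trimmed version of the list in the thread.

```python
from typing import Iterable, Optional, Tuple

# Characters the thread proposed to reject in the local part (before '@').
BANNED_CHARS = frozenset('+')

# Built-in whitelist of well-known mailbox providers (trimmed from the thread's list).
BUILTIN_DOMAINS = frozenset({
    'gmail.com', 'outlook.com', 'hotmail.com', 'yahoo.com',
    'icloud.com', 'live.com', 'aol.com', 'msn.com',
})

# Top-level domains treated as trustworthy because they are not handed out freely.
SPECIAL_TLDS = frozenset({'edu', 'gov'})

# Constructed stand-in for the admin-managed whitelist model; in Django this
# would be a queryset (or a cached copy of it) rather than a module-level set.
ADMIN_DOMAINS = {'jobguy.work'}


def split_email(email: str) -> Optional[Tuple[str, str]]:
    """Return (local, domain) with the domain lowercased, or None if malformed."""
    email = email.strip()
    if email.count('@') != 1:
        return None
    local, domain = email.split('@')
    if not local or not domain or '.' not in domain or domain != domain.strip('.'):
        return None
    return local, domain.lower()


def has_banned_char(local: str) -> bool:
    """True if any banned character appears in the local part.

    The thread's original test, `local not in BANNED_CHAR`, only matched when
    the whole local part equalled '+'; this checks character by character.
    """
    return any(ch in BANNED_CHARS for ch in local)


def classify_email(email: str, admin_domains: Iterable[str] = ()) -> str:
    """Classify an address as 'accept', 'reject' or 'review'.

    'review' is the case the issue describes: an unknown domain that should be
    sent to admins, who may then add it to the whitelist.
    """
    parts = split_email(email)
    if parts is None:
        return 'reject'
    local, domain = parts
    if has_banned_char(local):
        return 'reject'
    if domain in BUILTIN_DOMAINS or domain in set(admin_domains):
        return 'accept'
    # Use the last label so a subdomain such as mail.example.edu still qualifies.
    if domain.rsplit('.', 1)[-1] in SPECIAL_TLDS:
        return 'accept'
    return 'review'


def email_check(email: str, admin_domains: Iterable[str] = ()) -> bool:
    """Drop-in replacement for the thread's email_check: True only on 'accept'."""
    return classify_email(email, admin_domains) == 'accept'


if __name__ == '__main__':
    for addr in ('user@gmail.com', 'user+tag@gmail.com',
                 'student@mail.example.edu', 'qwxjlsaeyhulqtbohf@twzhhq.online',
                 'someone@jobguy.work'):
        print(f'{addr:40} {classify_email(addr, ADMIN_DOMAINS)}')
```

Wiring this into the registration view would mean calling classify_email with the domains loaded from the admin model, rejecting on 'reject', and on 'review' queuing an admin notification while holding the account (or letting it through unverified) according to whatever policy the project settles on.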

ghost commented 3 years ago

@sbabashahi ahh shoot, you're right about the email_split[0] not in BANNED_CHAR. In my head I was thinking '+' in email_split[0], but I thought I would add it to a list in case there were other domains that also did something similar to Gmail. But you seem to have figured it out, so I don't think that should be a problem.

AMIN0ACID commented 3 years ago

@sbabashahi What about putting off sending the authorization email? Like 24 hours? Most of the temporary email services would expire in less than 24 hours.

AmirHosseinKarimi commented 3 years ago

About the + character: it may be used to identify the email sender. Personally I use it like myemail+domain@gmail.com; by this simple trick I can identify where my email was exposed for advertisement and which website sells email addresses. I think it's not a good idea to block this character in email addresses.
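A middle ground between banning '+' and accepting unlimited aliases, as an added example that is not part of this thread or the project: keep the character, but store and compare a canonical form of the address so that alice+jobs@gmail.com and alice@gmail.com count as the same account. The dot-insensitive provider list and the assumption that providers compare local parts case-insensitively are both illustrative assumptions made here, and Registry is a constructed in-memory stand-in for the user table.

```python
from typing import Dict, Optional

# Providers known to ignore dots in the local part (constructed, illustrative list).
DOT_INSENSITIVE_DOMAINS = frozenset({'gmail.com', 'googlemail.com'})

# Sub-address separator used by Gmail and a number of other providers.
SUBADDRESS_SEPARATOR = '+'


def canonical_email(email: str) -> Optional[str]:
    """Return a canonical key for an address, or None if it is malformed.

    Assumption (not from the thread): providers compare local parts
    case-insensitively, so the whole key is lowercased.
    """
    email = email.strip()
    if email.count('@') != 1:
        return None
    local, domain = email.split('@')
    if not local or not domain:
        return None
    domain = domain.lower()
    # Keep only the part before '+': alice+jobs -> alice
    local = local.split(SUBADDRESS_SEPARATOR, 1)[0].lower()
    if not local:
        return None
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace('.', '')
    return f'{local}@{domain}'


class Registry:
    """Minimal in-memory stand-in for the user table, keyed by canonical address."""

    def __init__(self) -> None:
        self._users: Dict[str, str] = {}   # canonical key -> address as entered

    def register(self, email: str) -> bool:
        """Register the address; return False if its canonical form already exists."""
        key = canonical_email(email)
        if key is None or key in self._users:
            return False
        self._users[key] = email   # keep the user's spelling for sending mail
        return True

    def __len__(self) -> int:
        return len(self._users)


if __name__ == '__main__':
    reg = Registry()
    for addr in ('alice@gmail.com', 'alice+jobs@gmail.com', 'a.l.i.c.e@gmail.com'):
        print(f'{addr:25} registered={reg.register(addr)}')
```

The user keeps the tracking benefit of their tag (mail is still sent to the address as entered), while the duplicate-account check runs on the canonical key; in Django this key would be a separate unique-indexed column populated on save.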

About temporary email providers, there are some services which can identify email addresses & phone numbers and provide some information about them, like whether they are temporary or not and more. Some providers:

Out of context, I like SSO and think it's the most useful and efficient way to identify users and prevent spam. Also it has a good user experience: users can sign up/sign in with just one click, selecting their favorite SSO provider.


Oh, I just saw we have SSO by Google already. I think we can add more SSO providers like Apple, GitHub, GitLab, Twitter, etc. and then get rid of signup with email.