lichess-org / lila

♞ lichess.org: the forever free, adless and open source chess server ♞
https://lichess.org
GNU Affero General Public License v3.0

My domain is considered disposable #13230

Open Torsteinws opened 1 year ago

Torsteinws commented 1 year ago

Changing the email address to an email with the domain torsteinws.no gives the following error:

Cannot use disposable email addresses (Blocklist).

I would not call Norwegian top level domains disposable because they are actually difficult to get. In fact, I would argue that email addresses with Norwegian TLDs are more linked to your identity than other email addresses. Here is why:

In order to get a Norwegian TLD you have to:

  1. Be a Norwegian citizen that is nationally registered with a valid Norwegian birth ID and a valid Norwegian post address.
  2. Be over 18 years old.
  3. Own no more than 5 Norwegian TLDs.
  4. Verify all of the above with your national electronic ID called BankID.

Furthermore, in order to get a BankID you have to physically meet up at a Norwegian bank to verify your identity. There you will have to show your passport and so forth.

jxu commented 1 year ago

It may be just using a domain that isn't a known large email provider (assuming this is your personal domain)

Torsteinws commented 1 year ago

Yes, it is my personal domain. I even use it as my username on lichess and github :-)

Torsteinws commented 1 year ago

Sorry, I see that this is probably too much information. But I want to provide you a good context for the issue:

Email setup

About SimpleLogin

I know that SimpleLogin has a bad reputation for creating burner addresses, but that is not the use case for me at all. I use the service so that I can:

  1. Easily route my email to different inboxes. (I have different inboxes for different purposes such as shopping, subscriptions, business, etc.)
  2. Easily do complex filtering, categorization and labeling of all incoming emails.
  3. Have an effective protection layer against spam.
  4. Use aliases to make it harder to aggregate leaked online data about me.

Q&A

Q: Why don't you use one of your secret proton addresses on Lichess? Lichess will after all never abuse this information!

A: If Lichess has a security breach my secret email address would be exposed all out in the open, and I would then permanently lose all protection against spam. I also consider this a potential threat to my privacy.

Q: Why don't you create an email address in proton that is only used for Lichess?

A: Proton only allows 15 email addresses in their paid plan, and I have unfortunately used them all.

Q: But you are using SimpleLogin, doesn't that mean that your email is disposable?

A: No, torsteinws.no is deeply tied to my identity. I always use torsteinws as my username on online services (just look at my github and lichess profile), and the domain was very hard to get due to all the restrictions that are imposed on Norwegian TLDs.

Q: Why are you so adamant on keeping your proton addresses secret?

A: Using aliases to keep the addresses secret is the best protection I have against spam and online privacy abuse. I intend to have these addresses for the rest of my life, and I must therefore follow a zero trust policy.

notDavid commented 6 months ago

I have the exact same issue. I'm using my own personal domain, which I purchased myself and which is only used by myself. Yet I get the error: Cannot use disposable email addresses (Blocklist).

Please fix, and block only the Simplelogin disposable email domains, they are:

HexPandaa commented 6 months ago

I'm facing the same registration issue using my own domain, I'm also using SimpleLogin to redirect my mail to my Proton Mail account.

Adamatt commented 5 months ago

Exact same issue here. I want to leave chess.com and use lichess instead, but playing against anonymous players is frustrating and I can't create an account.

Lichess should not blacklist personal domains even if they're tied to Simplelogin which can do a lot more than disposable emails (for which a known list exists).

BourbonCrow commented 5 months ago

Exact same issue here. I want to leave chess.com and use lichess instead, but playing against anonymous players is frustrating and I can't create an account.

Lichess should not blacklist personal domains even if they're tied to Simplelogin which can do a lot more than disposable emails (for which a known list exists).

100% agree. My domain tied to Proton Mail works, but the domain I use for SimpleLogin does not; both are my own domains.

wincent commented 5 months ago

Not sure when the changes were made, but I registered almost three years ago with a custom domain. Tonight, trying to update my email address to a different custom domain, I ran into the dreaded "This email domain has a poor reputation and cannot be used" message, which seems a bit overzealous...

ornicar commented 5 months ago

Is hurrell.net the domain? Because lichess tells me it's fine.

I found your email address on your github profile.

wincent commented 5 months ago

Nope, it's another domain that I use for signups. Pretty much never used for outbound email, only for receiving, which might be why it has "no" reputation.

pmz commented 4 months ago

hey! I'm experiencing the same problem. My domains are hosted at Fastmail. Using Fastmail provided addresses (ex: airpost.net) has the same problem:

Cannot use disposable email addresses (Blocklist).

ornicar commented 4 months ago

I just checked and lichess is telling me that airpost.net is ok?

peszko1 commented 4 months ago

I also have a similar problem with the rnrbros.com domain. It's my personal domain hosted at fastmail.com. Now I get "Cannot use disposable email addresses (Blocklist)." and on the first try I got some message about poor email quality. So as a result I cannot register.

ornicar commented 4 months ago

verifymail.io, our disposable email detection provider, recommends blocking that domain: https://verifymail.io/domain/rnrbros.com I reckon you should take it to them.

wincent commented 4 months ago

I reckon you should take it to them.

All the people with domains of their own could indeed take it to them, on a case-by-case basis, but their "privacy/alias" detection seems like a very blunt instrument. I'd go so far as to say it's broken. I checked a handful of domains I own that are not "privacy/alias" domains — they're just Fastmail-hosted domains — and this site misclassifies all of them as "privacy/alias". It seems like they have their "detection" dialed all the way up so as to drop false negatives to basically zero, at the cost of absurdly frequent false positives.

ornicar commented 4 months ago

I agree that's a problem... Yet we need some sort of throwaway email detection for 2 reasons:

  1. Add a third-party verification step that makes massive multi-accounting harder
  2. Make sure people can receive their "forgotten password" email.

That's literally all we use emails for, but it's quite important. We get dozens of support requests every day from people who used a throwaway email address and have forgotten their password.

I'll look into accepting email domains that verifymail.io classifies as "privacy/alias".

maertsen commented 4 months ago

I reckon you should take it to them.

All the people with domains of their own could indeed take it to them, on a case-by-case basis

Which is what I did, earlier today. I tried to sign up, as a first-time user, with a domain I'm 100% certain has never been used on this service before. They misclassified me. I understand the value of a service like this; just speaking up to make false positives visible too. I hope they get back to me.

ornicar commented 4 months ago

I deployed the change above this morning.

wincent commented 4 months ago

I deployed the change above this morning.

Thanks for doing that.

I suspect this isn't going to make any difference to the people who've been active in this thread. Take, for example, https://verifymail.io/domain/rnrbros.com that you linked to above; that one is returning "Block: true", "Disposable: false", "Privacy: true". I checked all of my Fastmail-hosted domains, and they are all like that. I gather the "Block" recommendation is coming because they are "Privacy: true"? I am reasonably sure that in my case, the domains aren't being used for outbound abuse (Fastmail has SPF + DKIM set-up by default, lacking only DMARC).

As far as I can tell, "Privacy: true" is going to lead all Fastmail hosted domains to have a "Block: true" recommendation, based on what I see in the verifymail.io FAQ:

What are privacy email addresses? Many email providers are privacy-focused, which can include awesome features such as email forwarding or unlimited email aliases. These features are great for their users, however they can be a nightmare for administrators or moderators who can't distinguish between a legitimate email address and a single-use email address. The "privacy" classification allows us to notify our clients when an email address is using an email provider with privacy features that could potentially be misused by malicious individuals. This classification does not mean that the email provider is "privacy-focused". Use this classification at your own discretion, since these types of emails can be used by both privacy-conscious visitors and bad actors.

maertsen commented 4 months ago

I suspect this isn't going to make any difference to the people who've been active in this thread. Take, for example, https://verifymail.io/domain/rnrbros.com that you linked to above; that one is returning "Block: true", "Disposable: false", "Privacy: true". I checked all of my Fastmail-hosted domains, and they are all like that.

I think your observation is correct, but your conclusion does not follow from the code for me.

I looked at 38419c0, which gives me the impression only Disposable is relevant after the change, Block and Privacy are logged too (two lines down), but no longer affect $ok.

To add to your observation: verifymail got back to me and confirmed that "Block: true", "Disposable: false", "Privacy: true" is the correct response for my personal domain in their view. The remainder of their e-mail is along the lines of the FAQ item you quoted.

Now, the website as currently deployed still rejects my domain in the registration flow, with the error "Cannot use disposable email addresses (Blocklist)." So either I misunderstand how this works (which would be unsurprising) or perhaps there's caching involved?

maertsen commented 4 months ago

Looking a bit further (oh FOSS ❤️‍🔥), I think the relevant bits of code are:

Possible error messages: https://github.com/lichess-org/lila/blob/a5d134f75dd8f706e211b940ae4cd332a577088f/modules/security/src/main/EmailAddressValidator.scala#L92-L105

Blacklist checked first, then DNS, then verifymail: https://github.com/lichess-org/lila/blob/a5d134f75dd8f706e211b940ae4cd332a577088f/modules/security/src/main/EmailAddressValidator.scala#L49-L58

verifymail API calls are cached https://github.com/lichess-org/lila/blob/4ffd642e89f9f1a0d20974d4513f8fe12b38522f/modules/security/src/main/VerifyMail.scala#L50-L51

that blocklist is constructed at startup and refreshed every so often https://github.com/lichess-org/lila/blob/a5d134f75dd8f706e211b940ae4cd332a577088f/modules/security/src/main/Env.scala#L134-L140

like this https://github.com/lichess-org/lila/blob/a5d134f75dd8f706e211b940ae4cd332a577088f/modules/security/src/main/DisposableEmailDomain.scala#L20-L28

defined as https://github.com/lichess-org/lila/blob/a5d134f75dd8f706e211b940ae4cd332a577088f/modules/security/src/main/Env.scala#L118-L121

using all cached domains that failed the verifymail API https://github.com/lichess-org/lila/blob/4ffd642e89f9f1a0d20974d4513f8fe12b38522f/modules/security/src/main/VerifyMail.scala#L33-L46

So the good news is: worst case this bug solves itself in 100 days, going by the default expiration logic 😉

I did not play (li)chess tonight, but I still had some fun. Thank you for your work on this project, the passion shows.
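The pipeline maertsen traces above (blocklist checked first, raw verifymail responses cached, blocklist rebuilt from cached failures, policy changed to look only at "disposable") can be modelled in a few lines. This is a constructed illustration written for this thread, not lila's code, and the domain names and responses are placeholders; it shows why a relaxed policy does or does not unblock an already-failed domain depending on whether the cache holds the provider's raw response or the derived decision.

```python
"""Toy model of a domain-reputation check with a cache and a derived blocklist.

Constructed example (not lila's code). Field names mirror the verifymail
response fields quoted in the thread: block / disposable / privacy.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Set, Tuple, Union


@dataclass(frozen=True)
class Verdict:
    block: bool
    disposable: bool
    privacy: bool


# Constructed sample API responses keyed by domain (placeholder names).
API_RESPONSES: Dict[str, Verdict] = {
    "alias-host.example": Verdict(block=True, disposable=False, privacy=True),
    "burner.example": Verdict(block=True, disposable=True, privacy=False),
    "plain.example": Verdict(block=False, disposable=False, privacy=False),
}


def old_policy(v: Verdict) -> bool:      # before the change: block or disposable rejects
    return not v.block and not v.disposable


def new_policy(v: Verdict) -> bool:      # after the change: only "disposable" rejects
    return not v.disposable


class Validator:
    def __init__(self, policy: Callable[[Verdict], bool], cache_raw: bool):
        self.policy = policy
        self.cache_raw = cache_raw           # True: cache raw responses; False: cache decisions
        self.cache: Dict[str, Union[Verdict, bool]] = {}
        self.blocklist: Set[str] = set()

    def _decide(self, cached: Union[Verdict, bool]) -> bool:
        return self.policy(cached) if self.cache_raw else cached

    def refresh_blocklist(self) -> None:
        # Blocklist = every cached domain that fails the current policy.
        self.blocklist = {d for d, c in self.cache.items() if not self._decide(c)}

    def accept(self, domain: str) -> bool:
        if domain in self.blocklist:         # blocklist is consulted first
            return False
        if domain not in self.cache:
            v = API_RESPONSES[domain]
            self.cache[domain] = v if self.cache_raw else self.policy(v)
        return self._decide(self.cache[domain])


def simulate(cache_raw: bool, domain: str = "alias-host.example") -> Tuple[bool, bool]:
    """Reject under old policy, rebuild blocklist, deploy new policy, rebuild, retry."""
    val = Validator(old_policy, cache_raw)
    before = val.accept(domain)
    val.refresh_blocklist()
    val.policy = new_policy                   # the deployed change
    val.refresh_blocklist()
    return before, val.accept(domain)
```

With raw responses cached, the relaxed policy unblocks the privacy-only domain immediately; with decisions cached, the old rejection persists until the entry expires, which matches the "solves itself when the cache expires" reading above.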

BourbonCrow commented 3 weeks ago

So the good news is: worst case this bug solves itself in 100 days, going by the default expiration logic 😉

I did not play (li)chess tonight, but I still had some fun. Thank you for your work on this project, the passion shows.

@maertsen

(my coding knowledge is not good enough to understand the code posted above)

OK, if I understand this correctly, after 100 days of attempting it should be removed from the list, right? But let's say you attempted on day 96; would that have started the counter over from 0? Because I feel like it's been way more than 100 days, but maybe it hasn't and I just lost track of time. All I know is my domain is showing up as green on verifymail.io. There was a bit of a situation with their detection at the start, but after contacting them that is now solved, and it's been solved for quite a long time.