Email blacklist default list of temporary domains as option?

I just found this gist of common temp email address providers and it crashed chrome when I pasted it into the textarea, probably as it was tokenized. It is a bit overkill to add them all in the UI so I wondered if it would be better to have it as an option.

As in true/false - “blacklist common temporary email domains” - and link to the list.

I can’t comment about the performance of this but as this is only for sign-up it should be pretty low overhead?

I’ve attached the list of domains (pipe delimited) for your reference.

domains.txt (6.8 KB)

4 Likes

That list was copied to this github, which does appear to be continually updated.

https://github.com/ivolo/disposable-email-domains

Does anyone have a documented problem with people using temporary domains? Discourse has features in place that may make such a list superfluous (i.e., level 0 users can’t do much harm).

1 Like

The idea of a disposable address is that you can get the verification email to authorise your account, then the box is deleted, so in that sense it allows people to make multiple accounts with no way to trace them except for their IP. Mailinator.com is already in the box so I assume that is what email blacklists are for but, yes, no evidence per se but I am currently setting up a secure instance of Discourse so I need to make sure only real email addresses are used. In a way this is an improvement to an existing feature rather than a new one!

Perhaps you should use must approve users instead? Check the email of every new signup, research fishy domains, add them to the blacklist if they’re on this list, but not before that.

I do that already. I started this thread in the ‘feature’ category as I’m not reporting a bug but rather suggesting a possible enhancement to an already existing feature, which comes with mailinator.com already blacklisted, so I’m a little surprised the questioning is around whether temp email accounts are an issue. My own set-up isn’t really important but it may be helpful to consider this in the case of a high volume public set-up :slight_smile:

I’m wondering if the Screened-Emails feature isn’t working for you, if maybe tweaking the levenshtein distance spammer emails setting would help.

The default 2 seems like a good choice, but maybe 3 would work better for you?

Hey, @Einstein & @Shriyansh_Agrawal. It’s not entirely clear to me whether this is a problem that needs to be solved, but it might be, and it could be a plugin to work on to get up to speed with discourse internals.

1 Like

okay , so there’s a need of plugin , only
controllable by admin to filter emails,disposable-email-domains

Right ??

Well, if there’s no issue actually being encountered, this is all just imagineering. If the Discourse developers make a feature that nobody wants or uses, their time has been wasted…

I just don’t think one needs to have a weird list of every single possible free email service, to the point of absurdity.

3 Likes

So @pfaffman , do we still need to implement the feature??

1 Like

If you a looking for a small practice project to learn the internals of discourse a bit better, maybe. At least one person thinks they want it, and it might be a way to contribute code that someone actually uses.

If you want to contribute code that is likely to become part of core, absolutely not.

I imported that list due to a non mitigatable troll comming back constantly.
(we tried to aviod “Team-Confirmations” or read-only-Level0-Users)

But it turns out that the admin-settingspage becomes hardly usable, since the settings are so big even a Chrome running 8C/32G on a 400MBit/s connection (i do not know where the bottleneck is) runs into timeouts.

In other words: A plugin for this “disposable check” would be rather handy.

1 Like

Not sure what we can do in this case @joffreyjaffeux?

We are talking of almost 19k entries here, clearly this UI is not thought for this volume. Even if it wasn’t crashing it wouldn’t be usable.

3 Likes

You might try filtering this list to the top 100 most commonly used temporary email services, instead. It’s unlikely you need 19k entries to accomplish your goal.

1 Like

That’s going to be a difficult game of whack a mole however you play it. Maybe you can block the user’s ip addresses?

this one is clever. he uses ipv6 and ipv6 are not in the discourse logs.

Then you need to fix your configuration so that the correct ip is recorded.

nevertheless i see “on IPv4” from him TOR-Exits… there there a plugin (setting?) blocking TOR-Exits at least for new-user-registration?

3 Likes