Tracing through the code, there is something very suspicious.
EmailValidator seems to be only used when a user updates his/her email address (in EmailUpdater).
When a user is created, it only validates against proper email format but not whether the email domain is blacklisted.
Emphatically, it is not used to verify when a staged user is created via email in, because in email/receiver.rb, process_internal only checks against these things:
Regexp.new(SiteSetting.ignore_by_title) =~ @mail.subject # Blacklisted TOPIC TITLE
raise BouncedEmailError if is_bounce? # Bounce mail
raise NoSenderDetectedError if @from_email.blank? # No From field
raise ScreenedEmailError if ScreenedEmail.should_block?(@from_email) # Screened email address
After this, a new staged user is created via find_or_create_user.
Shouldn’t EmailValidator.validate_each be called on @from_email to make sure that the incoming email in is not from a blacklisted domain?
Or, better, check first if the user with that email address already exists. If so, let it pass. Otherwise, call EmailValidator.validate_each to check if it is blacklisted. DO NOT create a staged user if the email is blacklisted.
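
The check order proposed in the post above, as an added stand-alone Ruby illustration (not part of the original post and not Discourse's code). Every class, method and error name, the pipe-separated domain list and the subdomain matching are assumptions of this sketch.

```ruby
# Stand-alone model of the proposed gate; every name here is hypothetical.
class BlockedDomainError < StandardError; end

class StagedUserGate
  attr_reader :users

  # blocked_domains: pipe-separated list (assumed format for this sketch)
  def initialize(existing_emails:, blocked_domains:)
    @users = existing_emails.map { |e| normalize(e) }
    @blocked = blocked_domains.split("|").map { |d| d.strip.downcase }.reject(&:empty?)
  end

  # Returns :existing or :staged, or raises BlockedDomainError.
  def find_or_create_user(from_email)
    email = normalize(from_email)
    return :existing if @users.include?(email)         # known sender: let it pass
    raise BlockedDomainError, email if blocked?(email)  # reject before any record exists
    @users << email                                     # only now create the staged user
    :staged
  end

  def blocked?(email)
    domain = email.rpartition("@").last
    # Match the domain itself or a subdomain, never a bare string suffix
    # ("notmailinator.com" must not match "mailinator.com").
    @blocked.any? { |b| domain == b || domain.end_with?(".#{b}") }
  end

  private

  def normalize(email)
    email.to_s.strip.downcase
  end
end

# Constructed sample data.
GATE = StagedUserGate.new(
  existing_emails: ["alice@mailinator.com"],
  blocked_domains: "mailinator.com|spam.example"
)

# Wraps the gate the way an incoming-mail handler would: a blocked sender
# is rejected and no staged user is left behind.
def try_sender(email)
  GATE.find_or_create_user(email)
rescue BlockedDomainError
  :rejected
end
```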