Plugin to detect & reject disposable emails on signup

This is a Discourse plugin that checks if a user is using a so-called “disposable email” when signing up via email/password. It leverages the free API provided by https://open.kickbox.com/

If a disposable email is detected, the user is notified in the signup form and is being asked to use another email.

Kickbox provides a free, open API endpoint for checking a domain or email address against a frequently-updated list of disposable domains. CORS is enabled for all originating domains, so you can call the API directly from your client-side code.

Disposable email addresses are one-time use addresses. Sometimes they are forwarded to a real address to track sites that send other unsolicited mail.

This is my first plugin and I am completely new to Ruby. So any feedback and PR, if you see any errors or room for improvement is welcome.

Furthermore, it only checks the email on the signup form, not the one that is used to change your email once you’re an approved user in the preferences. This is beyond my knowledge of how to do this for now, but PR welcome.

In addition, you can change the URL to the API endpoint e.g. to one you control and developed on your own. As long as the endpoint responds with JSON {“disposable”: true | false} it should work.

We do it like that and double-check results from Kickbox via a paid service called Debounce. That being said Kickbox catches quite a lot of bogus email addresses out-of-the-box.

Anyways, this should help to make Discourse communities even more secure and spam free.

9 Likes

This feature of blacklisting certain email domains already exists in Discourse, but the bonus with this plugin is that you avoid maintaining (and entering) a list of thousands of free email domains.

The good news is that there are only really about 20-30 reliable, popular disposable email services … so it’s not that much trouble to use the site setting.

But if you want a complete block of hundreds, maybe thousands of potential free email sites, this is certainly a better alternative.

5 Likes

Cool deal. I’ll take advantage of this.

1 Like

Yes, that is correct, almost no need to manually add blocked domains anymore. Besides the standard disposable email providers (like Mailinator) Kickbox also catches a lot of the dynamically created disposable emails.

Of course, there are paid services like https://debounce.io/ and https://www.ipqualityscore.com/ which are even better, but I wanted to ship the plugin with a free service out of the box.

As mentioned in my OP, you could still use the plugin and relay the response from a paid service to one the plugin understands e.g. via Zapier & co.

1 Like