Suggestion: Wildcard Block Email Address

Would be good if there was a way to add wildcard blocked email addresses. E.g. When a spammer uses the gmail dot trick.

E.g.

example@gmail.com
example+random12345@gmail.com
ex.a.mple+random12345@gmail.com
e.xamp.le@gmail.com

Are all the same email address, spammers can use one gmail address to make unlimited accounts easily.

Blocking an address with wildcards like below I believe would be a good solution:
e*x*a*m*p*l*e*@gmail.com

I don’t necessarily think that all registrations using these gmail address variations should be blocked, just that it would be useful that if a gmail address is blocked, all variations are blocked too or that we can manually add a wildcard gmail to the email blacklist.

Are you seeing an actual specific problem or is this just a theory? If it is a specific problem can you share the specific spammer emails?

3 Likes

Yes it’s an actual problem I’m experiencing, I have spammers regularly making tens of thousands of accounts per single gmail account with the dot method and a sufficient pool of IPs.

I’m only seeing the dot trick being used, not 100% sure about if the + method works also. Last I checked it was possible to register using email addresses with + characters, so that trick should work too.

For example, this email (not a real email):
constantinehamilton1337x@gmail.com

Can make 16,777,216 unique email addresses using the dot method only and essentially unlimited using the + method. Makes it super efficient for spammers. Domain blacklist isn’t viable seeing it’s gmail.

You can see a generator here (gets laggy over 8k combinations): Gmail Dot Trick Generator

If this was actually implemented with a wildcard-like approach (instead of being handled automatically by Discourse), you’d probably want to be much more specific than e*x*a*m*p*l*e*@gmail.com. Doing it that way could result in blocking innocent people, especially if the spammer’s email address is relatively short. Looking specifically for . and + would probably be much safer.

1 Like

What is your levenshtein_distance_spammer_emails setting at, the default 2 or the max 3 ?

1 Like

Thanks for the heads up about this setting levenshtein_distance_spammer_emails. I’ve never seen or modified it before - it’s at the default of 2.

3 Likes

I don’t understand your math. You can add only a single dot between characters, so each N-character address is good for only 2*n addresses. You could probably have a plugin that saved or compared against the dot-removed address and disallowed +addresses.

1 Like

@pfaffman - I was just going off the figures given from Gmail Dot Trick Generator which is for every additional character above 2 the amount of addresses is doubled (it freezes at about 8k though).

I think 2*n, if I understand what you mean by this (as in a 26 character address would have 52 combinations?) would be too low. As they can add multiple dots throughout the address.
E.g:
constantinehamilton1337x@gmail.com
con.stantinehamilton1337.x@gmail.com
co.nst.antineh.amilton1.3.37x@gmail.com
constantineh.a.m.ilto.n13.37x@gmail.com
c.o.nsta.ntinehamil.ton1337x@gmail.com

Anyhow, whatever the exact figure is, it’s a lot. Yeah, your suggested solution would make sense!

Yeah. I wasn’t doing the math right. I was allowing just one dot. I once almost knew that math, but didn’t this morning. :wink:

But a plugin that saved a shot and plus free version of the address as an additional address would do what you want and wouldn’t be that hard.

2 Likes