Blocking Free Email Accounts

markgodley
May 31, 2009, 09:07 AM
Hey,

I know some sites only allow ISP emails. How would I go about blocking free email accounts from my website? I'm getting a lot of fraud and they are all coming from Hotmail, Yahoo, Googlemail, etc.



Darth.Titan
May 31, 2009, 12:05 PM
If you're talking about a registration form, can't you just throw a validation condition in the form processing script?

Cabbit
May 31, 2009, 05:29 PM
So you're going to cut out half of your users or more that use Hotmail, Yahoo, or similar and expect them to have or use their ISP email?
Sounds like a pretty poor plan to me; that's like a store saying we only accept bank notes that are brand new and we don't give you change.

Darth.Titan
May 31, 2009, 08:56 PM
> So you're going to cut out half of your users or more that use Hotmail, Yahoo, or similar and expect them to have or use their ISP email?
> Sounds like a pretty poor plan to me; that's like a store saying we only accept bank notes that are brand new and we don't give you change.

That is an excellent point. You should do more checking on posts/form submissions to prevent spam. Don't put off potential visitors.

SelfMadeCelo
May 31, 2009, 09:16 PM
Just to throw this out there, I have an email from my ISP (Comcast) but I don't use it for anything. I stick with Gmail for mostly everything and Yahoo Mail for crap sites. Mostly because I like the Gmail interface but also what happens if I decide to get rid of Comcast in the future?

arogge
May 31, 2009, 11:06 PM
Your plan can backfire. How do you determine what is a "free" account? There are many e-mail providers that offer both paid and unpaid accounts, and I am a paying customer of one of those services. If your Website told me that I wasn't allowed to use a "free" account, I would call you crazy and buy from somebody else.

I don't have an e-mail account from an Internet Service Provider. My e-mail is separate from my Internet access, for good reason. I pay for e-mail because I rely on it, and I can't risk losing it because my ISP decided to disappear. I don't like being told that I can't send files larger than an arbitrary size or that I am receiving or sending too much mail. I don't like being forced to use spam filtering that blocks messages and doesn't bother to mention that my messages were deleted. I also don't like to be told that I can't send e-mail except when logged into the ISP, or that my return address must match my ISP login address. A commercial account fixes these potential problems that I did have when I used a bundled e-mail account from an ISP.

If you're being defrauded, you need some better verification of your payment methods. Anybody can input a bad e-mail address, but e-mail is irrelevant to the payment.

mlts22
May 31, 2009, 11:54 PM
There are three main issues with blocking "free" E-mail providers:

1: There are sites where they offer limited free E-mail, but their main use is by paying subscribers. Everyone, even the people who pay their bills there, is locked out.

2: One would have to do extensive research in making a comprehensive list of what is considered free and what isn't.

3: The die hard spammers will just use a compromised zombie machine and a bogus registration to get around domain name blocks.

I know that blocking the major free E-mail providers does reduce the volumes of incoming spam by a great amount. However, there should be some mechanism for people who only have E-mail access from those sites to be able to obtain accounts on your Web service. Perhaps have requests from the large sites that have a lot of spam be shunted to a moderator for approval.

Another trick is to have some type of curve ball that automated web bots won't pick up: You can do a message telling users to fill in zero details (such as name, URL, chat IDs) on the enrollment forms except their username and password, saving that info for a later time. Then when processing a form, send an acknowledgment that the form went through, and then roundfile it, perhaps blocking subsequent requests from that IP address for a period of time like 3-5 minutes with a 502 error.

One forum program named Beehive had an interesting feature called "worm mode" which fooled spammers. It would allow them to create accounts and post, but only they could see the posts that they made... the rest of the world didn't see it. So, a spammer could have a field day until caught and banned, but they wouldn't be able to affect anyone else on the board.

If the Web board is private and members only, you can have functionality where an existing member creates a registration seed code and communicates it to the new member. This does two things. Without explicit communication, people won't register, and you can track who gave access to a spammer.

Finally, if the Web board is very private, you can always force client certificates. Spammers would not go to the trouble of obtaining a client certificate, and the user would only need one while creating a userID.
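
A sketch of how three of the suggestions in the last post (moderator review for high-spam domains, the decoy-field "curve ball", and tracked registration seed codes) could sit in one form-processing check. This is an added example, not code from any poster in the thread; the domain list, field names, and the `InviteRegistry` and `triage_signup` names are hypothetical.

```python
import secrets

# Constructed sample list. A real list needs research and will catch paying
# customers of mixed free/paid providers, hence review rather than rejection.
MODERATED_DOMAINS = {"hotmail.com", "yahoo.com", "googlemail.com"}
# Fields the form tells humans to leave blank for now (the "curve ball").
DECOY_FIELDS = ("name", "url", "chat_id")


class InviteRegistry:
    """Single-use seed codes, each tied to the member who issued it."""

    def __init__(self):
        self._pending = {}    # code -> issuing member
        self.invited_by = {}  # new username -> issuing member

    def issue(self, member):
        code = secrets.token_urlsafe(16)  # unguessable code
        self._pending[code] = member
        return code

    def redeem(self, code, username):
        issuer = self._pending.pop(code, None)  # pop makes the code single-use
        if issuer is not None:
            self.invited_by[username] = issuer  # who gave access to whom
        return issuer


def email_domain(address):
    """Lower-cased domain part, or None when the address has no usable one."""
    local, sep, domain = address.strip().rpartition("@")
    return domain.lower().rstrip(".") if sep and local and domain else None


def triage_signup(form, invites):
    """Return 'discard', 'reject', 'moderate' or 'accept' for one signup form."""
    # Decoy filled in: acknowledge to the client, then drop server-side.
    if any(str(form.get(f, "")).strip() for f in DECOY_FIELDS):
        return "discard"
    domain = email_domain(form.get("email", ""))
    if domain is None:
        return "reject"  # checked before redeeming, so no code is burned
    if invites.redeem(form.get("invite", ""), form.get("username", "")) is None:
        return "reject"
    # Listed domains go to a moderator instead of being blocked outright.
    return "moderate" if domain in MODERATED_DOMAINS else "accept"
```

A "discard" result is meant to return the same acknowledgment page as a success, so an automated submitter cannot tell the difference.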