prevent use of throwaway email addresses
Hello @cainlevy! Thanks for a great project 👍
It is a real-world problem when people use temporary email services (e.g. getnada.com) for creating accounts.
I propose to add a new configuration option - EMAIL_USERNAME_DISPOSABLE_DOMAINS, like the EMAIL_USERNAME_DOMAINS option, to prevent this behaviour.
Thanks for this idea! I need to consider this a bit more and decide whether this problem is a concern of the email address as a unique identifier (AuthN's problem), or a concern of the email address as a method of contact (host app's problem).
Meanwhile, my recommendation would be similar to the email verification guide:
- Create accounts and users as normal
- Compare a user's email against some list of disposable domains
- If the email appears disposable, automatically lock the user's account and sign them out
Could you say a bit more about how disposable accounts impact your application? What is the difference between someone signing up with a temporary email provider and someone signing up with sub-addressing?
You are right that sub-addressing accounts are similar to temporary email accounts. Also, that is a bottleneck in the application. I think that you need to add an option to disable sub-addressing email accounts on the registration step.
About the impact: spammers use temporary services for registering accounts in the application. The disposable option is an opportunity to prevent that case.
Okay, here's the goal:
Create one single new config variable. When enabled, AuthN will:
- forbid temporary email services (TBD: choose a quality list)
- disable sub-addressing ([email protected] and [email protected] will be treated identically)
- disable dot-addressing ([email protected] and [email protected] will be treated identically)
This should allow the host application to implement and rely on email verification to ensure that user accounts are not throwaways.
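One way to implement the single strict option sketched above, as an added Go example that is not AuthN's own code: the function names and the disposable-domain list are hypothetical, with the list a constructed stand-in for whatever "quality list" is eventually chosen.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed stand-in for the "quality list" the thread leaves TBD.
var disposableDomains = map[string]bool{
	"getnada.com":       true,
	"throwaway.example": true,
}

// NormalizeEmail returns the form of an address used for uniqueness checks.
// With strict=true (the proposed single config flag) it lowercases, strips a
// "+tag" sub-address and removes dots from the local part, so sub-addressed
// and dot-addressed variants collide with the base account. With strict=false
// only trimming and lowercasing are applied.
func NormalizeEmail(email string, strict bool) (string, error) {
	email = strings.ToLower(strings.TrimSpace(email))
	at := strings.LastIndex(email, "@")
	if at <= 0 || at == len(email)-1 {
		return "", errors.New("invalid email address")
	}
	local, domain := email[:at], email[at+1:]
	if strict {
		if plus := strings.Index(local, "+"); plus >= 0 {
			local = local[:plus] // drop sub-address tag
		}
		local = strings.ReplaceAll(local, ".", "") // drop dot-addressing
		if local == "" {
			return "", errors.New("invalid email address")
		}
	}
	return local + "@" + domain, nil
}

// IsDisposable reports whether a normalized address uses a listed domain;
// the host app can then refuse sign-up or lock the account and sign it out.
func IsDisposable(normalized string) bool {
	at := strings.LastIndex(normalized, "@")
	return at >= 0 && disposableDomains[normalized[at+1:]]
}

func main() {
	n, err := NormalizeEmail("Jo.Hn+promo@GetNada.com", true)
	fmt.Println(n, err, IsDisposable(n)) // john@getnada.com <nil> true
}
```

Normalizing before the uniqueness check is what makes the disposable-domain lookup and the sub-addressing collision happen on the same canonical identifier.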