Additional validation via passed referrer or curl/ping on the domain

Created on 18 December 2023, over 1 year ago
Updated 22 March 2024, about 1 year ago

Problem/Motivation

This module is really great and really blocks a lot of SPAM registrations, but the spammers have now found a new way. Primarily in my example it is the service https://temp-mail.org/, which is blocked in the settings of the module, but the service generates valid e-mail addresses. The MX check is also displayed as true and therefore registration is enabled. I am currently seeing a lot of spam registrations from India and unfortunately this cannot really be blocked effectively.

Blocking domains is useless because the service always "generates" a new domain in the email. The only thing I have been able to determine for each registration is the referrer, which is always output as https://temp-mail.org/. It would be nice if we had an additional field where referrers could be specified so that a registration could be successfully blocked.

Alternatively, perhaps as an additional idea, extract the domain from the email. Then execute a curl/ping on the domain; if no status code 200 is delivered, then block the registration. With this variant, however, a configuration field would still have to be inserted for white card domains. Large corporations, for example, use a different domain for the emails than the site itself. The domain in the email cannot be reached from the outside either; here you should be able to explicitly allow registration to be permitted.

The state interface should be used at this point for the new field, because the collection of referrers could grow quickly. However, if the values are always saved as a configuration, a special deployment must always be executed here, which is quite cumbersome.

Steps to reproduce

  1. Generate a new email with the service https://temp-mail.org/
  2. Alternatively, test this generated email: wewome7539@beeplush.com
  3. Register with the newly generated email

Proposed resolution

Additional custom field for referrer, solved with the Drupal StateInterface API

Remaining tasks

User interface changes

API changes

Data model changes

Feature request
Status

Closed: works as designed

Version

1.0

Component

Code

Created by

🇩🇪Germany zcht


Comments & Activities

  • Issue created by @zcht
  • 🇦🇺Australia darvanen Sydney, Australia

    @zcht this is probably due to a recent issue where the blocklist our third-party library uses disappeared:

    https://github.com/stymiee/email-validator/pull/4

    The email domains used by temp-mail.org do show up on blocklists, so we just need to help the library find a new one to use, or do so ourselves. There are several paid API endpoints; we could offer a plugin system for connecting to and using those lists.

    I would prefer that approach since it takes the admin work of spotting referrers away from site admins who have less technical capability than you or I. I also don't wish to get into the kind of complexity that comes with pinging email domains for a response. You're very welcome to write a sister module that does either of your requested approaches if you want; I'm very happy to introduce events to support that, which you could subscribe to in said module.

  • Status changed to Closed: works as designed about 1 year ago
  • 🇦🇺Australia darvanen Sydney, Australia

    Three months with no further activity. I'm going to close this but if anyone wants to reopen to continue the conversation please feel free.
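
The blocklist approach discussed in this thread, sketched as an added example; it is not code from the module or from stymiee/email-validator. All function names and both lists are hypothetical, the sample entries are constructed (the `beeplush.com` address is the one from the issue), and letting the allowlist override the blocklist is an assumption of this sketch.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: lower-cased domain of an address, or null if malformed.
function email_domain(string $email): ?string {
    $at = strrpos($email, '@');
    if ($at === false || $at === 0 || $at === strlen($email) - 1) {
        return null;
    }
    return rtrim(strtolower(substr($email, $at + 1)), '.');
}

// True if $domain or any parent domain is a key of $list, so a
// subdomain such as "mx.beeplush.com" matches the entry "beeplush.com".
function domain_listed(string $domain, array $list): bool {
    $labels = explode('.', $domain);
    // Stop before the bare TLD so a stray "com" entry cannot match everything.
    while (count($labels) >= 2) {
        if (isset($list[implode('.', $labels)])) {
            return true;
        }
        array_shift($labels);
    }
    return false;
}

function registration_allowed(string $email, array $blocklist, array $allowlist): bool {
    $domain = email_domain($email);
    if ($domain === null) {
        return false;
    }
    // Assumption: the allowlist wins, so an admin can permit a domain
    // that a third-party blocklist flags by mistake.
    if (domain_listed($domain, $allowlist)) {
        return true;
    }
    return !domain_listed($domain, $blocklist);
}

// Constructed sample data; a real blocklist would come from a maintained feed.
$blocklist = array_flip(['beeplush.com', 'disposable.example']);
$allowlist = array_flip(['mail.corp.example']);
$samples = ['wewome7539@beeplush.com', 'a@MX.Beeplush.com',
            'user@mail.corp.example', 'user@example.org', 'not-an-address'];

foreach ($samples as $email) {
    $verdict = registration_allowed($email, $blocklist, $allowlist) ? 'allow' : 'block';
    printf("%-26s %s\n", $email, $verdict);
}
```

Keying both lists by domain (`array_flip`) keeps each lookup constant-time, which matters once a feed holds tens of thousands of entries.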
