8mo ago

For security reasons

Please use a personal email. My email is 'mail' @ 'my actual name'. It does not get more personal than that

But you can't use emails starting with mail@, admin@, support@, info@, main@, etc.

Instead they advised me (3 times) to create a personal email on a service like Yahoo, Outlook, Gmail, Orange, etc

124 comments

Security professional here. This is legit a good call on their part. It's because those types of addresses won't bounce emails but aren't necessarily in your control; it's very, very easy to spam those petition forms with mail@ for a million real domains without bouncing the emails, making them seem legit.
You own your domain, obviously, so it's really as simple as creating a forwarding/alias address of "changeorg@domain.tld". If creating a forwarding/alias address is that much of a problem for you I suggest that you likely shouldn't be hosting your own email in the first place.
Your laziness isn't a good reason to be upset with a company taking steps to reduce their security overhead significantly
- They do though mention "+" and "-" also banned in the username part, which is kinda annoying
  
  Yeah I agree that one seems silly on the surface but for their specific situation I understand why: services like Gmail allow using a + to create faux-labels. So for example foo@gmail, foo+bar@gmail, and foo+baz@gmail all get delivered to the same account. For change.org that's a problem because it allows a single email account to fill out the form many times.
  Ideally, they would simply truncate everything after and including those symbols but it's possible other services have different rules (maybe yahoo let's you prepend faux-tags instead of appending them, or something like that) so simply blocking their use altogether could be the more robust solution
  
  that's to stop people from spamming signatures with user+1@gmail, user+2@gmail, user+3@gmail, etc.
- Security professional here too. Agree that this is reasonable, and making a big deal about it is kinda meh.
  
  making a big deal about it
  Maybe I’m wrong but isn’t this sub for posting minor annoyances?
- They send a mail asking to confirm my email by clicking a link. I can't see how spam registering with those emails would work
  
  My understanding is that signing a petition and creating an account aren't necessarily linked, and it's up to the person who created the petition whether verification is required.
- Catchall - the new spam bin ;-) It's soooo good to have your own domain for mail...
  
  I have been using catchall on my domain since 2002. I have never told anyone any of my real accounts. When I have to send an email, I just add that account (change@ whatever), send the e-mail and delete the account afterwards, rebanishing the company to my catchall. I’ve had it scripted for ages.
  When I do get an unsolicited email from let’s say ShittyCompany Inc, I set up a rule to forward all incoming shittycompany@(mydomain) emails to info@ shittycompany. This way they just spam themselves. Takes 2 seconds to run the script and I never see emails from shittycompany again.
- Web developer here. The problem here is not with emails but with change.org's business model, which is reliant on lying to people that their petitions actually mean anything. But, anyone with half a brain cell can easily spot that they don't have any legal backing whatsoever nor do they do any kind of identity verification, therefore those petitions are completely worthless. They might as well not give a fuck and allow cheating. For all they care, it only boosts counters and makes them appear more popular than they actually are.
- Your laziness isn’t a good reason to be upset with a company taking steps to reduce their security overhead significantly
  Your laziness isn't a good reason to add an unnecessary barrier of entry for your users.
- Let’s talk about the security of using email to do anything in this day and age.
  
  You're not wrong, but this isn't really a security matter, it's an "apparent uniqueness" matter. Their goal, I assume, is to satisfy critics enough that a given petition's participants are sufficiently unique while keeping the barrier to filling out the form as low as possible. So they end up in a situation where neither of perfect, but they're both "good enough" for what the business needs.
  I dealt with this in the anti-cheat space: my goal was never to remove all cheating, because that's too expensive (insanely so). My goal was to make the public believe they weren't playing against cheaters too often. If the solution was forcing the cheaters to perform at a level that was just below the most skilled human players, that was actually a success, because if the players can't differentiate between cheaters and pro players, then they can't effectively determine how prevalent cheating actually is.
  Part of me hated that we had to treat it that way, but another part of me understood that if I pushed too hard on "eliminating cheating" my department would become more costly than it was worth and they'd pivot away from gameplay that needed anti-cheat at all

If you own the domain being used, I assume you also host your own email... You can't just make a new address for this and have them all forwarded to your actual email?
"This_is_not_generic" @ "your actual name"
Unless they block that too, I don't think they're trying to force those services on you; they're just popular options and this is an automated response sent by an automated process that only checks the first half of the email and not the domain.
- It's pretty common to own a domain but not actually host the email server; doing on-premises email is a security PITA and most providers simply blacklist large swathes of residential and leasable (e.g. VPS) IPs.
  Unfortunately, if you get someone else to host your email, they often charge by the account, not by the domain. Setting up a new mailbox is therefore irritatingly expensive.
  A catch-all email works well, though, and is free from most of the hosting providers. Downside is you get spam...
  Jane@JaneDoe certainly seems more common than mail@JaneDoe.
  
  Aliases also exist, that's what I use.
  My main e-mail Is name@surname.tld
  
  Check out PurelyMail - only charges by emails sent/received and storage. No limits on accounts or domains connected.

Create an alias and set forwarding
- "why should I change? He's the one who sucks!"
  
  Ah, the age old "right" vs "effective" argument.
- I've got a catch-all setup to go straight to my spam folder, OP could do something similar.

I haven't ever used it, never signed a petition, but isn't change.org only about petitions? I can kinda see their reasoning.. They may even have had their hand forced to do it.
Loads of people who want their way probably signed up with tons of accounts to skew the results. If it's going to work, I guess they need to be able to show that they're legit, out at least that change.org are doing their best to make it that they are.
It's easy to set up one gmail account for example and use it a million times with moving a dot throughout the name or putting a plus sign and anything after the username but before the @ symbol.
- They still require you to confirm the email by clicking a link sent to that email, although someone mentioned that this may be an option to the creator of the petition
  I do understand the requirement of not using . or + but blocking mail@ info@ seems too extreme to me.
  
  Automailers often have names like that i.e. noreplymail@companyname.com so it may be more about stopping spam or stopping people from using spam email accounts.
  
  Can be automated. Creating a new e-mail account is more annoying.

Ah, change.org. I remember when they said "you can sign a petition without an account, just a mail validation", immediately followed by "if you don't create an account, the validation link in the mail will not work, fuck you".
Guess they didn't really want people to engage.

That's quite a sensible rule, actually.

Please use a personal email. My email is ‘mail’ @ ‘my actual name’. It does not get more personal than that
It's a legit rule they're enforcing, IMO. Generic email addresses are usually unmonitored mailboxes that don't bounce. Easy to use if you're spamming contact forms and stuff like that.
Instead they advised me (3 times) to create a personal email on a service like Yahoo, Outlook, Gmail, Orange, etc
I think this is more a boilerplate suggestion, to lower the barrier to entry for people. Gotta remember, those of us that host our own email and/or use our own personal domains are definitely in the minority.

lol “security” in this case is probably more like expediency in trying to solve a spam problem
- Yes, so they don't become a spam proxy filling up RFC 2142 address names.
  
  Security ain’t free.

Here's the thing, you own the domain, set up what ever email alias you want and send it to your primary.
- Yeah, I just set up a catch-all and use individual emails for everything, like the gmail + trick but without sites rejecting + characters occasionally.
  Of course, I have several domains and one is a .rodeo that some older sites refuse to believe is a TLD so there's that problem...

Maybe we can start a change.org petition to get this resolved.
- We can, op can't
  
  This took me too long to figure out🤣

As a person who ages ago created and single letter (before the @) email address thinking myself clever and efficient... I'm amazed and distressed how many forms have insisted that my email address is invalid.
- Some developers prefer using half-baked regexes from stackoverflow, rather than reputable libraries for email address validation.
  
  Hmm. Why am I mildly surprised that I can't find anything non-regular about the syntax. There's nested comments but that's part of MIME quoting, not the actual address format, so it's reasonable to not accept those in an HTML entry field because HTML is many things, but not MIME.

fuckyouchangedororg@my.actual.name
- You really showed change.org, buddy.
- Unfortunately, I've run into plenty of sites that won't accept subdomain email addresses.
- OP needs to use this alias.

This is a feature, not a bug. The rest of us don’t want crap being sent to admin email addresses, so fix your damn email and try again.
Personally I use generated email addresses to most places, but my personal address is
<FIRST>
@
<LAST>
.us
- The email i was trying to use was mail@ my actual name and surname.
  It is very handy to share and easy for people to remember.
  I dont feel that it needs fixing when it is perfect for me and my needs but not for some company that needs to be overly careful
  
  Bro. You can't sign a petition on change.org.
  Just move on with your life.
  
  My friend uses me@
  <their name>
  , wonder if that would work better
  
  Would an alias solve this?
- I have all my admin/mail/webmaster/etc blacklisted a long time ago because those are the that get spam first when spammers parse lists of registered domains.
  I wonder if abuse@'s get any spam...

If your domain is your actual name, then it should be trivial to create an SMTP alias for mail@domain.com that is for yourname@domain.com.
Attach that to your email address and inbound email for either will get to you, but only your primary address will be used for outbound communication.
Another fun one...
Gmail ignores periods in addresses.
So firstnamelastname@gmail.com also gets email for:
firstname.lastname@gmail.com
first.name.last.name@gmail.com
Or any combination...
f.i.r.s.t.n.a.m.e.l.a.s.t.n.a.m.e@gmail.com

Then I guess for security reasons you won't be signing up.

Wouldn’t it make more sense to alias out each place you submit an email address to, so you can see who sells your contact details or otherwise gets hacked?
Eg: changeorg@yourna.me, netflix@yourna.me etc.?
- I just go with full domain names. Like change.org@yourna.me. Even combos where data is shared, like shop.com-bank.org@your.name or jitsi.corp-gravatar.com@your.name. But some places actually went out of their way to disallow their own domains anywhere in the field. I've encountered it maybe like 3 times across all of ~1000 logins I have in my password manager.
  And the amount of times I had to explain to people that yes, this is a legit email, yes it has your company's name and your personal name in it, it is exactly as intended, so don't send me spam because I will know it was you who sent it...
- This is exactly what I do. When I start getting a bunch of spam addressed to Walmart@[my domain] I can blanket filter that straight into spam because I know Walmart sold my info.
- Yeah i set up a catch all mail now. It just seems like a very defensive method to me.

Set all mails addressed to your domain but to the wrong email to be sent to your primary email. Then sign the petition with "
<service_you_are_signing_up_fo>
@yourname.com".
- Yeah. I didn't have a catch all mail and have set it up now. I was just surprised and 'mildly infuriated' that they would block this
  
  Catch all is better you can see who's selling your email lol
- I do this with my domain and it works great.
  Only negative I’ve had is that people with a similar name have ended up signing up for things and misspelling theirs with it ending up on mine.

Is it possible to create an alias like fuckchange@domain?

Had something similar happen with indiegala. Had an account with them for years, then one day, could not purchase some games randomly. Hit up their support and got the answer "Oh, the purchase was denied because your account's email address is detected as a temporary email address".... The email address I've been using on that account... for years.... Is temporary.

As others have said, I'd suggest either:
enabling a catchall address (which will redirect to anything@yourdomain.com --> spam@yourdomain.com)
creating an alias: something@yourdomain.com --> mail@yourdomain.com
Both are done on your server/hosting side.

From the end user standpoint...my interest in reading about much less signing this petition just plummeted

This continues to really piss me off. I have a domain with a .xyz top level, and i’ve encountered more than a handful of services, that either repeatedly tell me I’ve meant to enter something else, or straight up block me as a spammer

I create a new alias account on my email server for each new account. That way when I am done with them I can just delete it and never get their spam ever.

Yeah I also have a non-standard email address, and I occasionally run into systems that aren’t properly set up to handle odd domains. I’ve definitely seen the “Please enter a valid email address. Make sure it ends with @gmail/yahoo/outlook etc” messages before.
- Nonstandard email sounds so wrong! As long are it is valid, there should be no limits. Especially if they ask you to confirm by clicking on a link in a mail
  
  Oh I agree. But there are a lot of systems that don’t even recognize TLDs outside of .com, .org, and .net.

So which corpo monitored email address did you end up going with?

abuse@website-im-visiting.com probably wouldn’t work as well …

They're advising you to use a personal email that is tied more directly to your name or identity, like using Yahoo Mail, Outlook, or Gmail, which they view as more personalized.
If you'd like, you could try creating an email address with your actual name (or a variation) on one of the recommended services, like: yourname@gmail.com yourname@yahoo.com This should resolve the issue

they want the DMARC ><

But you can't use emails starting with mail@, admin@, support@, info@, main@, etc.
If it's exactly stuff like "mail@", many mail systems will redirect stuff with a plus suffix to your main mailbox, like "mail+changeorg@". That might be okay.
- The image says they also exclude + and -.

Stop using self hosted email. It's just not worth the hassle.
- I like that i have control of my mail, that it is not being used to track me or target ads and also that i dont need to work about storage
  For me its pretty good!
  
  Hey! Don't mean to butt in, but what's some pointers? I currently have resend set up for my personal site, but would like a fully fledged email server
- Its only a hassle because they want to read all your emails. Self hosting shouldn't be hard it should be an option for everyone always.
- Who said it's self hosted? For what we know he could be paying $200 a year to Microsoft for his personal mail@domain account under the most expensive office365 plan (sorry, did it change name? What's called now? Microsoft 365?)
  
  Frustratingly, those are actually two separate plans.

Could you not just make a second email account that you just use for things like this? Why is the only alternative to use your personal account? It takes like 2 minutes to make an alternate Gmail account lol

124 comments