1w ago

Detecting throwaway email addresses during registration

Spammers, trolls, and ban evaders often use temporary email addresses. PieFed now checks a list of known temporary email providers and displays a warning icon next to registrations that use such services.

If registration mode is set to "Open" (no approval needed) then the site admin(s) receive a notification instead.

A throwaway email address isn't always a bad thing but it's one factor that admins might want to take into account.

46 comments

I have to chime in and say this feels a bit underthought feature. I use a throwaway email for everything possible, and I would imagine a large portion of Fediverse users do that too.
I also get the motivation behind the feature. I didn't feel like throwaway addresses are worth it before I started using them. They may seem like an obvious spammer flag. But I'd say it's 50/50, just like with any free email provider like gmail or Proton mail.
- Throwaway emails seem kind of necessary on small, underdeveloped, easily hacked websites.
- We'll see. If it turns out to be useless noise, I'll remove it from the signal.
  
  I think it's good that it's a simple flag and not an outright block.
  It's just a way for admins to see "maybe take a closer look at this registration."
  I'm sure there are a lot of legitimate users that use these types of emails, though.
- You say it's 50/50 based on your own experience/anecdotal evidence. Admins will probably be able to make that determination with a much greater deal of accuracy based on what they see happening on their instance. So it makes sense to leave the choice to them/enable them to make that choice, right?
  
  True, I failed to mention that I think there could be a setting to enable the feature, or dismiss the warning per-account. @rimu@piefed.social maybe consider this?

Hello! Representing a real human with a throwaway registration 👍
- Yeah but we all know you're a troll @RumorsOfLove@lemmy.dbzer0.com
  
  What? Looking at your comment history, I see you as a sincere participant. So what is it in my profile that bothers you?

Also a real human with a throwaway registration address!
- Same!

Does this include people that use email aliases to keep the connections between accounts harder to make? I pay for this service so it's genuinely not a throw away account. Just a way to maintain some privacy.
- I don't know which service you use or whether it is on the list. But if it's a paid service then it's probably not on the list. Things on the list are like https://10minutemail.com/ or https://www.guerrillamail.com/
  You're free to maintain your privacy and admins are free to weigh the potential risk of accepting an application with a warning icon on it. I'm sure there will be plenty who ignore it.
  
  I appreciate the straightforward answer of you're not sure answer (no sarcasm) . I just want to make sure paranoid people like me can still participate and I keep their level of privacy

I have to say that's extremely unfortunate that you would add such a feature. We use aliases to maintain our privacy and this is come corpo surveillance shit. Not cool.
- Aliases are different and not flagged by this feature. It just looks at domain names.
  Multiple big Lemmy instances have been using the exact same blocklist for a long time (although it's not a core feature, they've patched it in somehow). I got the idea by lurking in the Lemmy matrix rooms and seeing their discussion.
  
  Aliases are different and not flagged by this feature.
  How are they meaningfully different? I just checked the list you posted above and several of the alias domains I use are on that list.
  I got the idea by lurking in the Lemmy matrix rooms and seeing their discussion.
  Did you think about it before implementing it?
- @Ulrich @rimu
  Ok, but that's not the only use case for it. It's also used by spammers and abusers to make everyone else's lives worse and it's admins who have to bear the brunt of that.
  So I think it's fair to give them the option to weigh the costs and benefits of allowing it and then either do or not do something about it.
  
  This is just lazy discrimination and a deep disrespect for the privacy of your users. If you can't be bothered to actually admin a community properly then don't create a community.

I don't really understand the hostility to this. Do users understand why emails are part of account registration in the first place instead of letting you sign up without an email?
- I literally do not.
- Because people forget passwords and demand a password reset mechanism. Also a place to send terms and conditions and changes to those.
- To be fair Lemmy does allow you to sign up without any email at all (or at least used to, dunno if they changed it), so it's not surprising that this goes against many peoples expectations.
  
  Pretty much every Lemmy instance requires email. The only ones that do not require it are small enough that spammers haven't found them yet.

Seems like an overreach. Most spam I see is from gmail.com not alias services.

i don't have a dog in this race but i must say that this is quite the spectacular manner by which to throw the babies out with the bathwater!
- literally 1984!

- It's just a warning, you can still register using it I'm pretty sure
  
  Yeah. Just off to the right of the screenshot is the approve button which didn't seem relevant at the time.

Nice, Another powerful feature admins can use if they want.

The more important demographic to use temporary email addresses are people who think their identity is not your concern.
Ah, OK, that's mentioned.
IMHO something like WoT in Freenet would be better. Having many cryptographic identities, but to start using one you have to spend effort confirming it's real. Solving captchas or whatever. Of course it's an obsolete solution, captchas are now solved by bots easier than by humans. But you get my idea.
- their identity is not your concern
  There are competing concerns. The instance admin is concerned with avoiding de-federation by keeping the amount of spam and abuse coming from their instance to an acceptable level, without burning out. Some people signing up are concerned about their privacy. (Although this doesn't actually diminish their privacy or stop them from using a throwaway email address. It does suggest that their application needs extra care, tho.)
  There's a balance to be struck.
  In this case I'm leaning towards the side who pays the bills and the one who decides which software to install on their server. Without getting those people on board there won't be a place to apply for an account with and then act all distrustful about.
  Someday when I make my super awesome instance-finder, maybe "Email address is optional" will be one of the filters. Along with "Bans for criticism of China".
  
  Although this doesn't actually diminish their privacy or stop them from using a throwaway email address
  That's exactly what it does.
  Without getting those people on board there won't be a place to apply for an account
  What does it matter if there's a place to apply for an account if I can't use it? Better not to exist at all.

46 comments