Ban registering with fake 10 minutes email about backend HOT 5 OPEN

@JadonZufall Good work.

Admins need to add domains to valid domains. So we need to have a model in database containing valid domains creted by admins.Also we need django admin parts too.

We can check VALID_DOMAINS first then query db for more valid domains, or maybe a cache mechanism for performance that work with create or update events of valid domain model.

Also I think email_split[0] not in BANNED_CHAR does not return the required result. because you have more than one char in email_split[0]. I porpose using some piece of code like all([char not in email_split[0] for char in BANNED_CHAR])

from backend.

@sbabashahi
ahh shoot you're right about the email_split[0] not in BANNED_CHAR in my head I was thinking '+' in email_split[0] but I thought I would add it to a list in case there were other domains that also did something similar to gmail. But you seemed to have figured it out so don't think that should be a problem.

from backend.

Something like this?

BANNED_CHAR = ['+']
VALID_DOMAINS = ['gmail.com', 'outlook.com', 'inbox.com', 'icloud.com', 'mail.com', 'yahoo.com', 'hotmail.com', 'aol.com', 'hotmail.co.uk', 'hotmail.fr', 'msn.com', 'yahoo.fr', 'wanadoo.fr', 'comcast.net', 'yahoo.co.uk', 'yahoo.com.br', 'yahoo.co.in', 'live.com', 'rediffmail.com', 'free.fr', 'outlook.com']
SPECIAL_DOMAINS = ['edu', 'gov']

def email_check(email) -> bool:
    email_split = email.split('@')
    if email_split[0] not in BANNED_CHAR and email_split[1].lower() in VALID_DOMAINS:
        return True
    else:
        if email_split[1].split('.')[1] in SPECIAL_DOMAINS:
            return True
        else:
            return False

Banned chars because gmail lets you create infinite emails by doing + and then some string, not sure if other domains do it might be something to look into.

I took the top 20 or so domain names and put them in as valid domains.

If the domain name ends in .edu or .gov that generally means the email is valid as they don't just hand those out I'm sure there are a few more of those I just can't think of but those are the primary two at least for the US.

If you needed to change these on the fly you could do it from a database or just read / write a file.

You could also probably do this a little bit faster with regex.

from backend.

@sbabashahi
What about put off sending authorization email? Like 24 hours? Most of the temporary email services would expire in less than 24 hours.

from backend.

About the + character it may used for identify email sender. Personally I use it like [email protected], By this simple trick I can identify where my email exposed for advertisement and which website sell email address. I think its not good idea to block this character in email address.

About temporary email provider there is some services which can identify email address & phone and provide some information about them, Like as is there temporary or not and more.
Some providers:

• https://www.apivoid.com/api/email-verify/
• https://debounce.io/free-disposable-check-api/ (free)

Out of the context, I like SSO and think its most useful and efficient way to identify users and prevent spam. Also it have good user experience which users can sign-up/sign-in with just one click select their favorite SSO provider.

Oh, I just seen we have SSO by Google already.
I think we can add more SSO provider like Apple, Github, Gitlab, Twitter & etc and then, get rid of signup with email.

from backend.