My domain is considered disposable #13230
It may be just using a domain that isn't a known large email provider (assuming this is your personal domain) |
Yes, it is my personal domain. I even use it as my username on lichess and github :-) |
Sorry, I see that this is probably too much information. But I want to provide you a good context for the issue:

Email setup

About SimpleLogin

I know that SimpleLogin has a bad reputation for creating burner addresses, but that is not the use case for me at all.

Q&A

Q: Why don't you use one of your secret proton addresses on Lichess? Lichess will after all never abuse this information!
A: If Lichess has a security breach, my secret email address would be exposed all out in the open, and I would then permanently lose all protection against spam. I also consider this a potential threat to my privacy.

Q: Why don't you create an email address in proton that is only used for Lichess?
A: Proton only allows 15 email addresses in their paid plan, and I have unfortunately used them all.

Q: But you are using SimpleLogin, doesn't that mean that your email is disposable?
A: No, torsteinws.no is deeply tied to my identity. I always use torsteinws as my username on online services (just look at my github and lichess profile), and the domain was very hard to get due to all the restrictions that are imposed on Norwegian TLDs.

Q: Why are you so adamant on keeping your proton addresses secret?
A: Using aliases to keep the addresses secret is the best protection I have against spam and online privacy abuse. I intend to have these addresses for the rest of my life, and I must therefore follow a zero trust policy. |
I have the exact same issue. I'm using my own personal domain, which I purchased myself and which is only used by myself. Yet I get the error: Please fix, and block only the SimpleLogin disposable email domains, they are: |
I'm facing the same registration issue using my own domain, I'm also using SimpleLogin to redirect my mail to my Proton Mail account. |
Exact same issue here. Lichess should not blacklist personal domains even if they're tied to Simplelogin which can do a lot more than disposable emails (for which a known list exists). |
100% agree. My domain tied to protonmail works, but the domain I use for SimpleLogin does not. Both are my own domains. |
Not sure when the changes were made, but I registered almost three years ago with a custom domain. Tonight, trying to update my email address to a different custom domain, I ran into the dreaded "This email domain has a poor reputation and cannot be used" message, which seems a bit overzealous... |
Is I found your email address on your github profile. |
Nope, it's another domain that I use for signups. Pretty much never used for outbound email, only for receiving, which might be why it has "no" reputation. |
hey! I'm experiencing the same problem. My domains are hosted at Fastmail. Cannot use disposable email addresses (Blocklist). |
I just checked and lichess is telling me that airpost.net is ok? |
I also have a similar problem with the rnrbros.com domain. It's my personal domain hosted at fastmail.com. Now I have |
verifymail.io, our disposable email detection provider, recommends blocking that domain: https://verifymail.io/domain/rnrbros.com |
All the people with domains of their own could indeed take it to them, on a case-by-case basis, but it seems that their "privacy/alias" detection seems like a very blunt instrument. I'd go so far as to say it's broken. I checked a handful of domains I own that are not "privacy/alias" domains — they're just Fastmail-hosted domains — and this site misclassifies all of them as "privacy/alias". It seems like they have their "detection" dialed all the way up so as to drop false negatives to basically zero, at the cost of absurdly frequent false positives. |
I agree that's a problem... Yet we need some sort of throwaway email detection for 2 reasons:
That's literally all we use emails for, but it's quite important. We get dozens of support requests every day from people who used a throwaway email address and have forgotten their password. I'll look into accepting email domains that verifymail.io classifies as "privacy/alias". |
Which is what I did, earlier today. I tried to sign up, as a first-time user, with a domain I'm 100% certain has never been used on this service before. They misclassified me. |
I deployed the change above this morning. |
Thanks for doing that. I suspect this isn't going to make any difference to the people who've been active in this thread. Take, for example, https://verifymail.io/domain/rnrbros.com that you linked to above; that one is returning "Block: true", "Disposable: false", "Privacy: true". I checked all of my Fastmail-hosted domains, and they are all like that. I gather the "Block" recommendation is coming because they are "Privacy: true"? I am reasonably sure that in my case, the domains aren't being used for outbound abuse (Fastmail has SPF + DKIM set up by default, lacking only DMARC). As far as I can tell, "Privacy: true" is going to lead all Fastmail-hosted domains to have a "Block: true" recommendation, based on what I see in the verifymail.io FAQ: |
I think your observation is correct, but your conclusion does not follow from the code for me. I looked at 38419c0, which gives me the impression only To add to your observation: verifymail got back to me and confirmed that Now, the website as currently deployed still rejects my domain in the registration flow, with error |
Looking a bit further (oh FOSS ❤️🔥), I think the relevant bits of code are:
Possible error messages: lila/modules/security/src/main/EmailAddressValidator.scala, lines 92 to 105 in a5d134f
Blacklist checked first, then DNS, then verifymail: lila/modules/security/src/main/EmailAddressValidator.scala, lines 49 to 58 in a5d134f
verifymail API calls are cached: lila/modules/security/src/main/VerifyMail.scala, lines 50 to 51 in 4ffd642
That blocklist is constructed at startup and refreshed every so often: lila/modules/security/src/main/Env.scala, lines 134 to 140 in a5d134f
Like this: lila/modules/security/src/main/DisposableEmailDomain.scala, lines 20 to 28 in a5d134f
Defined as: lila/modules/security/src/main/Env.scala, lines 118 to 121 in a5d134f
Using all cached domains that failed the verifymail API: lila/modules/security/src/main/VerifyMail.scala, lines 33 to 46 in 4ffd642
So the good news is: worst case this bug solves itself in 100 days, going by the default expiration logic 😉 I did not play (li)chess tonight, but I still had some fun. Thank you for your work on this project, the passion shows. |
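The check order traced through the lila sources in the comment above (static blocklist first, then DNS, then the verifymail lookup, with verifymail verdicts cached and every cached failure folded back into the blocklist), as an added Python model. This is not lila's own Scala code and not verifymail.io's real API: the `VerifyMailResult` fields are modelled only on the three values quoted in the thread (Block / Disposable / Privacy), the lookup tables and the 100-day `CACHE_TTL` are constructed for the example, and `DNS_MSG` is a made-up message. It shows why switching the acceptance rule from the provider's raw "block" recommendation to the narrower "disposable" flag does not immediately unblock a domain whose earlier failure is still cached, and why that failure expires with the cache.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class VerifyMailResult:
    """Subset of a verifymail-style verdict: the three fields quoted in the thread."""
    block: bool
    disposable: bool
    privacy: bool

# Constructed stand-in for the verifymail.io lookup (not the real service).
FAKE_VERIFYMAIL = {
    "rnrbros.com": VerifyMailResult(block=True, disposable=False, privacy=True),
    "burner.example": VerifyMailResult(block=True, disposable=True, privacy=False),
    "mailhost.example": VerifyMailResult(block=False, disposable=False, privacy=False),
}
# Constructed stand-in for the DNS/MX check: domains assumed to have an MX record.
FAKE_HAS_MX = {"rnrbros.com", "burner.example", "mailhost.example"}

CACHE_TTL = timedelta(days=100)  # assumed cache expiry, taken from the comment above
BLOCKLIST_MSG = "Cannot use disposable email addresses (Blocklist)."
REPUTATION_MSG = "This email domain has a poor reputation and cannot be used"
DNS_MSG = "Email domain has no MX record (constructed message)"

class EmailDomainValidator:
    def __init__(self, static_blocklist, accept_privacy_alias, now):
        self.static_blocklist = {d.lower() for d in static_blocklist}
        # False: reject whenever the provider says block=True.
        # True: reject only genuinely disposable domains, so privacy/alias hosts pass.
        self.accept_privacy_alias = accept_privacy_alias
        self.now = now  # injectable clock so expiry can be exercised offline
        self._cache = {}  # domain -> (accepted: bool, fetched_at: datetime)

    def _verifymail_accepts(self, result):
        if self.accept_privacy_alias:
            return not result.disposable
        return not result.block

    def _cached_verdict(self, domain):
        """Return the cached accept/reject verdict, dropping entries older than CACHE_TTL."""
        entry = self._cache.get(domain)
        if entry is None:
            return None
        accepted, fetched_at = entry
        if self.now() - fetched_at >= CACHE_TTL:
            del self._cache[domain]
            return None
        return accepted

    def current_blocklist(self):
        """Static list plus every cached domain that failed the provider check."""
        learned = {d for d in list(self._cache) if self._cached_verdict(d) is False}
        return self.static_blocklist | learned

    def validate(self, email):
        """Return None if the address is acceptable, else the rejection message."""
        domain = email.rsplit("@", 1)[-1].lower()
        if domain in self.current_blocklist():
            return BLOCKLIST_MSG
        if domain not in FAKE_HAS_MX:
            return DNS_MSG
        accepted = self._cached_verdict(domain)
        if accepted is None:
            result = FAKE_VERIFYMAIL.get(domain)
            # Unknown to the provider: nothing to hold against the domain.
            accepted = True if result is None else self._verifymail_accepts(result)
            self._cache[domain] = (accepted, self.now())
        return None if accepted else REPUTATION_MSG

def demo():
    """Walk a privacy/alias domain through the policy change and the cache expiry."""
    clock = {"t": datetime(2023, 6, 1)}
    v = EmailDomainValidator(["burner.example"], accept_privacy_alias=False,
                             now=lambda: clock["t"])
    steps = [v.validate("user@rnrbros.com")]       # block=True -> reputation error, cached
    v.accept_privacy_alias = True                  # the policy change from the thread
    steps.append(v.validate("user@rnrbros.com"))   # still rejected: cached failure is in blocklist
    clock["t"] += timedelta(days=101)              # cache entry expires
    steps.append(v.validate("user@rnrbros.com"))   # fresh lookup, disposable=False -> accepted
    steps.append(v.validate("user@burner.example"))    # static blocklist hit
    steps.append(v.validate("user@mailhost.example"))  # clean domain
    steps.append(v.validate("user@nomx.example"))      # fails the DNS step
    return steps

if __name__ == "__main__":
    for step in demo():
        print(step)
```

The second step is the situation the comment describes: the deployed rule has changed, but the cached verdict from the old rule keeps the domain on the blocklist until the entry ages out, so a practitioner shipping such a policy change would also clear or re-evaluate cached rejections rather than wait for expiry.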
Changing the email address to an email with the domain torsteinws.no gives the following error:
Cannot use disposable email addresses (Blocklist).
I would not call Norwegian top level domains disposable because they are actually difficult to get. In fact, I would argue that email addresses with Norwegian TLDs are more linked to your identity than other email addresses. Here is why:
In order to get a Norwegian TLD you have to:
Furthermore, in order to get a BankID you have to physically meet up at a Norwegian bank to verify your identity. There you will have to show your passport and so forth.