
I would like to know of the possible ways to block disposable email addresses from registering in my website.

For simplicity, let's take the example where the registration form of the website is done with HTML and PHP.

Any ideas, solutions or suggestions would be greatly appreciated.

 Answers

4

This is tough, because neither whitelisting nor blacklisting is an option.

By whitelisting certain domains, you disallow people with email domains that are unknown to you (but might be perfectly valid), while by blacklisting you have to update the list of blacklisted domains on a daily basis, since new "10 minute email" domains emerge every day.

Please note that temporary email addresses are invented for a way of saying: "Hey, I don't trust this website with my own email address", so you're most probably not going to trick users that are willing to hide their real address since they've got a valid reason to do so.

Can't you adopt and implement something like OpenID?

Tuesday, December 6, 2022
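For the PHP registration form in the question, a blocklist check of the kind this answer weighs could look like the sketch below. It is an added example, not code from the answer: the function names are hypothetical, the listed domains and sample addresses are constructed placeholders, and the list only helps if it is refreshed regularly, as the answer points out.

```php
<?php
// Added example. Blocklist entries and addresses are constructed placeholders.

/** Build a lookup set from one-domain-per-line input ("#" starts a comment). */
function load_blocklist(array $lines): array
{
    $set = [];
    foreach ($lines as $line) {
        $d = strtolower(trim($line));
        if ($d !== '' && $d[0] !== '#') {
            $set[$d] = true;
        }
    }
    return $set;
}

/** Lower-cased domain of a syntactically valid address, or null. */
function email_domain(string $email): ?string
{
    $email = trim($email);
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return strtolower(substr(strrchr($email, '@'), 1)); // part after the last "@"
}

/** True if the domain or one of its parent domains is listed. */
function is_disposable(string $domain, array $blocklist): bool
{
    $labels = explode('.', $domain);
    while (count($labels) >= 2) {        // never test a bare TLD
        if (isset($blocklist[implode('.', $labels)])) {
            return true;
        }
        array_shift($labels);            // drop the left-most label
    }
    return false;
}

$blocklist = load_blocklist(['# constructed sample', 'tempmail.example', 'ten-minute.example']);
$inputs = ['alice@tempmail.example', 'bob@MX1.Ten-Minute.example', 'carol@example.org', 'not-an-email'];
foreach ($inputs as $input) {
    $domain = email_domain($input);
    $verdict = $domain === null ? 'reject: invalid address'
        : (is_disposable($domain, $blocklist) ? 'reject: listed disposable domain' : 'accept and send verification mail');
    echo $input, ' => ', $verdict, PHP_EOL;
}
```

On a real site the array passed to `load_blocklist()` would come from a file read with `file($path, FILE_IGNORE_NEW_LINES)` that a scheduled job keeps up to date.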
4

Most of the suggestions are about verifying emails and using CAPTCHAs which of course you should do, but keep in mind that none of these methods is completely bulletproof.

Email verification

A bot can easily "click" on links in any email. Copying and pasting something would be slightly more annoying for the bot author but not much. Generally email verification is just that - email verification.

You verify if the email is likely to be controlled by whoever tries to register, but of course since email is usually sent in cleartext over untrusted TCP and relies on insecure DNS, then until we're all using DNSSEC and encrypt all traffic it will be easy to sniff emails and spoof servers and clients. The important thing to realize is that using email verification you get only a certain degree of confidence that whoever or whatever you are talking to is really a user of that email address.

Turing test

Answering a question that only a human should know the answer to would be still more annoying but considering that you probably wouldn't have an infinite number of questions, the bot author might redirect unknown questions to a real human and use cached answers if any question repeats more than once. Answering a question like "what is 12+8" like I've seen in some websites lately as a Turing test is completely counterproductive since this question is actually easier for bots than for humans. Probably the most popular Turing test for that are CAPTCHAs but here you also have to realize that they can be fooled.

First of all, people are showing methods of circumventing CAPTCHAs, for example see the Decoding reCAPTCHA talk from DEFCON 18. Many CAPTCHAs are much easier for robots to decipher since they are generated by algorithms that are trivial to reverse. The reCAPTCHA distortions are also pretty simple but the words that they use are real scanned words that were hard for OCRs so in principle it should be much harder for bots, but it is not always the case.

And there is also a possibility to display captchas that you want to guess on other websites and have people answer it for you. Also there is a black market of people actually solving captchas so if your bot author doesn't mind paying something like two cents for a dozen then no matter how hard it is for humans, actual humans will solve it anyway.

Bottom line

The bottom line is that using any of the bot-stopping techniques will always be a compromise of how much would a bot owner (a spammer or anyone else who wants to register a lot of users in your system) be willing to spend time, effort and money to do it, and how much inconvenience for your users are you going to tolerate, because ultimately you will never be able to do any automated test to tell humans and bots apart without actually annoying humans and alienating people with disabilities (has anyone ever tried to guess the audio version of reCAPTCHA?), and still your bots may actually be human-powered, so not really bots but cyborgs, so to speak.

It's an arms race for which your honest users are paying a price. Please keep all of that in mind.

Sunday, December 25, 2022
 
4

You should pass your return path as "-f" parameter for mail() function:

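// The fifth argument is passed to the sendmail binary as extra parameters;
// -f sets the envelope sender, which becomes the Return-Path.
mail(
    $this->recipient,
    $subj,
    $this->body,
    $this->compose_headers(),
    '-f ' . Options::obj()->mail->return_path);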

Also, for the best results, if the sending server has a public domain name example.com, the return path should be something@example.com.

Anyway, you should definitely check the logs (/var/log/mail*) to know exactly what's going on.

Tuesday, October 4, 2022
 
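3

// match() returns null when nothing matches, so fall back to an empty array.
const myEmailList = userInput.match(/[a-zA-Z0-9_.]+@[a-zA-Z0-9_.]+\.(com|org|whatever)/g) || [];
const myEmailListString = myEmailList.join(', ');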

Or just do the first line if you're wanting an array of the email addresses.

Thursday, August 18, 2022
 
4

As recommended by CommonsWare you should use conditional class loading to support both models. Anyway, a quick and dirty solution is:

private static final String CONTACT_METHODS_PROJECTION[] = new String[] {
        Contacts.ContactMethods._ID,
        Contacts.ContactMethods.DATA
    };

private static final int ID_COLUMN_INDEX = 0;


@Override 
protected Cursor getChildrenCursor(Cursor groupCursor) { 
    // Given the group, we return a cursor for all the children within that group

    return managedQuery(Contacts.ContactMethods.CONTENT_URI, CONTACT_METHODS_PROJECTION,
            ContactMethods.PERSON_ID + "= ? AND " + ContactMethods.KIND + " = " + Contacts.KIND_EMAIL,
            new String[] { Long.toString(groupCursor.getLong(ID_COLUMN_INDEX)) },
            null); 
}

Friday, October 28, 2022
 
j_eremy
 