Alternative way for verifying user email address upon registration - php

Right now my site sends auto-generated emails with a verification link to visitors who register on my website.
Because I am on shared hosting, all those emails end up in Gmail's spam folder.
Is there any other method to verify user's email address besides automatically sending them a verification link?
This is not "How to make sure email is not marked as spam" type of question. I'm looking for alternative to sending emails for email verification (if there is any).

If you need to use email addresses as user-ids, there is no alternative.
SMTP still allows VRFY and EXPN commands, but few servers accept them, and they're not reliable even then.
If the user has an email certificate, you can ask her to sign something, so that you know she has the private key, and then accept the certified email address, but who has personal certificates nowadays?
If you can claim a symbolic payment using PayPal, you're gonna get the payer's email address as a bonus, but can you afford to lose non-PayPal users?
Of course, you can use OpenID, but do you still need an email address once the user is validated?
A related question is Why do you want to use email addresses if you cannot send email messages? A possibility is to mark a user as email-not-verified until a message can be sent properly, from a reputable domain, at a later time.

Another way would be to use code verification (a shortcode), which can be sent to their phone (the way Google does it).
Note that it is just an optional way of verification.

Related

MS Exchange - login as one user and send from another with TLS

I'm working with a system which is set up to send all emails with PHPMailer through an info@company.com account. This is fine, and we use it to send emails from employees, e.g. dave@company.com, mike@company.com etc. However, I cannot use TLS with this. When I turn on TLS it rejects the email because the sending address is not the same as the account address, fair enough.
So I'm wondering about the best way around this. The best I can come up with so far is:
Make a MySQL table of every employee's username/password, and use this to connect to the relevant employee account and send email through that. This would be a nightmare though, e.g. when users change their password I'd have to update this every time. There is no method I know of for retrieving passwords from Exchange through PowerShell or anything.
Any better solutions? Thanks.
Whether your mail server allows this is up to the mail server, not you. You can work around it by using your own from address, but putting the target user's address as the reply-to address. That way your login will allow sending, you won't be forging from addresses, and replies will still go to them.

Username/Email Spam List?

I am after a username and email spam list. When a user tries to register I want to check if the username or email they entered is on the username/email spam list and if so mark the account as suspected spam and manually verify membership.
The backend behind it is not my problem, I am just wondering if anyone knows of such spam list(s) that I can import into a MySQL database so I can implement it into my signup script?
I know there is Akismet, but I believe this is aimed more at a comments form, for example, plus I don't particularly want to send data to a third party to verify if something is potentially spam.
Your problem is not spam accounts. Spam email accounts which are used to send out spam are unlikely to be used to sign up for a service.
What you want to use is a Captcha service (such as reCAPTCHA - http://www.google.com/recaptcha/captcha) which will help reduce the chance a bot is attempting to sign up for your site. This is not foolproof, and there are many alternative methods (such as hidden ID fields and custom headers), but it is a start.
Then you want to use an email verification sign-up system, which requires the user to actually check their email and click on a verification link, to confirm the email address is real. Otherwise you'll just have people sign up with "Fake@fake.com" and your system won't actually know they are fake...
Take a look at DNSBL. It's a service that does what you want. (Not sure if you can download their database or if you have to query them every time you want to know if it's an address known for spamming.)

How to validate if the E-Mail Address is existing in YMail, Gmail, etc.?

How do I validate an existing e-mail address?
In a registration system, when a user enters an email address, it checks whether the email address exists or not in Ymail/Gmail.
I already have a running domain (for practice).
You have my regards.
Most registration systems validate an email address by sending an email to it with a uniquely encoded URL in it and requiring the user to go get that email and click on the link. When your server sees that the link has been clicked on, the email address is known to be accessed by you.
Here's a basic flowchart for how it works:
User goes to your website
User commences registration and fills in their email address
Server checks to see if email address is in a legal and proper form and is not already registered
If the rest of the user's registration looks good and the email address looks legal, the server creates an account in your system and puts it in the "unverified" state.
Then, a code is generated that corresponds to that specific user. That code is put onto a URL and that URL is put into an email which is sent to the email address the user entered.
The user receives the email with instructions to click on the enclosed link.
User retrieves email and clicks on the link.
Your server receives web request from that link. It parses out the code from the URL and checks to see if that code matches an account that is in the "unverified" state. If so, and the account has not expired from too much time elapsing since the email was sent, then the account is put into the "verified" state and is ready for use.
The basic idea of this system is that if you can retrieve an email sent to that email address then the email address must be a valid and working email address and you, the user, must be able to access that email address (it's not just some random email address you made up).
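
The flow described in the answer above, as an added PHP example that is not part of the original answers: registration creates an "unverified" account with an unguessable code, and the link handler accepts the code only once and only before it expires. The class name VerificationStore, the in-memory array standing in for a database table, the 24-hour default lifetime and the example.test host are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical in-memory store for this example; a real site would use a database table.
final class VerificationStore
{
    private array $accounts = [];

    // Validate the address, create an "unverified" account, return the URL to email.
    public function register(string $email, int $now, int $ttl = 86400): string
    {
        $key = strtolower(trim($email)); // simplification: addresses compared case-insensitively
        if (filter_var($key, FILTER_VALIDATE_EMAIL) === false) {
            throw new InvalidArgumentException('malformed email address');
        }
        if (isset($this->accounts[$key])) {
            throw new RuntimeException('address already registered');
        }
        $code = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, not guessable
        $this->accounts[$key] = [
            'state'     => 'unverified',
            'code_hash' => hash('sha256', $code), // keep only a hash of the code at rest
            'expires'   => $now + $ttl,
        ];
        // example.test is a placeholder host (assumption)
        return 'https://example.test/verify.php?' . http_build_query(['email' => $key, 'code' => $code]);
    }

    // Handle the clicked link: the code must match an unexpired, still-unverified account.
    public function verify(string $email, string $code, int $now): bool
    {
        $key  = strtolower(trim($email));
        $acct = $this->accounts[$key] ?? null;
        if ($acct === null || $acct['state'] !== 'unverified' || $now > $acct['expires']) {
            return false;
        }
        if (!hash_equals($acct['code_hash'], hash('sha256', $code))) {
            return false; // constant-time comparison did not match
        }
        $this->accounts[$key]['state'] = 'verified'; // a replayed link now fails the state check
        return true;
    }
}

// Constructed sample run: register, then follow the emailed link twice.
$store = new VerificationStore();
$url = $store->register('alice@example.test', time());
parse_str((string) parse_url($url, PHP_URL_QUERY), $q);
var_dump($store->verify($q['email'], $q['code'], time())); // the emailed link
var_dump($store->verify($q['email'], $q['code'], time())); // the same link replayed
```

Sending the returned URL is left to the site's existing mail code.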
Back in the day, you could easily validate email addresses. Then the spammers came along. Now the only way you can confirm the existence of an email address is by trying to send something to it and checking for bounces. And even then, the lack of a bounce doesn't mean it exists - it could simply have been silently deleted, ignored, spam filtered into oblivion, etc...
Basically, what you want is not possible - any such system would simply help spammers hammer your box with more Russian brides popping penis pills while wearing fake Rolexes.
SMTP provides VRFY and EXPN verbs to check if an account or mailing list exists. However, most server admins disable these verbs from their mail configuration to prevent hackers from exploiting user lists. Gmail and Yahoo are said to have VRFY disabled.
Another option you can try for these servers is emailing the user with a link to confirm their email address. Granted, it is not as sexy as realtime email verification, but it is more secure for all parties.
It is practically not possible to validate an email address, given the growing amount of spam.
These days people send a mail to the email address entered by the user to complete the registration or activate the account. You can probably do that, and it is a much safer way to do it. You can find a number of resources online to implement this functionality.

What is the most universal method for e-mail verification without user interaction involved?

It's widely known that probably the best method to achieve that is the SMTP transaction with the MX server during which we're "emulating" sending the mail (HELO, MAIL FROM, RCPT TO - 250 response to RCPT TO = e-mail is OK).
It works well, however many servers (e.g. Hotmail, MSN) blacklist the hosts which communicate like that (starting a transaction without sending the e-mail).
Is there any better method to verify that e-mail exists - without user interaction and, if possible - without sending a message?
Unfortunately, anything that helps legitimate apps determine if an email account is real and active is exploitable by spammers that are looking for live accounts.
Your best bet (presuming a user is signing up on your site) is to send them an email with a link (or code) that they click on (or type in) to "verify" this is a real account.
Note: Even doing this, only "guarantees" the account was active. It doesn't ensure that it wasn't a temporary service (e.g. mailinator or other disposable email address). ;-)

Checking for a valid and in-use email address in PHP

I'm not sure if this is exactly possible, but figured I'd throw it out there.
I have a client that is getting some hate-mail from somebody he knows via a contact form on a website that I developed for him. Currently I do the normal checks for a validly-formatted email address, along with a Captcha, but the client has requested that a user enter his/her own email address in the form.
Now I realize that something like this could be easily spoofed by setting up a fake Yahoo account, etc, but the client's thinking is that this person is not quite that computer-literate.
Is there any possibility for checking if an email address is valid and in-use?
The only other thing I can think of is turning his contact form into a mailto: link.
The only way to confirm an email address is in use is to send an email to it with a unique token, and have them pass the token back to you (usually by clicking a link). This is typically how mailing list signups work.
There are theoretical ways to tell in the SMTP protocol, but many (or maybe even most) servers don't respect those due to problems with spammers abusing them.
Although it may not work, I find Akismet ( http://akismet.com/ ) fairly good at blocking spam and unwanted emails in forms and comments.
If that fails and the problem is only one individual, you can blacklist by IP, or even by browser fingerprint ( http://www.h-online.com/security/news/item/EFF-demonstrates-a-browser-s-finger-print-918786.html ). Ultimately it is impossible to stop someone though if they are dedicated.
Why not just not send this email if the message contains some commonly used abuse word or comes from the abuser's IP address?
