I'm creating a newsletter subscription app. I want to implement email verification to prevent spam/bot signups (well, at least so I can delete them afterwards). I've been struggling with a confirmation key but thought of a simpler solution:
User clicks submit -> is entered into the database (verified = 0)
User receives generic email ("Click me to verify") -> Verified page (verified = 1)
Would this work? Are there any potential issues which might come up?
If your problem is Spam Bots, you should use CAPTCHA: http://www.google.com/recaptcha
This will help you against most of them.
Your solution is good if you want to prevent random users from using the site; the problem that it solves is that the user must put some effort into it.
Also, if you want to save some bandwidth, you can really go into email checking: http://www.serviceobjects.com/blog/hot-topics/email-validation-whitepaper/
Hope it helps
If you keep CAPTCHA protection, it will reduce bot attacks many times over. And the solution you chose is totally fine.
That seems like a fine solution. Then test to make sure the user is verified before sending.
Yes, this is a good email verification solution, but it won't solve the problem of spambots signing up.
Your solution is good, but you will send email before validation. That's not always good. If I want to abuse your system, I can just submit lots of nonexistent addresses to your registration form, and you will be blocked by the main email services. To prevent it you can do email verification before sending email: at least you can check that MX records exist, or you can integrate with an external email validation API. Anyway, you should check the email address before sending to avoid bounces.
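A worked version of the flow the question describes (verified = 0 on submit, verified = 1 when the link is clicked), written here as an added example; it is not code from any post on this page. It assumes an SQLite table of my own design named `subscribers` and a confirmation URL that carries the token in a query parameter, both of which are assumptions. It also gates outgoing mail on the flag, which addresses the point made above about not mailing addresses that were never confirmed, and it stores only a hash of the token so that a leaked table cannot be replayed as confirmation links.

```python
import hashlib
import secrets
import sqlite3
import time

# Assumed schema for this example (not from the original posts).
SCHEMA = """
CREATE TABLE subscribers (
    email      TEXT PRIMARY KEY,
    verified   INTEGER NOT NULL DEFAULT 0,
    token_hash TEXT,
    expires_at INTEGER
);
"""

TOKEN_TTL_SECONDS = 24 * 3600   # a confirmation link is only honoured for a day


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def _hash(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def register(conn, email, now=None):
    """Store the address with verified = 0 and return the one-time token to
    put in the "Click me to verify" link. Only the token's hash is stored, so
    reading the table does not yield a working link. Returns None when the
    address is already verified, so a repeat submission cannot downgrade it."""
    now = time.time() if now is None else now
    email = email.strip().lower()
    row = conn.execute("SELECT verified FROM subscribers WHERE email = ?", (email,)).fetchone()
    if row is not None and row[0] == 1:
        return None
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG; not guessable
    conn.execute(
        "INSERT OR REPLACE INTO subscribers (email, verified, token_hash, expires_at) "
        "VALUES (?, 0, ?, ?)",
        (email, _hash(token), int(now + TOKEN_TTL_SECONDS)),
    )
    conn.commit()
    return token


def verify(conn, token, now=None):
    """Handler for the verification page: look the token up by its hash, reject
    unknown, expired or already-used tokens, and set verified = 1 exactly once."""
    now = time.time() if now is None else now
    row = conn.execute(
        "SELECT email, expires_at FROM subscribers WHERE token_hash = ? AND verified = 0",
        (_hash(token),),
    ).fetchone()
    if row is None or row[1] < now:
        return False
    # Clearing the stored hash makes the token single-use.
    conn.execute(
        "UPDATE subscribers SET verified = 1, token_hash = NULL, expires_at = NULL WHERE email = ?",
        (row[0],),
    )
    conn.commit()
    return True


def can_send_to(conn, email):
    """Every mail-out checks this first, so unverified (possibly fake) addresses
    never enter the outgoing queue."""
    row = conn.execute(
        "SELECT verified FROM subscribers WHERE email = ?", (email.strip().lower(),)
    ).fetchone()
    return row is not None and row[0] == 1


if __name__ == "__main__":
    db = open_db()
    t = register(db, "Alice@Example.com")
    print("link: https://newsletter.example/verify?t=" + t)   # hypothetical URL
    print("before click:", can_send_to(db, "alice@example.com"))
    print("click:", verify(db, t))
    print("after click:", can_send_to(db, "alice@example.com"))
    print("second click:", verify(db, t))
```

The verification page should do nothing but call `verify` with the query parameter; since the lookup is by hash, the page never compares the raw token against stored values, and an expired or reused link simply returns False.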
Related
I have a website where I send out surveys to people who want to take these surveys. They gave me their email address, so they do want to take the survey.
The problem is, our server had malicious code injected into a contact form and that resulted in a blacklisting problems. The blacklisting seems to be resolved, but now I'm trying to do everything I can to help make my emails look cleaner and not spammy. I'm using PHPMailer to send with SMTP authentication.
One important tip I've come across is to include an unsubscribe link. But these people aren't actually "subscribed." They will only be emailed to do a survey one time. So I was wondering if I put a link that leads them to a page explaining why they received the survey (basically remind them they gave me their email) and just name it unsubscribe.php? Then I will name the link "click here to unsubscribe." Would that be sufficient?
You can't just send people random stuff because you got their email address. You need to have explicit consent to send them things for a specific purpose, and what's more, you need to be able to prove that they gave that consent. Such a record of consent effectively is a subscription, so an address obtained legitimately would never raise this question.
If they did give you their address willingly, but you have no record or evidence, it's legally indistinguishable from you having harvested it from a random web page.
To put it another way - if you don't have this provable consent, you can't legally send them anything.
I am after a username and email spam list. When a user tries to register I want to check if the username or email they entered is on the username/email spam list and if so mark the account as suspected spam and manually verify membership.
The backend behind it is not my problem, I am just wondering if anyone knows of such spam list(s) that I can import into a MySQL database so I can implement it into my signup script?
I know there is Akismet but believe this is more towards a comments form for example, plus I don't particularly want to send data to a third party to verify if something is potentially spam.
Your problem is not spam accounts. Spam email accounts which are used to send out spam are unlikely to be used to sign up for a service.
What you want to use is a Captcha service (such as reCAPTCHA - http://www.google.com/recaptcha/captcha) which will help reduce the chance a bot is attempting to sign up for your site. This is not foolproof, there are many alternative methods (such as hidden ID fields and custom headers) - but it is a start.
Then you want to use an email verification sign up system - which requires the user to actually check their email and click on a verification link, to confirm the email address is real. Otherwise you'll just have people sign up with "Fake#fake.com" and your system won't actually know they are fake...
Take a look at DNSBL. It's a service that does what you want. (Not sure if you can download their database or you have to query them every time you want to know if it's an address known for spamming.)
I'm not sure if this is exactly possible, but figured I'd throw it out there.
I have a client that is getting some hate-mail from somebody he knows via a contact form on a website that I developed for him. Currently I do the normal checks for a validly-formatted email address, along with a Captcha, but the client has requested that a user enter his/her own email address in the form.
Now I realize that something like this could be easily spoofed by setting up a fake Yahoo account, etc, but the client's thinking is that this person is not quite that computer-literate.
Is there any possibility for checking if an email address is valid and in-use?
The only other thing I can think of is turning his contact form into a mailto: link.
The only way to confirm an email address is in use is to send an email to it with a unique token, and have them pass the token back to you (usually by clicking a link). This is typically how mailing list signups work.
There are theoretical ways to tell in the SMTP protocol, but many (or maybe even most) servers don't respect those due to problems with spammers abusing them.
Although it may not work, I find Akismet ( http://akismet.com/ ) fairly good at blocking spam and unwanted emails in forms and comments.
If that fails and the problem is only one individual you can blacklist by IP, or even by browser fingerprint ( http://www.h-online.com/security/news/item/EFF-demonstrates-a-browser-s-finger-print-918786.html ). Ultimately it is impossible to stop someone though if they are dedicated.
Why not just not send this email if the message contains some commonly used abuse word or the abuser's IP address?
I have a site where users register for an account. I have an internal communication system that sends them an email when they get a private message. I don't force people to confirm their email, so naturally, many enter a fake address.
When they get a PM, it tries to send them an email, but obviously fails, so it keeps retrying and retrying. After a few weeks, the retry queue gets quite big, and it affects server performance (I also don't want to get blacklisted for all these attempts).
What can I do to solve this issue (other than force people to confirm their email upon registration)?
If you don't want to force people to confirm their email because if something goes wrong, they can't access their login straight away, why not do something like this:
If they haven't confirmed their E-Mail, don't send PMs, but show them when they are logged in instead. Remind them to confirm their E-Mail.
If they have confirmed their E-mail, send them out.
But anyway, your scenario sounds like a server misconfiguration. Why would a mail server keep re-sending mails that it got a "not deliverable" message for? As far as I know, re-sending mails only occurs when the receiving host was not reachable for technical reasons.
You really should just require confirmation.
Short of that, you can deactivate users whose emails have bounced a certain number of times, and require a new email at next login.
It will be hard without verifying, but you can at least verify the domain it's coming from:
Option 1: Use getmxrr to search for MX records on their hostname
Option 2: Use checkdnsrr to check their DNS info
But all these really do is check the validity of the domain, and whether it's running a mailserver. To get real authentication, a confirmation is the best way. You could also implement a tool to send out a test email and see if it bounces back. But this method may not always work as expected, because of variations: on some servers it's instant, on others it can be a day later before an undeliverable message is returned.
I hope this helps.
Consider having a checkbox so that people can opt out of email notifications. If they do not enter a valid email address, it is surely because they do not want to receive emails in the first place, so let them tell you.
Additionally, you may consider having an opt-in system, where people will not receive email notifications in the first place and have to enable them somewhere in their account settings, providing an email address at that moment. This way, the number of fake email addresses will be reduced to near zero.
Is there any way to check if an email is active without sending it an email? (Meaning that it does not get returned.)
If I have 20,000 emails in my email list, and I do decide to send all of them an email, how can I automatically cross out the email addresses that got returned?
Sending an email and requesting the user click some sort of activation link is the best way to determine if the email address is valid and being used by someone. If you just want to see if the email is valid, whether or not it's registered or active, use a Regex.
As for crossing them out, where are the emails stored? If it's in a database, just set an activation key and a flag saying whether the link has been visited or not.
No.
Depends on how you are sending them. (Please provide more details)
There used to be a way to query a mail server if an email address is valid. However, since spammers used that facility for ill purposes, almost no mail servers will support that method anymore.
All you can hope to do is a DNS lookup on the email domain to see if the domain is valid.
These days, you can't know if the email address is valid. The domain is about as far as you'll get and you can do a reverse lookup on that to see if that is valid. But it won't tell you about the user.
What you need is something to process the bounces from your mail-out and write some sort of script to perhaps update the list. There are many tools under Linux for this type of purpose such as procmail. There's a port of that for Windows I think.
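To make two of the suggestions on this page concrete (deactivating addresses whose mail has bounced a certain number of times, and processing bounces with a script as this answer suggests), here is an added example; it is not code from any post here. It parses a bounce in the standard multipart/report format with Python's stdlib email package, reads the per-recipient Status code out of the message/delivery-status part, treats 5.x.x as permanent (drop the address at once) and 4.x.x as transient (count it, drop after a limit), and updates an in-memory suppression dict. The bounce message builder and the limit of three are constructed for the example; a real setup would feed the function the messages arriving at the Return-Path address, for instance via procmail as mentioned above.

```python
import email
import re

SOFT_BOUNCE_LIMIT = 3   # constructed threshold; tune to your retry policy


def classify(status):
    """RFC 3463 enhanced status: 5.x.x is permanent, 4.x.x is transient."""
    if status.startswith("5."):
        return "hard"
    if status.startswith("4."):
        return "soft"
    return "unknown"


def _status_blocks(part):
    """Return the header blocks of a message/delivery-status part as dicts with
    lower-cased keys. The stdlib parser turns the blocks into sub-messages; a
    plain string payload is parsed by hand as a fallback."""
    payload = part.get_payload()
    if isinstance(payload, list):
        return [{k.lower(): v for k, v in blk.items()} for blk in payload]
    blocks = []
    for chunk in re.split(r"\n\s*\n", str(payload).strip()):
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip().lower()] = value.strip()
        if fields:
            blocks.append(fields)
    return blocks


def process_bounce(raw_message, suppression):
    """Update `suppression` (email -> {"active": bool, "soft_bounces": int})
    from one bounce message. Returns (recipient, status, kind, active) tuples
    so the caller can log what was decided."""
    msg = email.message_from_string(raw_message)
    decisions = []
    if msg.get_content_type() != "multipart/report":
        return decisions            # not a DSN; leave the list untouched
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        for blk in _status_blocks(part):
            # "delayed" notices are informational; only "failed" changes the list
            if blk.get("action", "").strip().lower() != "failed":
                continue
            rcpt = blk.get("final-recipient", "").split(";")[-1].strip().lower()
            status = blk.get("status", "").strip()
            if not rcpt:
                continue
            kind = classify(status)
            entry = suppression.setdefault(rcpt, {"active": True, "soft_bounces": 0})
            if kind == "hard":
                entry["active"] = False
            elif kind == "soft":
                entry["soft_bounces"] += 1
                if entry["soft_bounces"] >= SOFT_BOUNCE_LIMIT:
                    entry["active"] = False
            decisions.append((rcpt, status, kind, entry["active"]))
    return decisions


def bounce_message(recipient, status, diagnostic):
    """Build a constructed RFC 3464 bounce for demonstration; real ones come
    from the receiving MTA."""
    return (
        "From: MAILER-DAEMON@mx.example.org\n"
        "To: bounces@newsletter.example\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="B1"\n'
        "\n--B1\nContent-Type: text/plain\n\n"
        "This is the mail system at host mx.example.org. Delivery failed.\n"
        "\n--B1\nContent-Type: message/delivery-status\n\n"
        "Reporting-MTA: dns; mx.example.org\n\n"
        f"Final-Recipient: rfc822; {recipient}\n"
        "Action: failed\n"
        f"Status: {status}\n"
        f"Diagnostic-Code: smtp; {diagnostic}\n"
        "\n--B1--\n"
    )


if __name__ == "__main__":
    state = {}
    print(process_bounce(bounce_message("nobody@example.org", "5.1.1", "550 5.1.1 User unknown"), state))
    for _ in range(SOFT_BOUNCE_LIMIT):
        print(process_bounce(bounce_message("full@example.org", "4.2.2", "452 4.2.2 Mailbox full"), state))
    print(state)
```

The sending side then skips any address whose entry is not active, which is what keeps the retry queue from growing and the sending host off blacklists; the distinction between 4.x.x and 5.x.x is also the answer to the question above about why a server would keep retrying, since only transient codes justify another attempt.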
No
You need mailing list management software. Lyris Listmanager is a paid one that has automatic bounce handling and removes users from your list. There are several free ones that do the same thing: ezmlm, mailman, majordomo and many others. You probably don't want to just send all those emails without a piece of MLM software to manage it. You will probably get blacklisted from servers. You need things like unsubscribe handling or you won't be sending emails for long.
Heh. If you could find out a way, the answer would be worth billions to spammers.
The best answer here is: No.