I am after a username and email spam list. When a user tries to register I want to check if the username or email they entered is on the username/email spam list and if so mark the account as suspected spam and manually verify membership.
The backend behind it is not my problem, I am just wondering if anyone knows of such spam list(s) that I can import into a MySQL database so I can implement it into my signup script?
I know there is Akismet but believe this is more towards a comments form for example, plus I don't particularly want to send data to a third party to verify if something is potentially spam.
Your problem is not spam accounts. Spam email accounts which are used to send out spam are unlikely to be used to sign up for a service.
What you want to use is a Captcha service (such as reCAPTCHA - http://www.google.com/recaptcha/captcha) which will help reduce the chance a bot is attempting to sign up for your site. This is not foolproof, there are many alternative methods (such as hidden ID fields and custom headers) - but it is a start.
Then you want to use an email verification sign up system - which requires the user to actually check their email and click on a verification link, to confirm the email address is real. Otherwise you'll just have people sign up with "Fake#fake.com" and your system won't actually know they are fake...
Take a look at DNSBL. It's a service that does what you want. (Not sure if you can download their database or you have to query them every time you want to know if it's an address known for spamming.)
I'm creating a newsletter subscription app. I want to implement email verification to prevent spam/bot signups (well, at least so I can delete them afterwards). I've been struggling with a confirmation key but thought of a simpler solution:
User clicks submit -> is inputted into database (verified = 0)
User receives generic email ("Click me to verify") -> Verified page (verified = 1)
Would this work? Are there any potential issues which might come up?
If your problem is Spam Bots, you should use CAPTCHA: http://www.google.com/recaptcha
This will help you against most of them.
Your solution is good if you want to prevent random users from using the site; the problem it solves is that the user must put some effort into it.
Also, if you want to save some bandwidth, you can really go into email checking: http://www.serviceobjects.com/blog/hot-topics/email-validation-whitepaper/
Hope it helps
You keep captcha protection, it will reduce the bot attacks by many times. And the solution you chose is totally fine.
That seems like a fine solution. Then test to make sure the user is verified before sending.
Yes, this is a good email verification solution, but it won't solve the problem of spambots signing up.
Your solution is good, but you will send email before validation. It's not always good. If I want to abuse your system, I can just submit lots of nonexistent emails to your registration form, and you will be blocked from the main email services. To prevent it, you can do email verification before sending email; at least you can check that MX records exist, or you can integrate with an external email validation API. Anyway, you should check the email address before sending to avoid bounces.
How do I validate an existing e-mail address?
In a registration system, when a user enters an email address, it checks whether the email address exists or not in Ymail/Gmail.
I already have a running domain (for practice).
You have my regards.
Most registration systems validate an email address by sending an email to it with a uniquely encoded URL in it and requiring the user to go get that email and click on the link. When your server sees that the link has been clicked on, the email address is known to be accessed by you.
Here's a basic flowchart for how it works:
User goes to your website
User commences registration and fills in their email address
Server checks to see if email address is in a legal and proper form and is not already registered
If the rest of the user's registration looks good and the email address looks legal, the server creates an account in your system and puts it in the "unverified" state.
Then, a code is generated that corresponds to that specific user. That code is put onto a URL and that URL is put into an email which is sent to the email address the user entered.
The user receives the email with instructions to click on the enclosed link.
User retrieves email and clicks on the link.
Your server receives web request from that link. It parses out the code from the URL and checks to see if that code matches an account that is in the "unverified" state. If so, and the account has not expired from too much time elapsing since the email was sent, then the account is put into the "verified" state and is ready for use.
The basic idea of this system is that if you can retrieve an email sent to that email address then the email address must be a valid and working email address and you, the user, must be able to access that email address (it's not just some random email address you made up).
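The flow described in this answer, as an added example that is not part of the original post. The `Registry` class, its in-memory account store, the 24-hour expiry and the `verification_url` helper are assumptions made for illustration; sending the email is left out.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600  # assumed expiry window; the answer does not give one

class Registry:
    """In-memory stand-in for the accounts table (hypothetical schema)."""

    def __init__(self):
        self.accounts = {}  # email -> {"state", "token_hash", "sent_at"}

    def register(self, email, now=None):
        """Create an unverified account and return the one-time code for the link."""
        now = time.time() if now is None else now
        email = email.strip().lower()
        if "@" not in email or email in self.accounts:
            raise ValueError("malformed or already registered address")
        token = secrets.token_urlsafe(32)  # unguessable, per-account code
        self.accounts[email] = {
            "state": "unverified",
            # store only a hash so a database leak does not reveal live codes
            "token_hash": hashlib.sha256(token.encode()).hexdigest(),
            "sent_at": now,
        }
        return token

    def verify(self, token, now=None):
        """Return the verified email, or None if the code is unknown, used or expired."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        for email, acct in self.accounts.items():
            if acct["state"] != "unverified":
                continue
            if not hmac.compare_digest(acct["token_hash"], digest):
                continue
            if now - acct["sent_at"] > TOKEN_TTL_SECONDS:
                return None  # expired: account stays unverified
            acct["state"] = "verified"
            acct["token_hash"] = None  # single use
            return email
        return None

def verification_url(base, token):
    """Build the link placed in the email; `base` is a hypothetical endpoint."""
    return f"{base}?code={token}"
```
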
Back in the day, you could easily validate email addresses. Then the spammers came along. Now the only way you can confirm the existence of an email address is by trying to send something to it and checking for bounces. And even then, the lack of a bounce doesn't mean it exists - it could simply have been silently deleted, ignored, spam filtered into oblivion, etc...
Basically, what you want is not possible - any such system would simply help spammers hammer your box with more Russian brides popping penis pills while wearing fake Rolexes.
SMTP provides VRFY and EXPN verbs to check if an account or mailing list exists. However, most server admins disable these verbs from their mail configuration to prevent hackers from exploiting user lists. Gmail and Yahoo are said to have VRFY disabled.
Another option you can try for these servers is emailing the user with a link to confirm their email address. Granted, it is not as sexy as realtime email verification, but it is more secure for all parties.
It is practically not possible to validate an email address with the growing amount of spam.
These days people send a mail to the email address entered by the user to complete the registration or activate the account. You can probably do that, and it is a much safer way to do it. You can find a number of resources online to implement this functionality.
I'm not sure if this is exactly possible, but figured I'd throw it out there.
I have a client that is getting some hate-mail from somebody he knows via a contact form on a website that I developed for him. Currently I do the normal checks for a validly-formatted email address, along with a Captcha, but the client has requested that a user enter his/her own email address in the form.
Now I realize that something like this could be easily spoofed by setting up a fake Yahoo account, etc, but the client's thinking is that this person is not quite that computer-literate.
Is there any possibility for checking if an email address is valid and in-use?
The only other thing I can think of is turning his contact form into a mailto: link.
The only way to confirm an email address is in use is to send an email to it with a unique token, and have them pass the token back to you (usually by clicking a link). This is typically how mailing list signups work.
There are theoretical ways to tell in the SMTP protocol, but many (or maybe even most) servers don't respect those due to problems with spammers abusing them.
Although it may not work, I find Akismet ( http://akismet.com/ ) fairly good at blocking spam and unwanted emails in forms and comments.
If that fails and the problem is only one individual you can blacklist by IP, or even by browser fingerprint ( http://www.h-online.com/security/news/item/EFF-demonstrates-a-browser-s-finger-print-918786.html ). Ultimately it is impossible to stop someone though if they are dedicated.
Why not just not send this email if the message contains some commonly used abuse word or the abuser's IP address?
Is there any way to check if an email is active without sending it an email? (Meaning that it does not get returned.)
If I have 20,000 emails in my email list, and I do decide to send all of them an email, how can I automatically cross out the email addresses that got returned?
Sending an email and requesting the user click some sort of activation link is the best way to determine if the email address is valid, and being used by someone. If you just want to see if the email is valid whether or not it's registered or active, use a Regex.
As for crossing them out, where are the emails stored? If it's in a database, just set an activation key and a flag saying whether the link has been visited or not.
No.
Depends on how you are sending them. (Please provide more details)
There used to be a way to query a mail server if an email address is valid. However, since spammers used that facility for ill purposes, almost no mail servers will support that method anymore.
All you can hope to do is a DNS lookup on the email domain to see if the domain is valid.
These days, you can't know if the email address is valid. The domain is about as far as you'll get and you can do a reverse lookup on that to see if that is valid. But it won't tell you about the user.
What you need is something to process the bounces from your mail out and write some sort of script to perhaps update the list. There are many tools under Linux for this type of purpose such as procmail. There's a port of that for Windows, I think.
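One way to script the bounce processing this answer describes, as an added example that is not part of the original post. It assumes bounces arrive as RFC 3464 delivery-status reports; the sample message, addresses and function names are constructed for illustration.

```python
import email

# Constructed sample bounce in RFC 3464 delivery-status format (not real mail).
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.example.net
To: bounces@list.example.org
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="BOUND"

--BOUND
Content-Type: text/plain

Delivery to one or more recipients failed.

--BOUND
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; gone@example.com
Action: failed
Status: 5.1.1

Final-Recipient: rfc822; busy@example.com
Action: delayed
Status: 4.2.2

--BOUND--
"""

def failed_recipients(raw):
    """Return {address: status} for permanent (5.x.x) failures in one bounce."""
    failed = {}
    for part in email.message_from_string(raw).walk():
        if part.get_content_type() != "message/delivery-status" or not part.is_multipart():
            continue
        for block in part.get_payload():  # one header block per recipient
            status = block.get("Status", "").strip()
            if block.get("Action", "").strip().lower() == "failed" and status.startswith("5"):
                addr = block.get("Final-Recipient", "").split(";", 1)[-1].strip().lower()
                failed[addr] = status
    return failed

def prune(addresses, raw_bounce):
    """Drop permanently failing addresses; temporary (4.x.x) delays are kept."""
    dead = failed_recipients(raw_bounce)
    return [a for a in addresses if a.lower() not in dead]
```
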
No
You need mailing list management software. Lyris Listmanager is a paid one that has automatic bounce handling and removes users from your list. There are several free ones that do the same thing: ezmlm, mailman, majordomo and many others. You probably don't want to just send all those emails without a piece of MLM software to manage it. You will probably get blacklisted from servers. You need things like unsubscribe handling or you won't be sending emails for long.
Heh. If you could find out a way, the answer would be worth billions to spammers.
The best answer here is: No.
I need to build a little webapp but I'm not sure what is the best thing to do.
A person who subscribes to the petition is signing an email sent to X. This will also be saved to a db in order to show online who subscribed.
The idea is to have a standard text message; the user submits his name and that name goes into the message as the signature.
I could make PHP send the email with the address of the real sender, or let the user copy and paste the text and send the email on his own.
I'm not sure what the best way to implement it is. What will be more "effective"? I mean, as for the number of subscribers, the solution where the app sends the email is easier, but what about the authenticity of the emails? Could they be considered not valid if they are all sent from the same place?
Regardless of the whole thing being a "good" idea or not, you want to keep yourself safe. If you spoof the from field, chances are most of your email (especially for domains with SPF records) will not make it through the first level of spam filtering.
An SPF (Sender Policy Framework) record lists the only IPs that are allowed to send mails for a domain. If a domain has an SPF record and you poll it, you're supposed to treat anything that didn't originate from a listed server as hazardous waste.
Depending on where you're sending these emails, you'll probably end up with your mail server on one or multiple blacklists. That means any email, SPF or not, just won't get accepted.
So in short:
Get people to send their own email. Provide templates.
Consider utilizing the full specs for <a href="mailto:... -- you can put the subject and body in the link, allowing templates to be a one-click affair.
You could use JavaScript on your site to personalise the message (and therefore mailto: link) while still on your site.
Let me get this straight - so you want to add to the flood of armchair activism email that is already saturating the world to no good purpose, and you're asking how best to do it? I would read the following before going any further with this:
http://www.breakthechain.org/armchair.html