gmail.com spam users with multiple dots in email username

allingeneral.com
Registered User
Posts: 77
Joined: Wed Apr 11, 2007 12:16 pm

Post by allingeneral.com »

First a little background, then a workaround that I want to share.

Gmail.com ignores dots/periods (.) in email usernames, so that the following email addresses are all equivalent:

[email protected]
[email protected]
[email protected]

Spammers use this technique to utilize the same actual email address to register multiple times on my forums. I can't block all of the offending IP addresses, nor can I block all possible permutations of email addresses.

So, after a considerable amount of searching, I have determined a way to prevent users from registering with multiple dots in their emails.

I don't care much about being "RFC Compliant" with regard to email address validation, and I don't care to discuss how this filter could result in real email addresses being denied access to my boards. I have made a couple of comments in the code which address these issues. What I am interested in is blocking gmail.com email addresses with more than three dots in them and allowing "normal" email addresses (as determined by me :)

I hope someone finds this useful.

in file includes/ucp/ucp_register.php

Find:

Code:

                                if ($data['email'] != $data['email_confirm'])
                                {
                                        $error[] = $user->lang['NEW_EMAIL_ERROR'];
                                }
Add After:

Code:

                                // Email address validation for gmail.com addresses
                                if( preg_match( '/@gmail\.com$/', $data['email'] ))
                                {
                                        $addrLen = strlen($data['email']);
                                        $dotCount = substr_count($data['email'],".");
                                        // Is the email address longer than 17 characters and contain more than 3 dots?
                                        // 17 is really just an arbitrary number - set it to whatever you think best
                                        // 3 dots includes all dots in the address
                                        // Setting to three dots would disallow the use of possible real emails such as [email protected]
                                        if ($addrLen>17 && $dotCount>3)
                                        {
                                                $error[] = 'This email address is not allowed';
                                        }
                                }
KevC
Support Team Member
Posts: 72339
Joined: Fri Jun 04, 2004 10:44 am
Location: Oxford, UK

Re: gmail.com spam users with multiple dots in email usernam

Post by KevC »

As the address in your profile isn't working, what other antispam measures are running on your registration page?
-:|:- Support Request Template -:|:-
"Step up to red alert. Sir, are you absolutely sure? It does mean changing the bulb"
allingeneral.com
Registered User
Posts: 77
Joined: Wed Apr 11, 2007 12:16 pm

Re: gmail.com spam users with multiple dots in email usernam

Post by allingeneral.com »

I'm using the built-in captcha and also a required custom profile field "Add the following numbers: 12 and seven"
KevC
Support Team Member
Posts: 72339
Joined: Fri Jun 04, 2004 10:44 am
Location: Oxford, UK

Re: gmail.com spam users with multiple dots in email usernam

Post by KevC »

GD Captcha was beaten 2 years ago.

You need to use Q&A with something you can't search the answer for. Then you'll stop those accounts registering anyway and won't need an extra lump of code.
Pony99CA
Registered User
Posts: 4783
Joined: Thu Sep 30, 2004 3:13 pm
Location: Hollister, CA
Name: Steve

Re: gmail.com spam users with multiple dots in email usernam

Post by Pony99CA »

Besides using Q&A, couldn't you just ban *.*.*.*.*@gmail.com? That wouldn't require a code change.

Steve
Last edited by Pony99CA on Fri Jan 04, 2013 9:41 pm, edited 1 time in total.
Silicon Valley Pocket PC (http://www.svpocketpc.com)
Creator of manage_bots and spoof_user (ask me)
Need hosting for a small forum with full cPanel & MySQL access? Contact me or PM me.
allingeneral.com
Registered User
Posts: 77
Joined: Wed Apr 11, 2007 12:16 pm

Re: gmail.com spam users with multiple dots in email usernam

Post by allingeneral.com »

Pony99CA wrote:Besides using Q&A, couldn't you just ban *.*.*.*@gmail.com? That wouldn't require a code change.

Steve
I thought about that, but I was afraid that *.*.* would equate to banning all gmail.com addresses, depending upon how phpbb handles dots in that frame of reference (didn't check the code in that area)
Pony99CA
Registered User
Posts: 4783
Joined: Thu Sep 30, 2004 3:13 pm
Location: Hollister, CA
Name: Steve

Re: gmail.com spam users with multiple dots in email usernam

Post by Pony99CA »

allingeneral.com wrote:
Pony99CA wrote:Besides using Q&A, couldn't you just ban *.*.*.*.*@gmail.com? That wouldn't require a code change.
I thought about that, but I was afraid that *.*.* would equate to banning all gmail.com addresses, depending upon how phpbb handles dots in that frame of reference (didn't check the code in that area)
So it was easier to develop and test code than to set that ban up, get a GMail account (worst case if you didn't already have one) and try registering with it with a few periods thrown in? :?

The only real difference that your code has from the ban (presuming the ban works) is that there's no minimum length on GMail address lengths. However, given that your code fails with E-mail addresses 18 characters or longer with at least four periods, that only requires four other characters to trigger the ban. For example, your code would allow [email protected] but the ban wouldn't.

Steve
allingeneral.com
Registered User
Posts: 77
Joined: Wed Apr 11, 2007 12:16 pm

Re: gmail.com spam users with multiple dots in email usernam

Post by allingeneral.com »

Pony99CA wrote:
allingeneral.com wrote:
Pony99CA wrote:Besides using Q&A, couldn't you just ban *.*.*.*.*@gmail.com? That wouldn't require a code change.
I thought about that, but I was afraid that *.*.* would equate to banning all gmail.com addresses, depending upon how phpbb handles dots in that frame of reference (didn't check the code in that area)
So it was easier to develop and test code than to set that ban up, get a GMail account (worst case if you didn't already have one) and try registering with it with a few periods thrown in? :?

The only real difference that your code has from the ban (presuming the ban works) is that there's no minimum length on GMail address lengths. However, given that your code fails with E-mail addresses 18 characters or longer with at least four periods, that only requires four other characters to trigger the ban. For example, your code would allow [email protected] but the ban wouldn't.

Steve
You make a couple of good points. In my searches for a solution, I noticed that a lot of people were having the same gmail.com spam problem that I was, so I figured a bit of helpful code couldn't hurt.

I'll take a look at the effectiveness of banning *.*.*.*@gmail.com.
allingeneral.com
Registered User
Posts: 77
Joined: Wed Apr 11, 2007 12:16 pm

Re: gmail.com spam users with multiple dots in email usernam

Post by allingeneral.com »

hmmm... so it appears that a ban of *.*.*@gmail.com is effective. *shrug*
Dog Cow
Registered User
Posts: 2507
Joined: Fri Jan 28, 2005 12:14 am

Re: gmail.com spam users with multiple dots in email usernam

Post by Dog Cow »

allingeneral.com wrote:First a little background, then a workaround that I want to share.

Code:

                                // Email address validation for gmail.com addresses
                                if( preg_match( '/@gmail\.com$/', $data['email'] ))
Avoid using preg_match (or any of the preg_ family functions) if you're not using a pattern. They use up more CPU time. Use stripos or strpos instead.
wGEric
Former Team Member
Posts: 8805
Joined: Sun Oct 13, 2002 3:01 am
Location: Friday
Name: Eric Faerber

Re: gmail.com spam users with multiple dots in email usernam

Post by wGEric »

If you are going to write code then wouldn't it be better to strip all periods from the username portion of gmail addresses and then proceed with the registration process? That way it will fail the duplicate email check since none of the gmail addresses have periods and people will get an error message that actually provides information on how to correct the issue. Also it allows people to enter in multiple periods if that is what they like to do. Many people probably don't know that gmail ignores periods.
Eric
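
The normalisation suggested in the post above, as an added example (not part of the thread and not phpBB code): dotted variants of one Gmail mailbox are reduced to a single canonical form before the duplicate check, and the first post's dot-count heuristic is run beside it for comparison. The function names and sample addresses are constructed for illustration; the handling of "+tag" suffixes and of googlemail.com goes beyond what the thread discusses.

```php
<?php
// Added example: canonicalise Gmail addresses so that dotted variants of
// one mailbox compare equal. All names here are hypothetical.

function canonical_email(string $email): string
{
    $email = strtolower(trim($email));
    $at = strrpos($email, '@');
    if ($at === false) {
        return $email; // not an address; leave it to the normal validator
    }
    $local  = substr($email, 0, $at);
    $domain = substr($email, $at + 1);

    if ($domain === 'gmail.com' || $domain === 'googlemail.com') {
        // Beyond the thread: Gmail also ignores a "+tag" suffix and
        // delivers googlemail.com to the same mailbox.
        $plus = strpos($local, '+');
        if ($plus !== false) {
            $local = substr($local, 0, $plus);
        }
        $local  = str_replace('.', '', $local); // dots are not significant
        $domain = 'gmail.com';
    }
    return $local . '@' . $domain;
}

// The first post's heuristic, reproduced for comparison.
function dot_heuristic_blocks(string $email): bool
{
    return preg_match('/@gmail\.com$/', $email) === 1
        && strlen($email) > 17
        && substr_count($email, '.') > 3;
}

// Constructed sample data: canonical forms of addresses already registered.
$registered = [canonical_email('constructedsample@gmail.com') => true];

// Constructed sign-up attempts.
$attempts = ['constructed.sample@gmail.com', 'c.o.n.structedsample@gmail.com',
             'constructed.sample+x@googlemail.com', 'some.one@example.com'];

foreach ($attempts as $email) {
    $canon = canonical_email($email);
    printf("%-36s canonical=%-28s duplicate=%-3s heuristic_blocks=%s\n",
        $email, $canon, isset($registered[$canon]) ? 'yes' : 'no',
        dot_heuristic_blocks($email) ? 'yes' : 'no');
}
```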
Pony99CA
Registered User
Posts: 4783
Joined: Thu Sep 30, 2004 3:13 pm
Location: Hollister, CA
Name: Steve

Re: gmail.com spam users with multiple dots in email usernam

Post by Pony99CA »

wGEric wrote:If you are going to write code then wouldn't it be better to strip all periods from the username portion of gmail addresses and then proceed with the registration process? That way it will fail the duplicate email check since none of the gmail addresses have periods and people will get an error message that actually provides information on how to correct the issue. Also it allows people to enter in multiple periods if that is what they like to do.
That has some problems.

First, that only catches spam registrations after the first one.

Second, it only works if you keep the first spam account around (instead of deleting it).

Third, the admin may be running with the setting to allow duplicate E-mail addresses.
wGEric wrote:Many people probably don't know that gmail ignores periods.
I certainly didn't; I presumed the spammers registered new GMail accounts with periods thrown in randomly to avoid colliding with existing GMail accounts.

Is ignoring periods like that allowed by the E-mail standard?

Steve
Ger
Registered User
Posts: 2108
Joined: Wed Jan 02, 2008 7:35 pm
Location: 192.168.1.100

Re: gmail.com spam users with multiple dots in email usernam

Post by Ger »

Well, I use a gmail address that has periods in it, simply because I find that easier to read (myname.project@gmail, others have theirname.project@gmail). It may be ignored by gmail, but this is what we communicate and therefore what we'd use while registering at a forum. Until reading this, I've never heard of gmail ignoring those periods...
My extensions:
Simple CMS, Feed post bot, Avatar Resize, Modbreak, Magic OGP, Live topic update, Modern Quote, Quoted Where (GDPR) and Autoresponder.
Newest: FAQ manager for 3.2

Like my work? Buy me a coffee to keep it coming. :ugeek:

-Don't PM me for support-
Sajaki
Registered User
Posts: 1390
Joined: Mon Mar 02, 2009 1:41 pm
Location: Amsterdam

Re: gmail.com spam users with multiple dots in email usernam

Post by Sajaki »

Pony99CA wrote:Is ignoring periods like that allowed by the E-mail standard?
Steve
RFC 5322 doesn't address that issue; it just says that the dot is allowed as part of the email address. But whether an address with a dot and one without a dot point to the same mailbox is the responsibility of the email provider.
http://en.wikipedia.org/wiki/Email_address wrote:Local part

The local-part of the email address may use any of these ASCII characters RFC 5322 Section 3.2.3, RFC 6531 permits Unicode beyond the ASCII range:

Uppercase and lowercase English letters (a–z, A–Z) (ASCII: 65–90, 97–122)
Digits 0 to 9 (ASCII: 48–57)
Characters !#$%&'*+-/=?^_`{|}~ (ASCII: 33, 35–39, 42, 43, 45, 47, 61, 63, 94–96, 123–126)
Character . (dot, period, full stop) (ASCII: 46) provided that it is not the first or last character, and provided also that it does not appear two or more times consecutively (e.g. [email protected] is not allowed.).
Special characters are allowed with restrictions. They are:
Space and "(),:;<>@[\] (ASCII: 32, 34, 40, 41, 44, 58, 59, 60, 62, 64, 91–93)

The restrictions for special characters are that they must only be used when contained between quotation marks, and that 2 of them (the backslash \ and quotation mark " (ASCII: 32, 92, 34)) must also be preceded by a backslash \ (e.g. "\\\"").

Comments are allowed with parentheses at either end of the local part; e.g. "john.smith(comment)@example.com" and "(comment)[email protected]" are both equivalent to "[email protected]".
International characters above U+007F are permitted by RFC 6531, though mail systems may restrict which characters to use when assigning local parts.

A quoted string may exist as a dot separated entity within the local-part, or it may exist when the outermost quotes are the outermost characters of the local-part (e.g. abc."defghi".[email protected] or "abcdefghixyz"@example.com are allowed. Conversely, abc"defghi"[email protected] is not; neither is abc\"def\"[email protected]). Quoted strings and characters however, are not commonly used. RFC 5321 also warns that "a host that expects to receive mail SHOULD avoid defining mailboxes where the Local-part requires (or uses) the Quoted-string form".

The local-part "postmaster" is treated specially – it is case-insensitive, and should be forwarded to the server's administrator. Technically all other local-parts are case sensitive, therefore [email protected] and [email protected] specify different mailboxes; however, many organizations treat uppercase and lowercase letters as equivalent.

Most organizations do not allow use of the technically valid characters space, ? and ^. Organizations are free to restrict the forms of their own email addresses as desired, e.g., Windows Live Hotmail, for example, only allows creation of email addresses using alphanumerics, dot (.), underscore (_) and hyphen (-).[3]

Systems that send mail must be capable of handling outgoing mail for all valid addresses. Contrary to the relevant standards, some defective systems treat certain legitimate addresses as invalid and fail to handle mail to these addresses. Hotmail, for example, refuses to send mail to any address containing any of the following standards-permissible characters: !#$%*/?^`{|}~
Hayden Hill
Registered User
Posts: 49
Joined: Fri Aug 16, 2013 12:17 am

Re: gmail.com spam users with multiple dots in email usernam

Post by Hayden Hill »

So, is it safe to ban the e-mail "*.*@gmail.com"? The ban reason could tell the user to simply remove the periods.