Stop the Use of Disposable Email Addresses in WordPress

By Agbonghama Collins

Spammers are everywhere. They use automated software that crawls the web in search of websites (such as WordPress sites), with the aim of registering hundreds or thousands of accounts and submitting spam comments.

On one of my WordPress powered sites, I discovered over 50 newly registered spam accounts, all created with disposable email addresses. To prevent a re-occurrence, I had to create a plugin that prevented the registration of accounts with disposable email addresses.

In this tutorial, we’ll learn the meaning of disposable email addresses, how they work and finally, how they can be stopped in a PHP application – albeit with focus on WordPress.

Introduction to Disposable Email Addresses

DEA, an acronym for Disposable Email Address (sometimes referred to as throw-away, temporary email or self-destructive email), is a service that allows a registered user to receive email at a temporary address that expires after a certain time period lapses. Simply put, they are email accounts created to accomplish a short-term goal.

Examples of disposable email providers include: mailinator.com, YOPmail.com, trashmail.com, and many more.

The Good

The original intent behind disposable email addresses is to protect oneself from untrusted websites, typically to avoid spam.

The Bad and the Ugly

Wikipedia has a great explanation of why disposable emails are – should I say bad or ugly?

Many forum and wiki administrators dislike DEAs because they obfuscate the identity of the members and make maintaining member control difficult. As an example, trolls, vandals and other users that may have been banned may use throwaway email addresses to get around the ban. Using a DEA provider only makes this easier; the same convenience with which a person may create a DEA to filter spam also applies to trolls. As a result, forum, wiki administrators, blog owners, and indeed any public site requiring user names may have a compelling reason to ban DEAs.

Because spammers can use disposable emails to perpetrate their evil activities, we really need to give serious thought to how we can stop DEAs.

Detecting Disposable Email Addresses

There is no algorithm (to the best of my knowledge) for detecting if an email is disposable or not.

To detect a disposable email address:
– Firstly, you will have to create and maintain a list/database of disposable email domains.
– Check if the domain part of the email (e.g. in “hi@trashmail.com”, “trashmail.com” is the domain part) is in the database.

Below is a PHP function that accepts an email address as an argument and returns true if it is disposable or false otherwise.

<?php

/**
 * Check if an email is disposable or not.
 * 
 * @param $email string email to check
 *
 * @return bool
 */
function detect_disposable_email( $email ) {

	$disposable_list = array(
		'drdrb.net',
		'upliftnow.com',
		'uplipht.com',
		'venompen.com',
		'veryrealemail.com',
		'viditag.com',
		'viewcastmedia.com',
		'viewcastmedia.net',
		'viewcastmedia.org',
		'gustr.com',
		'webm4il.in',
		'wegwerfadresse.de',
		'wegwerfemail.de',
		'wetrainbayarea.com',
		'wetrainbayarea.org',
		'wh4f.org',
		'whyspam.me',
		'willselfdestruct.com',
		'winemaven.in',
		'wronghead.com',
		'wuzup.net',
		'wuzupmail.net',
		'www.e4ward.com',
		'www.gishpuppy.com',
		'www.mailinator.com',
		'wwwnew.eu',
		'xagloo.com',
		'xemaps.com',
		'xents.com',
		'xmaily.com',
		'xoxy.net',
		'yep.it',
		'yogamaven.com',
		'yopmail.fr',
		'yopmail.net',
		'ypmail.webarnak.fr.eu.org',
		'yuurok.com',
		'zehnminutenmail.de',
		'zippymail.in',
		'zoaxe.com',
		'zoemail.org',
		'inboxalias.com',
		'koszmail.pl',
		'tagyourself.com',
		'whatpaas.com',
		'emeil.in',
		'azmeil.tk',
		'mailfa.tk',
		'inbax.tk',
		'emeil.ir',
		'crazymailing.com',
		'mailimate.com'
	);

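	// Extract the domain name from the email. The explode() result is assigned
	// to a variable first because array_pop() takes its argument by reference.
	$parts  = explode( '@', $email );
	$domain = strtolower( trim( array_pop( $parts ) ) );

	// Strict comparison avoids loose type juggling inside in_array().
	return in_array( $domain, $disposable_list, true );

}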
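
An added example (not from the original article): the same domain-part check, normalised for case and a trailing dot and extended to cover subdomains of a listed domain, with the list held as array keys so each lookup is a hash lookup rather than a scan. The function name is hypothetical, and the three list entries are sample values taken from the article.

```php
<?php
/**
 * Added example: normalised, suffix-aware lookup against a local blocklist.
 *
 * @param string $email  address to check
 * @param array  $listed map of lower-case domain => true, built once by the caller
 * @return bool true when the domain, or one of its parent domains, is listed
 */
function example_is_listed_domain( $email, array $listed ) {
	$at = strrpos( $email, '@' );
	if ( false === $at ) {
		return false; // no domain part to check
	}

	// Normalise: lower-case, no surrounding whitespace, no trailing root dot.
	$domain = rtrim( strtolower( trim( (string) substr( $email, $at + 1 ) ) ), '.' );
	if ( '' === $domain ) {
		return false;
	}

	// Test the full domain, then each parent, stopping before the bare TLD:
	// a.b.example.com, b.example.com, example.com.
	$labels = explode( '.', $domain );
	while ( count( $labels ) >= 2 ) {
		if ( isset( $listed[ implode( '.', $labels ) ] ) ) {
			return true;
		}
		array_shift( $labels );
	}

	return false;
}

// Constructed sample data: build the map once, then reuse it for every check.
$listed  = array_fill_keys( array( 'mailinator.com', 'trashmail.com', 'yopmail.net' ), true );
$samples = array( 'hi@trashmail.com', 'Hi@TrashMail.COM', 'hi@mx.mailinator.com', 'hi@example.org' );

foreach ( $samples as $email ) {
	printf( "%-22s %s\n", $email, example_is_listed_domain( $email, $listed ) ? 'disposable' : 'ok' );
}
```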


The number of disposable email providers is increasing by the day, which makes it difficult to keep our list of DEA domains up to date.

A number of services keep an updated list of disposable email domains and also expose an API for detecting them, such as NameAPI and block-disposable-email.com. We’ll use the latter to code a plugin that blocks users trying to create a WordPress account with a disposable email address.

Stopping Disposable Email Registration in WordPress

As previously mentioned, we will use block-disposable-email.com. Before we delve into the plugin development, register an account at the site with a non-disposable email (of course) to grab a free API key.

Note: the free account comes with a limitation of up to 200 requests per month. To increase the quota, see the pricing page.

With that said, let’s begin the plugin development.

First off, include the plugin header.

<?php

/*
Plugin Name: Stop Disposable Email Sign-ups
Plugin URI: http://sitepoint.com
Description: Stop users from registering a WordPress account with disposable emails.
Version: 1.0
Author: Agbonghama Collins
Author URI: http://w3guy.com
License: GPL2
*/

Create a PHP class with a property that will store the API key.

class Stop_Disposable_Email {

	/** @type string API key */
	static private $api_key = 'd619f9ad24052ad785d1edf65bbd33b4';

The class constructor consists of a filter that hooks a method (stop_disposable_email_signups) to registration_errors to validate the email address and ensure it isn’t disposable.

public function __construct() {
		add_filter( 'registration_errors', array( $this, 'stop_disposable_email_signups' ), 10, 3 );
	}

Next, we add a helper method, is_email_disposable(), that sends a GET request to the block-disposable-email.com API via wp_remote_get (part of the WordPress HTTP API) to check the status of the email – that is, whether it is disposable or not.

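/**
	 * Check if an email is disposable or not.
	 *
	 * @param $email string email to check
	 *
	 * @return bool true if disposable or false otherwise.
	 */
	public static function is_email_disposable( $email ) {

		// get the domain part of the email address
		// e.g in hi@trashmail.com, "trashmail.com" is the domain part
		// (explode() is assigned first because array_pop() takes a reference)
		$parts  = explode( '@', $email );
		$domain = strtolower( trim( array_pop( $parts ) ) );

		// rawurlencode() keeps user-supplied characters from altering the request path
		$endpoint = 'http://check.block-disposable-email.com/easyapi/json/' . self::$api_key . '/' . rawurlencode( $domain );

		$request = wp_remote_get( $endpoint );

		// the request itself failed: treat the email as not disposable
		if ( is_wp_error( $request ) ) {
			return false;
		}

		$response_body = wp_remote_retrieve_body( $request );

		$response_in_object = json_decode( $response_body );

		// unreadable response, or the API did not report success
		if ( ! is_object( $response_in_object )
			|| ! isset( $response_in_object->request_status, $response_in_object->domain_status )
			|| 'success' !== $response_in_object->request_status ) {
			return false;
		}

		// 'block' means disposable; 'ok' (or anything else) does not
		return 'block' === $response_in_object->domain_status;

	}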

Here is the code for stop_disposable_email_signups() that will stop users of disposable email addresses from creating an account.

/**
	 * Stop disposable email from creating an account
	 *
	 * @param $errors WP_Error Registration generated error object
	 * @param $sanitized_user_login string sign-up username
	 * @param $user_email string sign-up email
	 *
	 * @return mixed
	 */
	public function stop_disposable_email_signups( $errors, $sanitized_user_login, $user_email ) {

		if ( self::is_email_disposable( $user_email ) ) {

			$errors->add( 'disposable_email', '<strong>ERROR</strong>: Email is disposable, please try another one.' );
		}

		return $errors;

	}

Finally, we close the plugin class.

} // Stop_Disposable_Email
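
An added example, not part of the original plugin: every registration attempt spends one request from the free tier's 200 per month, so caching the verdict per domain in a WordPress transient keeps repeated sign-ups from the same domain from using up the quota. It assumes the code runs inside WordPress with the Stop_Disposable_Email class above loaded; the function name, transient prefix and cache lifetimes are hypothetical.

```php
<?php
/**
 * Added example: cache the API verdict per domain.
 *
 * @param string $email sign-up email
 * @return bool true if the domain is (or was recently) reported as disposable
 */
function example_cached_is_disposable( $email ) {
	$parts  = explode( '@', $email );
	$domain = strtolower( trim( array_pop( $parts ) ) );

	// Key on a hash of the domain so the transient name has a fixed, safe length.
	$key    = 'example_dea_' . md5( $domain );
	$cached = get_transient( $key );

	// get_transient() returns false on a miss, so verdicts are stored as strings.
	if ( 'block' === $cached ) {
		return true;
	}
	if ( 'ok' === $cached ) {
		return false;
	}

	// Cache miss: this is the only path that spends an API request.
	$is_disposable = (bool) Stop_Disposable_Email::is_email_disposable( $email );

	if ( $is_disposable ) {
		// A positive verdict is unlikely to change soon; keep it for a week.
		set_transient( $key, 'block', WEEK_IN_SECONDS );
	} else {
		// A negative result can also mean the lookup failed, so keep it
		// only briefly and let a later sign-up ask the API again.
		set_transient( $key, 'ok', HOUR_IN_SECONDS );
	}

	return $is_disposable;
}
```

To use it, call example_cached_is_disposable() from stop_disposable_email_signups() in place of the direct self::is_email_disposable() call.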

Suggestions for Plugin Improvement

I created a class property and manually added my block-disposable-email.com API key to it. Ideally, a settings page for the plugin should have been created with a form field that will save the key to the database for reuse by the plugin.

Let’s make this an assignment for you. Here is one way you might do it.

  • Create a settings page for the plugin with an input field that will save the key to the database, here is a great guide.
  • Retrieve the API key from the database with get_option function and use that instead.
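
One way to carry out the two steps above, as an added example that is not the plugin's own code: a settings page built with the WordPress Settings API that stores the key in the options table, restricted to administrators. The option name, page slug and function names are hypothetical, and the sanitiser assumes the key contains only letters and digits.

```php
<?php
// Added example. All example_* names and the 'example-sde' slug are hypothetical.
define( 'EXAMPLE_SDE_OPTION', 'example_sde_api_key' );

add_action( 'admin_init', 'example_sde_register_setting' );
function example_sde_register_setting() {
	register_setting( 'example_sde_group', EXAMPLE_SDE_OPTION, array(
		'type'              => 'string',
		'sanitize_callback' => 'example_sde_sanitize_key',
		'default'           => '',
	) );
	add_settings_section( 'example_sde_main', 'API access', '__return_false', 'example-sde' );
	add_settings_field( 'example_sde_key', 'API key', 'example_sde_render_field', 'example-sde', 'example_sde_main' );
}

// Assumption: keys are alphanumeric. Anything else is dropped before saving,
// so the stored value is safe to place in the request URL.
function example_sde_sanitize_key( $value ) {
	return preg_replace( '/[^A-Za-z0-9]/', '', (string) $value );
}

function example_sde_render_field() {
	printf(
		'<input type="password" name="%s" value="%s" class="regular-text" autocomplete="off" />',
		esc_attr( EXAMPLE_SDE_OPTION ),
		esc_attr( get_option( EXAMPLE_SDE_OPTION, '' ) )
	);
}

add_action( 'admin_menu', 'example_sde_add_page' );
function example_sde_add_page() {
	// The manage_options capability limits the page to administrators.
	add_options_page( 'Stop Disposable Email', 'Stop Disposable Email', 'manage_options', 'example-sde', 'example_sde_render_page' );
}

function example_sde_render_page() {
	echo '<div class="wrap"><h1>Stop Disposable Email</h1><form method="post" action="options.php">';
	settings_fields( 'example_sde_group' ); // prints the nonce and option-group fields
	do_settings_sections( 'example-sde' );
	submit_button();
	echo '</form></div>';
}

// In is_email_disposable(), read the saved key instead of the hard-coded property:
// $api_key = get_option( EXAMPLE_SDE_OPTION, '' );
```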

Summary

In this article, we learned what DEAs are, how they work, and the good, the bad and the ugly of disposable email address systems. We learned how DEAs can be stopped, and finally created a plugin that stops users from registering an account with a disposable email address on a WordPress powered site.

The plugin is available on GitHub in case you want to use it on your site or further extend it.

If you have any questions or contributions, please let us know in the comments.

Comments
Tatsh

This solution is okay. The only problem is the size of that array of bad domains could grow quickly. So of course searching that array is O(n), generally. Not a big deal now at its current size.

There is also SpamHaus which you can use directly as a DNS server to check records of the offending domain.

Another option might be to block based on TLD, for example if you do not trust any .biz domains (most people do not).

I have also used Mollom for a very long time to stop spammers posting. https://mollom.com/

collizo4sky

It is for the same "array size problem" I decided to use a third-party service.

Mollom seems to be a great spam catcher. I'll check it out later.

Thanks for your contribution.

weareknights

I use disposable e-mail addresses for the same reason: spammers. Most of the time websites demanding an account sign-up or e-mail before you can proceed don't actually need it for any reason other than adding you to an e-mail list (without your permission) or selling your personal information to a 3rd-party (again, without your permission.)

Personally, I don't see much value for the user from articles like this. There are other solutions for preventing spammers without putting yourself against the user. I'd also encourage you to consider whether you really need that e-mail at all. E-mail addresses you collect from your users without demand have much more value anyway.

Stomme_poes

I used to use BugMeNot regularly, and keep a few "throwaway" email addresses for the reason mentioned by weareknights.

I also use throwaways for testing other people's systems. I'm going to shortly be testing a ticketing service and a story-uploader-- no way am I going to use my real info for some site's accessibility testing.

However, I think the majority of throwaway emails encountered by WP admins are spammers rather than spam-avoiders. I can see this being useful as one tool among the arsenal they should be using.

Tatsh

Since about maybe 4 years ago, I have never had a problem with spam and I register for a lot of websites now that I use a password management tool which auto-generates a password and auto-fills the forms (although Chrome is quite good at this too now). Every e-mail I get that I do not like has almost consistently had an Unsubscribe button, even a recent one from Brewster I got today (had no idea what Brewster was).

Beyond that, with the amount of email I receive in multiple accounts, Gmail's spam filter is still the best and even occasionally gets some false positives (which is unfortunate if you are using an IMAP client like on iPhone).

In the worst case, a site has 'spam' email and you cannot unsubscribe (sometimes the only way to unsubscribe is to delete your account from that site). I sometimes bother with Gmail's filters for these.

Sometimes, I use my other email account, the 'spam' one. This has become less and less so.
