Stop the Use of Disposable Email Addresses in WordPress

    Collins Agbonghama
    Share

    Spammers are everywhere, they use automated software that crawls the web in search of websites (such WordPress sites) with the aim of submitting and registering hundreds and thousands of accounts and spam comments.

    On one of my WordPress powered sites, I discovered over 50 newly registered spam accounts, all created with disposable email addresses. To prevent a re-occurrence, I had to create a plugin that prevented the registration of accounts with disposable email addresses.

    Disposable Email Addresses WordPress

    In this tutorial, we’ll learn the meaning of disposable email addresses, how they work and finally, how they can be stopped in a PHP application – albeit with focus on WordPress.

    Introduction to Disposable Email Addresses

    DEA, an acronym for Disposable Email Address (sometimes referred to as throw-away, temporary email or self-destructive email), is a service that allows a registered user to receive email at a temporary address that expires after a certain time period lapses. Simply put, they are email accounts created to accomplish a short-term goal.

    Examples of disposable email providers include: mailinator.com, YOPmail.com, trashmail.com, and many more.

    The Good

    The original intent behind disposable email addresses is to protect oneself from untrusted websites, typically to avoid spam.

    The Bad and the Ugly

    Wikipedia has a great explanation why disposable emails are – should I say bad or ugly?

    Many forum and wiki administrators dislike DEAs because they obfuscate the identity of the members and make maintaining member control difficult. As an example, trolls, vandals and other users that may have been banned may use throwaway email addresses to get around the ban. Using a DEA provider only makes this easier; the same convenience with which a person may create a DEA to filter spam also applies to trolls. As a result, forum, wiki administrators, blog owners, and indeed any public site requiring user names may have a compelling reason to ban DEAs.

    Because spammers can use disposable emails to perpetrate their evil activities, we really need to give serious thought to how we can stop DEAs.

    Detecting Disposable Email Addresses

    There is no algorithm (to the best of my knowledge) for detecting if an email is disposable or not.

    To detect a disposable email address:
    – Firstly, you will have to create and maintain a list/database of disposable email domains.
    – Check if the domain part of the email (e.g. in “hi@trashmail.com”, “trashmail.com” is the domain part) is in the database.

    Below is a PHP function that accepts an email address as an argument and return true if it is disposable or false otherwise.

    <?php
    
    /**
     * Check if an email is disposable or not.
     * 
     * @param $email string email to check
     *
     * @return bool
     */
    function detect_disposable_email( $email ) {
    
    	$disposable_list = array(
    		'drdrb.net',
    		'upliftnow.com',
    		'uplipht.com',
    		'venompen.com',
    		'veryrealemail.com',
    		'viditag.com',
    		'viewcastmedia.com',
    		'viewcastmedia.net',
    		'viewcastmedia.org',
    		'gustr.com',
    		'webm4il.in',
    		'wegwerfadresse.de',
    		'wegwerfemail.de',
    		'wetrainbayarea.com',
    		'wetrainbayarea.org',
    		'wh4f.org',
    		'whyspam.me',
    		'willselfdestruct.com',
    		'winemaven.in',
    		'wronghead.com',
    		'wuzup.net',
    		'wuzupmail.net',
    		'www.e4ward.com',
    		'www.gishpuppy.com',
    		'www.mailinator.com',
    		'wwwnew.eu',
    		'xagloo.com',
    		'xemaps.com',
    		'xents.com',
    		'xmaily.com',
    		'xoxy.net',
    		'yep.it',
    		'yogamaven.com',
    		'yopmail.fr',
    		'yopmail.net',
    		'ypmail.webarnak.fr.eu.org',
    		'yuurok.com',
    		'zehnminutenmail.de',
    		'zippymail.in',
    		'zoaxe.com',
    		'zoemail.org',
    		'inboxalias.com',
    		'koszmail.pl',
    		'tagyourself.com',
    		'whatpaas.com',
    		'emeil.in',
    		'azmeil.tk',
    		'mailfa.tk',
    		'inbax.tk',
    		'emeil.ir',
    		'crazymailing.com',
    		'mailimate.com'
    	);
    
    //extract domain name from email
    	$domain = array_pop( explode( '@', $email ) );
    
    	if ( in_array( $domain, $disposable_list ) ) {
    		return true;
    	} 
    	
    	else {
    		return false;
    	}
    
    }
    
    //extract domain name from email
    	$domain = array_pop( explode( '@', $email ) );
    
    	if ( in_array( $domain, $disposable_list ) ) {
    		return true;
    	} 
    	
    	else {
    		return false;
    	}
    
    }

    The numbers of disposable email providers are increasing by the day, thus making it impossible to easily keep our list of DEAs updated.

    There exist a number of services that keep an updated list of disposable emails and also exposes an API for detecting them, such as NameAPI and block-disposable-email.com. We’ll be using the latter in coding a plugin that will block users trying to create an account with a disposable email in WordPress.

    Stopping Disposable Email Registration in WordPress

    As previously mentioned, we will use block-disposable-email.com. Before we delve into the plugin development, register an account at the site with a non-disposable email (of course) to grab a free API key.

    Note: the free account comes with a limitation of up to 200 requests per month. To increase the quota, see the pricing page.

    With that said, let’s begin the plugin development.

    First off, include the plugin header.

    <?php
    
    /*
    Plugin Name: Stop Disposable Email Sign-ups
    Plugin URI: https://www.sitepoint.com
    Description: Stop users from registering a WordPress account with disposable emails.
    Version: 1.0
    Author: Agbonghama Collins
    Author URI: http://w3guy.com
    License: GPL2
    */

    Create a PHP class with a properties that will store the API key.

    class Stop_Disposable_Email {
    
    	/** @type string API key */
    	static private $api_key = 'd619f9ad24052ad785d1edf65bbd33b4';

    The class constructor method will consist of a filter that hooks a method (stop_disposable_email_signup) to registration_errors to validate the email address and ensure it isn’t disposable.

    public function __construct() {
    		add_filter( 'registration_errors', array( $this, 'stop_disposable_email_signups' ), 10, 3 );
    	}

    Next we use a helper is_email_disposable() method that will send a GET request to the block-disposable-email.com API via wp_remote_get using the WordPress HTTP API to check the status of the email – that is, if it is disposable or not.

    /**
    	 * Check if an email is disposable or not.
    	 *
    	 * @param $email string email to check
    	 *
    	 * @return bool true if disposable or false otherwise.
    	 */
    	public static function is_email_disposable( $email ) {
    
    		// get the domain part of the email address
    		// e.g in hi@trashmail.com, "trashmail.com" is the domain part
    		$domain = array_pop( explode( '@', $email ) );
    
    		$endpoint = 'http://check.block-disposable-email.com/easyapi/json/' . self::$api_key . '/' . $domain;
    
    		$request = wp_remote_get( $endpoint );
    
    		$reponse_body = $body = wp_remote_retrieve_body( $request );
    
    		$response_in_object = json_decode( $reponse_body );
    
    		$domain_status = $response_in_object->domain_status;
    
    		if ( $response_in_object->request_status == 'success' ) {
    
    			if ( $domain_status == 'block' ) {
    				return true;
    			} elseif ( $domain_status == 'ok' ) {
    				return false;
    			}
    
    		}
    
    	}

    Here is the code for stop_disposable_email_signups() that will stop users of disposable email addresses from creating an account.

    /**
    	 * Stop disposable email from creating an account
    	 *
    	 * @param $errors WP_Error Registration generated error object
    	 * @param $sanitized_user_login string sign-up username
    	 * @param $user_email string sign-up email
    	 *
    	 * @return mixed
    	 */
    	public function stop_disposable_email_signups( $errors, $sanitized_user_login, $user_email ) {
    
    		if ( self::is_email_disposable( $user_email ) ) {
    
    			$errors->add( 'disposable_email', '<strong>ERROR</strong>: Email is disposable, please try another one.' );
    		}
    
    		return $errors;
    
    	}

    Finally, we close the plugin class.

    } // Stop_Disposable_Email

    Suggestions for Plugin Improvement

    I created a class property and manually added my block-disposable-email.com API key to it. Ideally, a settings page for the plugin should have been created with a form field that will save the key to the database for reuse by the plugin.

    Let’s make this an assignment for you. This is one way on how you might do this.

    • Create a settings page for the plugin with an input field that will save the key to the database, here is a great guide.
    • Retrieve the API key from the database with get_option function and use that instead.

    Summary

    In this article, we learned the meaning of DEAs, modus-operandi and the good, the bad and the ugly of disposable email address systems. We learned how DEAs can be stopped, and finally created a plugin for stopping users from registering an account with a disposable email address in a WordPress powered site.

    The plugin is available on GitHub in case you want to use it on your site or further extend it.

    If you have any questions or contributions, please let us know in the comments.