Please use a personal email. My email is 'mail' @ 'my actual name'. It does not get more personal than that
But you can't use emails starting with mail@, admin@, support@, info@, main@, etc.
Instead they advised me (3 times) to create a personal email on a service like Yahoo, Outlook, Gmail, Orange, etc
Security professional here. This is legit a good call on their part. It's because those types of addresses won't bounce emails but aren't necessarily in your control; it's very, very easy to spam those petition forms with mail@ for a million real domains without bouncing the emails, making them seem legit.
You own your domain, obviously, so it's really as simple as creating a forwarding/alias address of "changeorg@domain.tld". If creating a forwarding/alias address is that much of a problem for you I suggest that you likely shouldn't be hosting your own email in the first place.
Your laziness isn't a good reason to be upset with a company taking steps to reduce their security overhead significantly
They do though mention "+" and "-" also banned in the username part, which is kinda annoying
Yeah I agree that one seems silly on the surface but for their specific situation I understand why: services like Gmail allow using a + to create faux-labels. So for example foo@gmail, foo+bar@gmail, and foo+baz@gmail all get delivered to the same account. For change.org that's a problem because it allows a single email account to fill out the form many times.
Ideally, they would simply truncate everything after and including those symbols but it's possible other services have different rules (maybe yahoo let's you prepend faux-tags instead of appending them, or something like that) so simply blocking their use altogether could be the more robust solution
Eh, honestly I think blocking plus addressing as a workaround to block people from using multiple identities on the site is very weak argument and ignores completely the reason plus addeesses are being used in the first place, tagging.
And the addition of "-" just tells they don't really know what they're doing, considering it's not only valid but also very common symbol in email addresses
I don't think the reason they're being used is relevant to their problem though. "Think like an attacker" wins the day here: as an attacker, I don't care what it's meant for, only how I can use it to my advantage. If it's something they observed as a problem, I understand why they would want to stop it.
As for "-", yeah, I don't have a particularly good explanation for that one except the assumption that it's something similar to + addressing on a different service.
"-" is the default delimiter in qmail. I administer a system, where both + and - are valid recipient delimiters for historic reasons and we can't really get rid of it.
Believe me, it has caused all kinds of problems, where we have to go deep into the finer differences between aliases and virtual aliases and transport maps in postfix to route mails correctly. Especially since we have a lot of Mailinglists with - as a valid character in them.
So to summarize: the assumption by changeorg is valid, however the execution seems rather flawed.
Good info! Sounds like a nightmare :x
Yeah, I can't say their solution is the most elegant but it certainly makes a kind of sense when their criteria for success is "maximize participation while satisfying 'uniqueness' critics"
The local parts of email addresses are standardized, and there is an RFC handling subadressing as well, see RFC 5233 - it's not like Gmail invented this behavior.
Also, RFC 5321 clearly states (2.3.11) that the local part of an email must only be interpreted by the receiving server, so that part should not be parsed, modified or mangled in any form - the assumptions poor web forms or validation libraries make these days are incredibly annoying and simply not compliant.
So no, non of your suggestions are good, let alone ideal. Ideally, people would simply implement the specs and stop making lazy and false assumptions. In the case you cited, it turns out email validation is simply not the proper tool to limit how often the form can be submitted. Similar websites use e. g. text messages.
Requiring SMS validation is a massive barrier to entry and not a viable option for a service like Change.org that relies on a certain level of participation.
There's literally another comment made at almost the same time as yours complaining blocking the use of + and such is too high a barrier to entry and just the devs being lazy. Meanwhile your suggestion is raise the barrier to entry even higher if you care about uniqueness of submissions
It's a no-win situation for Change.org so they went with something that meets their business needs. Can't really expect much else from them tbh
Security professional here too. Agree that this is reasonable, and making a big deal about it is kinda meh.
Catchall - the new spam bin ;-) It's soooo good to have your own domain for mail...
I have been using catchall on my domain since 2002. I have never told anyone any of my real accounts. When I have to send an email, I just add that account (change@ whatever), send the e-mail and delete the account afterwards, rebanishing the company to my catchall. I’ve had it scripted for ages.
When I do get an unsolicited email from let’s say ShittyCompany Inc, I set up a rule to forward all incoming shittycompany@(mydomain) emails to info@ shittycompany. This way they just spam themselves. Takes 2 seconds to run the script and I never see emails from shittycompany again.
They send a mail asking to confirm my email by clicking a link. I can't see how spam registering with those emails would work
If you own the domain being used, I assume you also host your own email... You can't just make a new address for this and have them all forwarded to your actual email?
"This_is_not_generic" @ "your actual name"
Unless they block that too, I don't think they're trying to force those services on you; they're just popular options and this is an automated response sent by an automated process that only checks the first half of the email and not the domain.
It's pretty common to own a domain but not actually host the email server; doing on-premises email is a security PITA and most providers simply blacklist large swathes of residential and leasable (e.g. VPS) IPs.
Unfortunately, if you get someone else to host your email, they often charge by the account, not by the domain. Setting up a new mailbox is therefore irritatingly expensive.
A catch-all email works well, though, and is free from most of the hosting providers. Downside is you get spam...
Jane@JaneDoe certainly seems more common than mail@JaneDoe.
Create an alias and set forwarding
"why should I change? He's the one who sucks!"
I haven't ever used it, never signed a petition, but isn't change.org only about petitions? I can kinda see their reasoning.. They may even have had their hand forced to do it.
Loads of people who want their way probably signed up with tons of accounts to skew the results. If it's going to work, I guess they need to be able to show that they're legit, out at least that change.org are doing their best to make it that they are.
It's easy to set up one gmail account for example and use it a million times with moving a dot throughout the name or putting a plus sign and anything after the username but before the @ symbol.
They still require you to confirm the email by clicking a link sent to that email, although someone mentioned that this may be an option to the creator of the petition
I do understand the requirement of not using . or + but blocking mail@ info@ seems too extreme to me.
Automailers often have names like that i.e. noreplymail@companyname.com so it may be more about stopping spam or stopping people from using spam email accounts.
Ah, change.org. I remember when they said "you can sign a petition without an account, just a mail validation", immediately followed by "if you don't create an account, the validation link in the mail will not work, fuck you".
Guess they didn't really want people to engage.
That's quite a sensible rule, actually.
Please use a personal email. My email is ‘mail’ @ ‘my actual name’. It does not get more personal than that
It's a legit rule they're enforcing, IMO. Generic email addresses are usually unmonitored mailboxes that don't bounce. Easy to use if you're spamming contact forms and stuff like that.
Instead they advised me (3 times) to create a personal email on a service like Yahoo, Outlook, Gmail, Orange, etc
I think this is more a boilerplate suggestion, to lower the barrier to entry for people. Gotta remember, those of us that host our own email and/or use our own personal domains are definitely in the minority.
lol “security” in this case is probably more like expediency in trying to solve a spam problem
Yes, so they don't become a spam proxy filling up RFC 2142 address names.
Here's the thing, you own the domain, set up what ever email alias you want and send it to your primary.
Maybe we can start a change.org petition to get this resolved.
You really showed change.org, buddy.
As a person who ages ago created and single letter (before the @) email address thinking myself clever and efficient... I'm amazed and distressed how many forms have insisted that my email address is invalid.
This is a feature, not a bug. The rest of us don’t want crap being sent to admin email addresses, so fix your damn email and try again.
Personally I use generated email addresses to most places, but my personal address is @.us
The email i was trying to use was mail@ my actual name and surname.
It is very handy to share and easy for people to remember.
I dont feel that it needs fixing when it is perfect for me and my needs but not for some company that needs to be overly careful
Bro. You can't sign a petition on change.org.
Just move on with your life.
Then I guess for security reasons you won't be signing up.
If your domain is your actual name, then it should be trivial to create an SMTP alias for mail@domain.com that is for yourname@domain.com.
Attach that to your email address and inbound email for either will get to you, but only your primary address will be used for outbound communication.
Another fun one...
Gmail ignores periods in addresses.
So firstnamelastname@gmail.com also gets email for:
firstname.lastname@gmail.com
first.name.last.name@gmail.com
Or any combination...
Wouldn’t it make more sense to alias out each place you submit an email address to, so you can see who sells your contact details or otherwise gets hacked?
Eg: changeorg@yourna.me, netflix@yourna.me etc.?
Set all mails addressed to your domain but to the wrong email to be sent to your primary email. Then sign the petition with "<service_you_are_signing_up_fo>@yourname.com".
Yeah. I didn't have a catch all mail and have set it up now. I was just surprised and 'mildly infuriated' that they would block this
Is it possible to create an alias like fuckchange@domain?
Had something similar happen with indiegala. Had an account with them for years, then one day, could not purchase some games randomly. Hit up their support and got the answer "Oh, the purchase was denied because your account's email address is detected as a temporary email address".... The email address I've been using on that account... for years.... Is temporary.
Home to all things "Mildly Infuriating" Not infuriating, not enraging. Mildly Infuriating. All posts should reflect that.
I want my day mildly ruined, not completely ruined. Please remember to refrain from reposting old content. If you post a post from reddit it is good practice to include a link and credit the OP. I'm not about stealing content!
It's just good to get something in this website for casual viewing whilst refreshing original content is added overtime.
Rules:
1. Be Respectful
Refrain from using harmful language pertaining to a protected characteristic: e.g. race, gender, sexuality, disability or religion.
Refrain from being argumentative when responding or commenting to posts/replies. Personal attacks are not welcome here.
...
2. No Illegal Content
Content that violates the law. Any post/comment found to be in breach of common law will be removed and given to the authorities if required.
That means: -No promoting violence/threats against any individuals
-No CSA content or Revenge Porn
-No sharing private/personal information (Doxxing)
...
3. No Spam
Posting the same post, no matter the intent is against the rules.
-If you have posted content, please refrain from re-posting said content within this community.
-Do not spam posts with intent to harass, annoy, bully, advertise, scam or harm this community.
-No posting Scams/Advertisements/Phishing Links/IP Grabbers
-No Bots, Bots will be banned from the community.
...
4. No Porn/Explicit
Content
-Do not post explicit content. Lemmy.World is not the instance for NSFW content.
-Do not post Gore or Shock Content.
...
5. No Enciting Harassment,
Brigading, Doxxing or Witch Hunts
-Do not Brigade other Communities
-No calls to action against other communities/users within Lemmy or outside of Lemmy.
-No Witch Hunts against users/communities.
-No content that harasses members within or outside of the community.
...
6. NSFW should be behind NSFW tags.
-Content that is NSFW should be behind NSFW tags.
-Content that might be distressing should be kept behind NSFW tags.
...
7. Content should match the theme of this community.
-Content should be Mildly infuriating.
-At this time we permit content that is infuriating until an infuriating community is made available.
...
8. Reposting of Reddit content is permitted, try to credit the OC.
-Please consider crediting the OC when reposting content. A name of the user or a link to the original post is sufficient.
...
...
Also check out:
Partnered Communities:
Reach out to LillianVS for inclusion on the sidebar.
All communities included on the sidebar are to be made in compliance with the instance rules.