Protecting Your PHP Web App From Disposable Email Users

Disposable email addresses, also known as throw-away or temporary emails, are addresses created just to accomplish a short-term goal. With the high rate of spam, internet users have resorted to using disposable emails instead of their regular email. Examples of disposable email providers include mailinator.com, Burnthespam.com, YOPmail.com, spamgourmet.com, etc.

How Disposable Email Addresses Work

Most disposable email addresses work in one of these three ways:
1. Just like your regular email address (sending and receiving mail)
2. Acting as an email forwarder
3. Receiving incoming mail only

Why are Disposable Emails Harmful?

Nowadays, disposable emails are being used by spammers to carry out their unscrupulous activities.
Take, for example, an internet user who signs up to a website with a disposable email, say [email protected]. As usual, a confirmation email is sent. He clicks on the confirmation link, is registered and can now make use of the site. Now that his goal has been achieved, the disposable email is either deleted or left dormant.

If you are serious about making your web app credible, you should stop fake users using disposable email from accessing your site as you won't be able to build relationships and send important newsletters to them.

If your website is built with PHP, I’m going to explain how to stop spammers using disposable email addresses via the DEA filter or the Block Disposable Email Addresses RESTful API.

  • Using DEA filter

    Head over to DEA filter, download the script and register to obtain an API key, then unzip and extract the archive to your web server.
    The script comes with a wonderful demo with both JavaScript and PHP validation. I prefer the PHP validation, as users with JavaScript turned off can get around the JavaScript check.
    I am going to extend it later in this article, but first let's take a look at how it works.

    How It Works

    First, the deaFilterClient.php file, which contains the cURL and JSON code that communicates with DEA-filter, is included using PHP's include_once statement.

    <?php include_once "deaFilterClient.php";?>

    Next we create an HTML form with an input field for email with "name" attribute equal to "email".

    
    <form action="" method="post">
    <input type="text" name="email"/>
    <input type="submit" value="check"/>
    </form>
    

    Finally, the PHP code to check if the email entered is a disposable email or not.

    <?php
    // check if the email submitted is disposable, with the API key as second parameter
    // (skip the check until the form has actually been submitted)
    if (isset($_REQUEST["email"])) {
        if (checkDEAfilter($_REQUEST["email"], "5a8047b40e57750726618b8146066ef6"))
        {
          echo "valid!";
        }
        else
        {
          echo "not valid!";
        }
    }
    ?>
     

    Now that we have explained the basics of setting up DEA-filter to stop users using disposable email, the next step is to extend it a bit so that it is suitable for a live website.

    What to Expect

    We are going to create an HTML form with the usual email field, but this time a validation button will be located close to the email input field. When it is clicked, a server-side PHP validation checks the status of the email entered. If the email is found not to be disposable, an icon signifying "good" is displayed and the validation button disappears; if it is found to be disposable, an icon signifying "bad" is displayed instead, along with the validation button. The icons can be found in the images folder of the script.

    Coding the HTML Form with Disposable Email Validation

    To avoid passing the API key each time the checkDEAfilter function is called, simply edit the deaFilterClient.php file and assign your API key to the variable $apiKey, so that only the email to validate has to be passed.
    The modified deaFilterClient.php should look like the code below:

    <?php

    function checkDEAfilter($deaEmailToCheck)
    {
        $apiKey = "5a8047b40e57750726618b8146066ef6"; // change to your API key

        // URL-encode both fields so that characters such as "&" or "=" in the
        // submitted address cannot add or override POST parameters
        $curlPost = http_build_query(array("mail" => $deaEmailToCheck, "key" => $apiKey));

        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, "http://www.deafilter.com/classes/DeaFilter.php"); // must point to the DeaFilter.php class
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $curlPost);
        curl_setopt($ch, CURLOPT_VERBOSE, 0);
        $data = curl_exec($ch);
        curl_close($ch);

        // curl_exec() returns false on a transport error
        if ($data === false) {
            return false;
        }

        $data = json_decode($data);

        // treat a missing or malformed reply as "not valid"
        if (!is_object($data) || !isset($data->result) || $data->result != "ok") {
            return false;
        }
        return true;
    }
    

    Next is the coding of the HTML form. Make sure you validate the form and check the status of the email again before the form is sent to the server for processing.

    
    <?php include "deaFilterClient.php";?>

    <form action="" method="post">
    <label for="email">Email Address</label><br/>
    <input type="text" name="email" id="email" value="<?php echo isset($_POST["email"]) ? htmlspecialchars($_POST["email"], ENT_QUOTES, "UTF-8") : "";?>"/>
    <?php
    // validate and detect if email is disposable or not
    if (isset($_REQUEST["email"])) {
        if (!checkDEAfilter($_REQUEST["email"])) { ?>
            <img src="images/cancel.png"/> &nbsp; &nbsp; <input type="submit" value="validate"/>
        <?php } else {
            echo '<img src="images/accept.png"/>';
        }
    } else {
        echo '<input type="submit" value="validate"/>';
    }
    ?>
        <br/><br/>
        <input type="submit" name="submit" value="submit form"/>
    </form>
    <?php
    // validate the form before it is sent to the server for processing:
    // check that the email is set and that it is not disposable
    if (isset($_REQUEST["submit"], $_REQUEST["email"]) && checkDEAfilter($_REQUEST["email"])) {
        // escape the submitted value before echoing it back into the page
        echo "your email is " . htmlspecialchars($_REQUEST["email"], ENT_QUOTES, "UTF-8");
    }
    ?>
    

    Demo => goo.gl/ycyId1
    Source code => goo.gl/TymGHO

  • Using Block Disposable Email Addresses API

    I found Block Disposable Email Addresses to be more effective than DEA-filter. Its only demerit is that it works with credits: you'll need to purchase more credits when the free ones are exhausted. Like DEA-filter, you need to sign up to get your API key.

    To use it instead of DEA-filter, simply replace the code in DEA-filter's deaFilterClient.php file with the code below; the HTML form code stays unchanged.

    
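    <?php
    function checkDEAfilter($email)
    {
        $key = "d619f9ad24052ad785d1edf65bbd33b4"; // replace with your API key
        // encode the address so that it cannot alter the request path
        $request = "http://check.block-disposable-email.com/easyapi/json/" . $key . "/" . rawurlencode($email);
        $response = file_get_contents($request);
        if ($response === false) {
            // the request itself failed
            return false;
        }
        $dea = json_decode($response, true);

        if (is_array($dea) && isset($dea['request_status']) && $dea['request_status'] == 'success') {
            if ($dea['domain_status'] != "ok") {
                // Access Denied
                return false;
            } else {
                // Access Granted
                return true;
            }
        } else {
            // something else went wrong with the address (maybe a malformed domain)
            // return the boolean false: the string "false" is truthy in PHP
            // and would let the address through
            return false;
        }
    }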
    

    Demo => goo.gl/ycyId1
    Source code => goo.gl/Cv4gbv
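
Both clients above collapse "the address is disposable" and "the lookup failed" into one boolean, and the credit-based API is called on every request. The following added example (not part of either script) keeps the two cases apart and caches verdicts per domain; `classifyEmail`, the `DEA_*` constants and the `$lookup` callable are hypothetical names, and the replies are constructed in the `request_status` / `domain_status` shape the code above reads.

```php
<?php
// Added example: four-state wrapper around a disposable-email lookup.
// $lookup is a hypothetical callable standing in for the API client; it is
// assumed to take a domain and return the decoded JSON array, or null on failure.
const DEA_INVALID    = 'invalid';     // not a syntactically valid address
const DEA_OK         = 'ok';
const DEA_DISPOSABLE = 'disposable';
const DEA_UNKNOWN    = 'unknown';     // lookup failed: the caller picks the policy

function classifyEmail(string $email, callable $lookup, array &$cache): string
{
    // Reject malformed input locally; it is never forwarded to the remote API.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return DEA_INVALID;
    }
    $domain = strtolower(substr(strrchr($email, '@'), 1));

    // One remote call (one credit) per domain, not per address.
    if (isset($cache[$domain])) {
        return $cache[$domain];
    }

    $reply = $lookup($domain);
    if (!is_array($reply) || ($reply['request_status'] ?? '') !== 'success') {
        return DEA_UNKNOWN;           // transient failures are not cached
    }
    // As in the client above, any domain_status other than "ok" is a denial.
    $verdict = ($reply['domain_status'] ?? '') === 'ok' ? DEA_OK : DEA_DISPOSABLE;
    return $cache[$domain] = $verdict;
}

// Constructed replies; "block" is a made-up non-"ok" value. No network needed.
$fakeLookup = function (string $domain): ?array {
    $replies = [
        'example.com'    => ['request_status' => 'success', 'domain_status' => 'ok'],
        'mailinator.com' => ['request_status' => 'success', 'domain_status' => 'block'],
    ];
    return $replies[$domain] ?? null; // null simulates a failed request
};

$cache = [];
$samples = ['alice@example.com', 'bob@MAILINATOR.com', 'x@down.example', 'not-an-email'];
foreach ($samples as $addr) {
    printf("%-20s %s\n", $addr, classifyEmail($addr, $fakeLookup, $cache));
}
```

With the four states separated, the signup handler can reject `invalid` and `disposable` outright and apply a deliberate policy to `unknown`, such as allowing the signup but holding it for the confirmation email.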

Conclusion

Getting rid of spam users who use disposable email should be taken seriously. By doing so, you get to know the real users of your web app and also clear it of fake users, which in turn reduces your app's resource consumption.
