3

I notice security companies such as Rapid 7 prevent people signing up with either free email accounts, or accounts provided by ISPs:

https://www.rapid7.com/products/metasploit/metasploit-pro-registration.jsp

To prevent software license abuse, this field requires an email address from a domain you or your employer owns, such as a company, university, or personal domain. Email addresses from internet service providers or free mail providers are not accepted

Now I imagine that this could be accomplished by a blacklist of ISPs and free email address providers but I also notice that it does not work with some of the temporary email address services so these must be catered for somehow. My other guess was that it did some sort of DNS lookup to validate the company, but this would not work if I had set up a domain using my own company solely for temporary email addresses that the general public could use.

My question is how does the form validation work to ensure that your email is not any form of temporary address?

The above page validates the email on lost focus, so you do not have to actually submit the whole form to test this (as I would not advocate spam).

SilverlightFox
  • 33,698
  • 6
  • 69
  • 185
  • 3
    You said it, blacklists. That's the only way to be sure. – Adi Dec 13 '13 at 14:43
  • 2
    Interesting. It won't accept my Riseup address, but it does accept an address from a major Russian web portal ;) It also accepts some anonymous work addresses. It says "Alternatively you could send us an email at info@rapid7.com". I wonder what their criteria are? – mirimir Dec 13 '13 at 19:49
  • 1
    @Adnan I thought nuking it from orbit was the only way? – AviD Dec 18 '13 at 10:19

2 Answers2

2

It's most likely blacklist-based. You wrote

I also notice that it does not work with some of the temporary email address services

-- these are, for obvious reasons, a prime target for blacklists, so them being blocked is not a reason why it shouldn't be blacklist-based. Of course, blacklists are never complete, but there are services that provide such blacklists as an API and I'd guess they are pretty comprehensive.

Indeed, they query an online service to validate the address, which will most likely check against a blacklist and appears to perform other checks (e.g. existence of domain, but not if the domain even has a MX record).

Jan Schejbal
  • 617
  • 4
  • 4
0

Most likely Rapid7 uses a commercial email validation provider that can differentiate between corporate/educational domains and free/ISP domains. The theory is that if your email address is from Hotmail or Yahoo, this means you must live in Mom's basement and you therefore are not a qualified sales prospect who might pay for a license for Metasploit Pro after the 7-day free trial version expires.

(The lesser product Metasploit Express will set you back $5,000 per seat, per year. The price for Metasploit Pro isn't provided. How much you got?)

Different email validation providers can validate according to various criteria, and they charge different prices that correspond to the desired service level.

Search [email validation] and read the websites/FAQs of the commercial validation providers.

Anyone with $8 to register a high-falutin' domain name can possibly defeat Rapid7's email validation test and obtain the free trial version. Or possibly not, if they check for the existence of a company or school by that name.

user35648
  • 905
  • 6
  • 8
  • 2
    -1 Your answer looks nice, but in reality it's devoid of any content. The question is something "How does Rapid7 make sure that the email isn't free/disposable?" and your answer is "Validation happens using different criteria". Yup, that's not an answer. – Adi Dec 18 '13 at 11:02