Please use a personal email. My email is 'mail' @ 'my actual name'. It does not get more personal than that

But you can't use emails starting with mail@, admin@, support@, info@, main@, etc.

Instead they advised me (3 times) to create a personal email on a service like Yahoo, Outlook, Gmail, Orange, etc

[-] neatchee@lemmy.world 368 points 7 months ago* (last edited 7 months ago)

Security professional here. This is legit a good call on their part. It's because those types of addresses won't bounce emails but aren't necessarily in your control; it's very, very easy to spam those petition forms with mail@ for a million real domains without bouncing the emails, making them seem legit.

You own your domain, obviously, so it's really as simple as creating a forwarding/alias address of "changeorg@domain.tld". If creating a forwarding/alias address is that much of a problem for you I suggest that you likely shouldn't be hosting your own email in the first place.

Your laziness isn't a good reason to be upset with a company taking steps to reduce their security overhead significantly

[-] hemko@lemmy.dbzer0.com 105 points 7 months ago

They do though mention "+" and "-" also banned in the username part, which is kinda annoying

[-] neatchee@lemmy.world 87 points 7 months ago* (last edited 7 months ago)

Yeah I agree that one seems silly on the surface but for their specific situation I understand why: services like Gmail allow using a + to create faux-labels. So for example foo@gmail, foo+bar@gmail, and foo+baz@gmail all get delivered to the same account. For change.org that's a problem because it allows a single email account to fill out the form many times.

Ideally, they would simply truncate everything after and including those symbols but it's possible other services have different rules (maybe Yahoo lets you prepend faux-tags instead of appending them, or something like that) so simply blocking their use altogether could be the more robust solution.

[-] hemko@lemmy.dbzer0.com 40 points 7 months ago

Eh, honestly I think blocking plus addressing as a workaround to block people from using multiple identities on the site is a very weak argument and completely ignores the reason plus addresses are being used in the first place: tagging.

And the addition of "-" just tells me they don't really know what they're doing, considering it's not only a valid but also a very common symbol in email addresses.

[-] neatchee@lemmy.world 26 points 7 months ago

I don't think the reason they're being used is relevant to their problem though. "Think like an attacker" wins the day here: as an attacker, I don't care what it's meant for, only how I can use it to my advantage. If it's something they observed as a problem, I understand why they would want to stop it.

As for "-", yeah, I don't have a particularly good explanation for that one except the assumption that it's something similar to + addressing on a different service.

[-] bloor@feddit.de 23 points 7 months ago

"-" is the default delimiter in qmail. I administer a system, where both + and - are valid recipient delimiters for historic reasons and we can't really get rid of it.

Believe me, it has caused all kinds of problems, where we have to go deep into the finer differences between aliases and virtual aliases and transport maps in postfix to route mails correctly. Especially since we have a lot of mailing lists with - as a valid character in them.

So to summarize: the assumption by changeorg is valid, however the execution seems rather flawed.

[-] neatchee@lemmy.world 10 points 7 months ago

Good info! Sounds like a nightmare :x

Yeah, I can't say their solution is the most elegant but it certainly makes a kind of sense when their criteria for success is "maximize participation while satisfying 'uniqueness' critics"

[-] scrion@lemmy.world 18 points 7 months ago

The local parts of email addresses are standardized, and there is an RFC handling subaddressing as well, see RFC 5233 - it's not like Gmail invented this behavior.

Also, RFC 5321 clearly states (2.3.11) that the local part of an email must only be interpreted by the receiving server, so that part should not be parsed, modified or mangled in any form - the assumptions poor web forms or validation libraries make these days are incredibly annoying and simply not compliant.

So no, none of your suggestions are good, let alone ideal. Ideally, people would simply implement the specs and stop making lazy and false assumptions. In the case you cited, it turns out email validation is simply not the proper tool to limit how often the form can be submitted. Similar websites use e.g. text messages.

[-] neatchee@lemmy.world 10 points 7 months ago* (last edited 7 months ago)

Requiring SMS validation is a massive barrier to entry and not a viable option for a service like Change.org that relies on a certain level of participation.

There's literally another comment made at almost the same time as yours complaining that blocking the use of + and such is too high a barrier to entry and just the devs being lazy. Meanwhile your suggestion is to raise the barrier to entry even higher if you care about uniqueness of submissions.

It's a no-win situation for Change.org so they went with something that meets their business needs. Can't really expect much else from them tbh

[-] twistypencil@lemmy.world 17 points 7 months ago

Security professional here too. Agree that this is reasonable, and making a big deal about it is kinda meh.

[-] Treczoks@lemmy.world 8 points 7 months ago

Catchall - the new spam bin ;-) It's soooo good to have your own domain for mail...

[-] H4mi@lemm.ee 9 points 7 months ago

I have been using catchall on my domain since 2002. I have never told anyone any of my real accounts. When I have to send an email, I just add that account (change@ whatever), send the e-mail and delete the account afterwards, rebanishing the company to my catchall. I’ve had it scripted for ages.

When I do get an unsolicited email from let’s say ShittyCompany Inc, I set up a rule to forward all incoming shittycompany@(mydomain) emails to info@ shittycompany. This way they just spam themselves. Takes 2 seconds to run the script and I never see emails from shittycompany again.

[-] cosmicrookie@lemmy.world 8 points 7 months ago

They send a mail asking to confirm my email by clicking a link. I can't see how spam registering with those emails would work

[-] Kolanaki@yiffit.net 65 points 7 months ago* (last edited 7 months ago)

If you own the domain being used, I assume you also host your own email... You can't just make a new address for this and have them all forwarded to your actual email?

"This_is_not_generic" @ "your actual name"

Unless they block that too, I don't think they're trying to force those services on you; they're just popular options and this is an automated response sent by an automated process that only checks the first half of the email and not the domain.

[-] SomeoneSomewhere@lemmy.nz 15 points 7 months ago

It's pretty common to own a domain but not actually host the email server; doing on-premises email is a security PITA and most providers simply blacklist large swathes of residential and leasable (e.g. VPS) IPs.

Unfortunately, if you get someone else to host your email, they often charge by the account, not by the domain. Setting up a new mailbox is therefore irritatingly expensive.

A catch-all email works well, though, and is free from most of the hosting providers. Downside is you get spam...

Jane@JaneDoe certainly seems more common than mail@JaneDoe.

[-] Damage@feddit.it 12 points 7 months ago

Aliases also exist, that's what I use.

My main e-mail is name@surname.tld

[-] Natanael@slrpnk.net 56 points 7 months ago

Create an alias and set forwarding

[-] cornshark@lemmy.world 52 points 7 months ago* (last edited 7 months ago)

"why should I change? He's the one who sucks!"

[-] isles@lemmy.world 14 points 7 months ago

Ah, the age old "right" vs "effective" argument.

[-] Babalugats@lemmy.world 47 points 7 months ago* (last edited 7 months ago)

I haven't ever used it, never signed a petition, but isn't change.org only about petitions? I can kinda see their reasoning.. They may even have had their hand forced to do it.

Loads of people who want their way probably signed up with tons of accounts to skew the results. If it's going to work, I guess they need to be able to show that they're legit, or at least that change.org are doing their best to make it that they are.

It's easy to set up one gmail account for example and use it a million times with moving a dot throughout the name or putting a plus sign and anything after the username but before the @ symbol.

[-] cosmicrookie@lemmy.world 11 points 7 months ago

They still require you to confirm the email by clicking a link sent to that email, although someone mentioned that this may be an option to the creator of the petition

I do understand the requirement of not using . or + but blocking mail@ info@ seems too extreme to me.

[-] Siethron@lemmy.world 14 points 7 months ago

Automailers often have names like that i.e. noreplymail@companyname.com so it may be more about stopping spam or stopping people from using spam email accounts.

[-] cley_faye@lemmy.world 41 points 7 months ago

Ah, change.org. I remember when they said "you can sign a petition without an account, just a mail validation", immediately followed by "if you don't create an account, the validation link in the mail will not work, fuck you".

Guess they didn't really want people to engage.

[-] teletext@reddthat.com 39 points 7 months ago* (last edited 7 months ago)

That's quite a sensible rule, actually.

[-] DeltaTangoLima@reddrefuge.com 36 points 7 months ago

Please use a personal email. My email is ‘mail’ @ ‘my actual name’. It does not get more personal than that

It's a legit rule they're enforcing, IMO. Generic email addresses are usually unmonitored mailboxes that don't bounce. Easy to use if you're spamming contact forms and stuff like that.

Instead they advised me (3 times) to create a personal email on a service like Yahoo, Outlook, Gmail, Orange, etc

I think this is more a boilerplate suggestion, to lower the barrier to entry for people. Gotta remember, those of us that host our own email and/or use our own personal domains are definitely in the minority.

[-] kashifshah@lemmy.sdf.org 33 points 7 months ago

lol “security” in this case is probably more like expediency in trying to solve a spam problem

[-] teletext@reddthat.com 27 points 7 months ago

Yes, so they don't become a spam proxy filling up RFC 2142 address names.

[-] pacoboyd@lemm.ee 31 points 7 months ago

Here's the thing, you own the domain, set up whatever email alias you want and send it to your primary.

[-] Raiderkev@lemmy.world 30 points 7 months ago

Maybe we can start a change.org petition to get this resolved.

[-] deezbutts@lemm.ee 34 points 7 months ago
[-] Jahuffine@lemmy.world 8 points 7 months ago

This took me too long to figure out🤣

[-] 0x0@programming.dev 26 points 7 months ago
[-] mriormro@lemmy.world 9 points 7 months ago

You really showed change.org, buddy.

[-] ragica@lemmy.ml 26 points 7 months ago

As a person who ages ago created a single letter (before the @) email address thinking myself clever and efficient... I'm amazed and distressed how many forms have insisted that my email address is invalid.

[-] AA5B@lemmy.world 22 points 7 months ago

This is a feature, not a bug. The rest of us don’t want crap being sent to admin email addresses, so fix your damn email and try again.

Personally I use generated email addresses to most places, but my personal address is @.us

[-] cosmicrookie@lemmy.world 8 points 7 months ago

The email I was trying to use was mail@ my actual name and surname.

It is very handy to share and easy for people to remember.

I don't feel that it needs fixing when it is perfect for me and my needs but not for some company that needs to be overly careful.

[-] Lightborne@lemmy.world 13 points 7 months ago

Bro. You can't sign a petition on change.org.

Just move on with your life.

[-] trk@aussie.zone 16 points 7 months ago

Then I guess for security reasons you won't be signing up.

[-] jordanlund@lemmy.world 16 points 7 months ago

If your domain is your actual name, then it should be trivial to create an SMTP alias for mail@domain.com that is for yourname@domain.com.

Attach that to your email address and inbound email for either will get to you, but only your primary address will be used for outbound communication.

Another fun one...

Gmail ignores periods in addresses.

So firstnamelastname@gmail.com also gets email for:

firstname.lastname@gmail.com
first.name.last.name@gmail.com

Or any combination...

f.i.r.s.t.n.a.m.e.l.a.s.t.n.a.m.e@gmail.com
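
Added example, not part of any comment in this thread and not change.org's code: one way a sign-up form could detect the Gmail dot and "+" variants described above, and flag role mailboxes, by computing a separate uniqueness key while leaving the address it actually mails untouched. The `RULES` table, the `qmail.example` host and the sample addresses are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Role mailboxes: the names quoted in the thread plus some RFC 2142 names.
ROLE_LOCAL_PARTS = {"mail", "admin", "support", "info", "main", "abuse",
                    "postmaster", "hostmaster", "webmaster", "noc", "security"}

@dataclass(frozen=True)
class Rule:
    delimiters: str = ""       # sub-address delimiters this receiver honours
    ignore_dots: bool = False  # receiver delivers a.b@ and ab@ to one mailbox

# Per-receiver rules (assumption: maintained by the operator). Domains not
# listed get no rewriting, since only the receiving server may interpret
# the local part.
RULES = {
    "gmail.com": Rule(delimiters="+", ignore_dots=True),
    "qmail.example": Rule(delimiters="-"),  # constructed qmail-style host
}

def split_address(addr):
    local, sep, domain = addr.strip().rpartition("@")
    if not (sep and local and domain):
        raise ValueError(f"not an address: {addr!r}")
    return local, domain.lower()

def is_role_address(addr):
    local, _ = split_address(addr)
    return local.lower() in ROLE_LOCAL_PARTS

def dedup_key(addr):
    """Key for uniqueness checks only; mail still goes to addr as typed."""
    local, domain = split_address(addr)
    rule = RULES.get(domain)
    if rule is None:
        return f"{local}@{domain}"
    base = local.lower()
    for delim in rule.delimiters:
        base = base.split(delim, 1)[0]
    if rule.ignore_dots:
        base = base.replace(".", "")
    return f"{base or local}@{domain}"  # never collapse to an empty local part

def find_duplicates(addresses):
    groups = defaultdict(list)
    for addr in addresses:
        groups[dedup_key(addr)].append(addr)
    return {k: v for k, v in groups.items() if len(v) > 1}

# Constructed sample sign-ups.
SAMPLE = ["firstnamelastname@gmail.com", "first.name.last.name@gmail.com",
          "FirstNameLastName+petition@gmail.com", "jane+news@janedoe.example",
          "jane@janedoe.example", "mail@janedoe.example"]

if __name__ == "__main__":
    print(find_duplicates(SAMPLE))
    print([a for a in SAMPLE if is_role_address(a)])
```

Addresses on domains with no known rule are compared verbatim, so a "-" or "+" in a self-hosted address is neither rejected nor folded.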

[-] thatKamGuy@sh.itjust.works 14 points 7 months ago

Wouldn’t it make more sense to alias out each place you submit an email address to, so you can see who sells your contact details or otherwise gets hacked?

Eg: changeorg@yourna.me, netflix@yourna.me etc.?

[-] uranibaba@lemmy.world 13 points 7 months ago

Set all mails addressed to your domain but to the wrong email to be sent to your primary email. Then sign the petition with "<service_you_are_signing_up_for>@yourname.com".

[-] Moonrise2473@feddit.it 8 points 7 months ago

Is it possible to create an alias like fuckchange@domain?

[-] ziviz@lemmy.sdf.org 7 points 7 months ago

Had something similar happen with indiegala. Had an account with them for years, then one day, could not purchase some games randomly. Hit up their support and got the answer "Oh, the purchase was denied because your account's email address is detected as a temporary email address".... The email address I've been using on that account... for years.... Is temporary.

this post was submitted on 13 May 2024
536 points (90.4% liked)