Please use a personal email. My email is ‘mail’ @ ‘my actual name’. It does not get more personal than that

But you can’t use emails starting with mail@, admin@, support@, info@, main@, etc.

Instead they advised me (3 times) to create a personal email on a service like Yahoo, Outlook, Gmail, Orange, etc

  • @neatchee@lemmy.world
    302
    1 year ago

    Security professional here. This is legit a good call on their part. It’s because those types of addresses won’t bounce emails but aren’t necessarily in your control; it’s very, very easy to spam those petition forms with mail@ for a million real domains without bouncing the emails, making them seem legit.

    You own your domain, obviously, so it’s really as simple as creating a forwarding/alias address of “changeorg@domain.tld”. If creating a forwarding/alias address is that much of a problem for you I suggest that you likely shouldn’t be hosting your own email in the first place.

    Your laziness isn’t a good reason to be upset with a company taking steps to reduce their security overhead significantly

      • @neatchee@lemmy.world
        73
        1 year ago

        Yeah I agree that one seems silly on the surface but for their specific situation I understand why: services like Gmail allow using a + to create faux-labels. So for example foo@gmail, foo+bar@gmail, and foo+baz@gmail all get delivered to the same account. For change.org that’s a problem because it allows a single email account to fill out the form many times.

        Ideally, they would simply truncate everything after and including those symbols but it’s possible other services have different rules (maybe Yahoo lets you prepend faux-tags instead of appending them, or something like that) so simply blocking their use altogether could be the more robust solution

        • @hemko@lemmy.dbzer0.com
          25
          1 year ago

          Eh, honestly I think blocking plus addressing as a workaround to block people from using multiple identities on the site is a very weak argument and completely ignores the reason plus addresses are being used in the first place, tagging.

          And the addition of “-” just tells they don’t really know what they’re doing, considering it’s not only valid but also a very common symbol in email addresses

          • @neatchee@lemmy.world
            18
            1 year ago

            I don’t think the reason they’re being used is relevant to their problem though. “Think like an attacker” wins the day here: as an attacker, I don’t care what it’s meant for, only how I can use it to my advantage. If it’s something they observed as a problem, I understand why they would want to stop it.

            As for “-”, yeah, I don’t have a particularly good explanation for that one except the assumption that it’s something similar to + addressing on a different service.

            • @bloor@feddit.de
              16
              1 year ago

              “-” is the default delimiter in qmail. I administer a system, where both + and - are valid recipient delimiters for historic reasons and we can’t really get rid of it.

              Believe me, it has caused all kinds of problems, where we have to go deep into the finer differences between aliases and virtual aliases and transport maps in postfix to route mails correctly. Especially since we have a lot of mailing lists with - as a valid character in them.

              So to summarize: the assumption by changeorg is valid, however the execution seems rather flawed.

              • @neatchee@lemmy.world
                5
                1 year ago

                Good info! Sounds like a nightmare :x

                Yeah, I can’t say their solution is the most elegant but it certainly makes a kind of sense when their criteria for success is “maximize participation while satisfying ‘uniqueness’ critics”

        • @scrion@lemmy.world
          8
          1 year ago

          The local parts of email addresses are standardized, and there is an RFC handling subaddressing as well, see RFC 5233 - it’s not like Gmail invented this behavior.

          Also, RFC 5321 clearly states (2.3.11) that the local part of an email must only be interpreted by the receiving server, so that part should not be parsed, modified or mangled in any form - the assumptions poor web forms or validation libraries make these days are incredibly annoying and simply not compliant.

          So no, none of your suggestions are good, let alone ideal. Ideally, people would simply implement the specs and stop making lazy and false assumptions. In the case you cited, it turns out email validation is simply not the proper tool to limit how often the form can be submitted. Similar websites use e.g. text messages.

          • @neatchee@lemmy.world
            8
            1 year ago

            Requiring SMS validation is a massive barrier to entry and not a viable option for a service like Change.org that relies on a certain level of participation.

            There’s literally another comment made at almost the same time as yours complaining that blocking the use of + and such is too high a barrier to entry and just the devs being lazy. Meanwhile your suggestion is to raise the barrier to entry even higher if you care about uniqueness of submissions

            It’s a no-win situation for Change.org so they went with something that meets their business needs. Can’t really expect much else from them tbh

            • @scrion@lemmy.world
              0
              1 year ago

              I’m aware of that, but let’s be honest here: social and political changes are not introduced, let alone solved, by technology.

              You said it perfectly: this is about business needs. I’d like to argue to make the barrier for entry even higher (tie it to a form of citizen identity) and mandate the petition must be reviewed / acted upon once it has become significant - frameworks like this do exist already in several countries.

              Everyone has multiple email addresses today, does that not fundamentally erode the validity of change.org as a platform for direct democracy then? I do believe this is the case, so I’d love if another website would at least stop violating already existing standards and force their erroneous interpretation of how email addresses work down our throats.

              • @neatchee@lemmy.world
                1
                1 year ago

                Oh yeah don’t get me wrong, I think change.org as a product is hot stinky garbage. I don’t take anything they produce seriously lol

                I just don’t expect them to do anything differently under the current circumstances is all heh. And their business is married to the design at this point, so I don’t see them pivoting any time soon. As you suggest, they need a competitor that can do it right to come along and actually produce some kind of meaningful results in the political arena, but that’s a whole other can of worms.

                I literally have an idea for this, and am kinda just sitting on it until I find the right people. I’ve been on the lookout about 10 years now for a) someone with a comprehensive understanding of constitutional law and b) someone with a comprehensive understanding of political finance and lobbying, both of whom also need to be progressive and interested in 501(c)(3) work. A bit of a unicorn :p

        • Racle
          3
          1 year ago

          Gmail allow using a + to create faux-labels

          I wonder how they handle gmail addresses with dots, as you can put a dot anywhere and it will still redirect to your email.

          I’ve set up (for a few services which don’t allow the + sign) emails like foobar@gmail.com, foo.bar@gmail.com, fo.o.bar@gmail.com and they all come to my inbox.

          • @neatchee@lemmy.world
            1
            1 year ago

            I imagine because it can’t be used to add additional junk characters to the address, they probably just strip them out before doing their string comparison

            • Racle
              1
              1 year ago

              If they know this case. In other email services dots are usually not junk characters.

              • @neatchee@lemmy.world
                1
                1 year ago

                For the sake of checking uniqueness it’s probably fine to just ignore them. Yeah, it sucks if johndoe@obscure.domain and john.doe@obscure.domain can’t sign the same petition but outside of the big email services I imagine that kind of collision is pretty rare
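
The uniqueness check debated in the comments above (plus tags, Gmail dots, qmail's "-" delimiter, role addresses), as an added example that is not from any commenter or from change.org. The rule table, the `qmail-host.example` domain and all sample addresses are constructed assumptions; the key is used only for comparing signers, while mail still goes to the address exactly as typed.

```python
# Added example: per-provider dedup keys for a "one signature per mailbox" check.
# The rule table is an assumption built from behaviours described in this thread.

ROLE_LOCAL_PARTS = {"mail", "admin", "support", "info", "main"}  # list from the post

# domain -> (subaddress delimiters, whether dots in the local part are ignored)
PROVIDER_RULES = {
    "gmail.com": ("+", True),            # foo+bar@ and f.o.o@ both reach foo@
    "qmail-host.example": ("-", False),  # hypothetical qmail site using "-"
}
DEFAULT_RULE = ("", False)  # unknown domain: the local part is opaque, leave it alone


def split_address(address):
    """Split on the last '@'; reject input lacking a local part or a domain."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an address: {address!r}")
    return local, domain.lower()


def dedup_key(address):
    """Comparison key only; never use it as the delivery address."""
    local, domain = split_address(address)
    delimiters, ignore_dots = PROVIDER_RULES.get(domain, DEFAULT_RULE)
    stripped = local
    for d in delimiters:
        stripped = stripped.split(d, 1)[0]
    if ignore_dots:
        stripped = stripped.replace(".", "")
    local = stripped or local  # "+tag@..." strips to nothing: keep it as typed
    # Assumption: case is folded for comparison purposes only.
    return f"{local.lower()}@{domain}"


def naive_key(address):
    """The blanket approach: strip '+', '-' tags and dots for every domain."""
    local, domain = split_address(address)
    for d in "+-":
        local = local.split(d, 1)[0]
    return f"{local.replace('.', '').lower()}@{domain}"


def is_role_address(address):
    """True for shared mailboxes such as mail@ or admin@ on any domain."""
    local, _ = split_address(address)
    return local.lower() in ROLE_LOCAL_PARTS


def count_unique(addresses, key_fn):
    return len({key_fn(a) for a in addresses})


# Constructed sample: one Gmail mailbox written three ways, then four distinct
# people on a small domain whose addresses happen to contain "." or "-".
SIGNERS = [
    "user+1@gmail.com", "user+2@gmail.com", "u.s.e.r@gmail.com",
    "johndoe@obscure.example", "john.doe@obscure.example",
    "mary-ann@obscure.example", "mary-jo@obscure.example",
]
```

On the sample, `count_unique(SIGNERS, dedup_key)` counts five signers, while `count_unique(SIGNERS, naive_key)` counts three because it merges two pairs of distinct people.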

      • @eee@lemm.ee
        5
        1 year ago

        that’s to stop people from spamming signatures with user+1@gmail, user+2@gmail, user+3@gmail, etc.

          • @alphafalcon@feddit.de
            8
            1 year ago

            IF you already have an email domain you control.

            Calling “acquiring and setting up an email domain and configuring the mail server for wildcards” “basically no extra effort” is a bit disingenuous compared to “solve a captcha for a Gmail account”

          • @eee@lemm.ee
            5
            1 year ago

            Spamming user+1@gmail, user+2@gmail takes absolutely no technical knowledge whatsoever - anyone can do it with 1 gmail account.

            Spamming user1@domain, user2@domain etc requires 1 of two things:

            1. you can sign up for multiple email accounts using a third party service. You’re going to run into trouble with Gmail or other big providers if you start creating accounts en masse.

            2. you create your own email server. this requires someone with selfhosting knowledge and some basic coding (or rather server config) experience.

          • @Localhorst86@feddit.de
            1
            1 year ago

            it takes basically no extra effort

            I’d assume one needs to verify the email by clicking a link, so to spam user1@domain.tld, user2@domain.tld would mean you need access to those inboxes. That means you need to go through the effort to actually create those email addresses on whatever freemail service you chose, or you need to host the email server yourself and have all mails run into a catchall inbox.
            Hosting your own email server is definitely not “basically no extra effort”, even for a lot of tech-savvy people, paying for a hosted email service using your own domain is easier, but also seems like not a good investment just to spam a petition website.

            The foo+bar@gmail.com functionality, however, is pretty well known tool - even by non-tech savvy people. Even some people I know that I consider basically tech-illiterate have known this for years, they have told me when they found out about it and asked me if I was aware of this functionality.

            The first one I mentioned requires preparation, setting up email accounts or an email server, the second one is basically already set up for most email users and ready to go, the latter is therefore definitely a lot less effort to pull off.

      • @H4mi@lemm.ee
        8
        1 year ago

        I have been using catchall on my domain since 2002. I have never told anyone any of my real accounts. When I have to send an email, I just add that account (change@ whatever), send the e-mail and delete the account afterwards, rebanishing the company to my catchall. I’ve had it scripted for ages.

        When I do get an unsolicited email from let’s say ShittyCompany Inc, I set up a rule to forward all incoming shittycompany@(mydomain) emails to info@ shittycompany. This way they just spam themselves. Takes 2 seconds to run the script and I never see emails from shittycompany again.

    • @cosmicrookie@lemmy.worldOP
      6
      1 year ago

      They send a mail asking to confirm my email by clicking a link. I can’t see how spam registering with those emails would work

      • @neatchee@lemmy.world
        2
        1 year ago

        My understanding is that signing a petition and creating an account aren’t necessarily linked, and it’s up to the person who created the petition whether verification is required.

        • @cosmicrookie@lemmy.worldOP
          5
          1 year ago

          After signing the petition, they pop a large notification about needing to validate my account by clicking on the link in the mail they sent. If I didn’t do it, the signing wouldn’t count

          • @neatchee@lemmy.world
            5
            1 year ago

            Right I’m saying I always thought that was an optional feature, determined by the person who created the petition. I don’t think it’s a universal requirement for all change.org petitions

    • @drathvedro@lemm.ee
      2
      1 year ago

      Web developer here. The problem here is not with emails but with change.org’s business model, which is reliant on lying to people that their petitions actually mean anything. But, anyone with half a brain cell can easily spot that they don’t have any legal backing whatsoever nor do they do any kind of identity verification, therefore those petitions are completely worthless. They might as well not give a fuck and allow cheating. For all they care, it only boosts counters and makes them appear more popular than they actually are.

  • @Babalugats@lemmy.world
    37
    1 year ago

    I haven’t ever used it, never signed a petition, but isn’t change.org only about petitions? I can kinda see their reasoning… They may even have had their hand forced to do it.

    Loads of people who want their way probably signed up with tons of accounts to skew the results. If it’s going to work, I guess they need to be able to show that they’re legit, or at least that change.org are doing their best to make it that they are.

    It’s easy to set up one gmail account for example and use it a million times with moving a dot throughout the name or putting a plus sign and anything after the username but before the @ symbol.

  • @cley_faye@lemmy.world
    32
    1 year ago

    Ah, change.org. I remember when they said “you can sign a petition without an account, just a mail validation”, immediately followed by “if you don’t create an account, the validation link in the mail will not work, fuck you”.

    Guess they didn’t really want people to engage.

  • pacoboyd
    23
    1 year ago

    Here’s the thing, you own the domain, set up whatever email alias you want and send it to your primary.

    • Starayo
      4
      1 year ago

      Yeah, I just set up a catch-all and use individual emails for everything, like the gmail + trick but without sites rejecting + characters occasionally.

      Of course, I have several domains and one is a .rodeo that some older sites refuse to believe is a TLD so there’s that problem…

  • @ragica@lemmy.ml
    21
    1 year ago

    As a person who ages ago created a single-letter (before the @) email address thinking myself clever and efficient… I’m amazed and distressed how many forms have insisted that my email address is invalid.

    • Rolling Resistance
      3
      1 year ago

      Some developers prefer using half-baked regexes from stackoverflow, rather than reputable libraries for email address validation.

      • @barsoap@lemm.ee
        1
        1 year ago

        Hmm. Why am I mildly surprised that I can’t find anything non-regular about the syntax. There’s nested comments but that’s part of MIME quoting, not the actual address format, so it’s reasonable to not accept those in an HTML entry field because HTML is many things, but not MIME.

  • @AA5B@lemmy.world
    17
    1 year ago

    This is a feature, not a bug. The rest of us don’t want crap being sent to admin email addresses, so fix your damn email and try again.

    Personally I use generated email addresses to most places, but my personal address is <FIRST>@<LAST>.us

    • @cosmicrookie@lemmy.worldOP
      7
      1 year ago

      The email I was trying to use was mail@ my actual name and surname.

      It is very handy to share and easy for people to remember.

      I don’t feel that it needs fixing when it is perfect for me and my needs but not for some company that needs to be overly careful

    • @drathvedro@lemm.ee
      2
      1 year ago

      I have all my admin/mail/webmaster/etc blacklisted a long time ago because those are the ones that get spam first when spammers parse lists of registered domains.

      I wonder if abuse@'s get any spam…

  • @jordanlund@lemmy.world
    14
    1 year ago

    If your domain is your actual name, then it should be trivial to create an SMTP alias for mail@domain.com that is for yourname@domain.com.

    Attach that to your email address and inbound email for either will get to you, but only your primary address will be used for outbound communication.

    Another fun one…

    Gmail ignores periods in addresses.

    So firstnamelastname@gmail.com also gets email for:

    firstname.lastname@gmail.com
    first.name.last.name@gmail.com

    Or any combination…

    f.i.r.s.t.n.a.m.e.l.a.s.t.n.a.m.e@gmail.com

    • @drathvedro@lemm.ee
      4
      1 year ago

      I just go with full domain names. Like change.org@yourna.me. Even combos where data is shared, like shop.com-bank.org@your.name or jitsi.corp-gravatar.com@your.name. But some places actually went out of their way to disallow their own domains anywhere in the field. I’ve encountered it maybe like 3 times across all of ~1000 logins I have in my password manager.

      And the amount of times I had to explain to people that yes, this is a legit email, yes it has your company’s name and your personal name in it, it is exactly as intended, so don’t send me spam because I will know it was you who sent it…

    • @PM_Your_Nudes_Please@lemmy.world
      3
      1 year ago

      This is exactly what I do. When I start getting a bunch of spam addressed to Walmart@[my domain] I can blanket filter that straight into spam because I know Walmart sold my info.

  • @uranibaba@lemmy.world
    10
    1 year ago

    Set all mails addressed to your domain but to the wrong email to be sent to your primary email. Then sign the petition with “<service_you_are_signing_up_fo>@yourname.com”.

    • greentreerainfire
      6
      1 year ago

      I do this with my domain and it works great.
      Only negative I’ve had is that people with a similar name have ended up signing up for things and misspelling theirs with it ending up on mine.

    • @cosmicrookie@lemmy.worldOP
      5
      1 year ago

      Yeah. I didn’t have a catch all mail and have set it up now. I was just surprised and ‘mildly infuriated’ that they would block this

      • K0W4L5K1
        4
        1 year ago

        Catch all is better you can see who’s selling your email lol

  • YaksDC
    2
    1 year ago

    I create a new alias account on my email server for each new account. That way when I am done with them I can just delete it and never get their spam ever.