How to Combat Fraudulent Signups from Disposable Email Services

Problem statement

Is it possible to combat fraudulent signups from disposable email services?

Solution

Auth0 does not currently offer built-in protection against disposable email addresses in signup flows, nor any kind of email domain reputation system.

To block disposable email addresses, one of the following two approaches is recommended:

  1. Compile a simple list of disposable email address domains. Then use a pre-user registration Action (Pre User Registration Flow) to block signup for any user whose email domain matches an entry in that list.
  2. Set up a pre-user registration Action that integrates with an email reputation service. Send the user's email address to the service and accept or deny the signup based on the score it returns.

Depending on the volume of fraudulent signups, option 1 may be preferable: it is easy to set up, costs nothing extra, and adds no outbound requests to the signup path. Its drawback is that the list has to be maintained by hand as new disposable-email domains appear. The following is a quick example. This has not been tested, so do not use it in production.

// Returns the lowercase domain part of the address, or '' if the address does
// not contain exactly one '@'. Lowercasing prevents a mixed-case bypass of the list.
const getEmailDomain = email => {
  if (typeof email !== 'string') return '';
  const parts = email.trim().toLowerCase().split('@');
  return parts.length === 2 ? parts[1] : '';
};

exports.onExecutePreUserRegistration = async (event, api) => {
  // Placeholder domains; replace with a maintained disposable-domain list.
  const badDomains = ['bad-domain1.tld', 'disposable-email.tld'];
  const userDomain = getEmailDomain(event.user.email);

  // Deny malformed addresses as well as listed domains. The first argument is
  // the reason recorded in the tenant logs; the second is the message shown to the user.
  if (userDomain === '' || badDomains.includes(userDomain)) {
    api.access.deny('bad_email_domain', 'Email address invalid');
  }
};
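The quick example above matches the domain exactly, so a disposable provider that hands out addresses on subdomains (mail.disposable-email.tld) or a user who types the domain in mixed case slips past it. The following is an added example, not code from this article or from Auth0, of the same block-list approach (option 1) hardened against those cases. It assumes only what the article already shows about the Action runtime (event.user.email and api.access.deny(reason, userMessage)); the domain list, the helper names and the offline simulate() harness are constructed for illustration.

```javascript
'use strict';

// Added example, not code from the Auth0 article: a hardened version of the
// block-list approach (option 1) for a Pre User Registration Action.
// Assumed: event.user.email and api.access.deny(reason, userMessage) behave as
// the article describes; the domain list is a constructed placeholder.

// Constructed placeholder list. A real deployment loads a maintained list.
const BLOCKED_DOMAINS = new Set(['bad-domain1.tld', 'disposable-email.tld']);

// Returns the lowercase domain of a plausibly formed address, or null.
// Normalizing first closes trivial bypasses such as "User@Disposable-Email.TLD ".
function getEmailDomain(email) {
  if (typeof email !== 'string') return null;
  const parts = email.trim().toLowerCase().split('@');
  if (parts.length !== 2 || parts[0] === '' || parts[1] === '') return null;
  const domain = parts[1];
  // Only plain dotted hostnames: no spaces, no empty labels, at least one dot.
  if (!/^[a-z0-9-]+(\.[a-z0-9-]+)+$/.test(domain)) return null;
  return domain;
}

// Walks up the domain's parents so "mail.disposable-email.tld" matches a list
// entry for "disposable-email.tld". The bare TLD is never tested, so a stray
// list entry such as "tld" cannot block a whole top-level domain.
function findBlockedDomain(domain, blocked = BLOCKED_DOMAINS) {
  const labels = domain.split('.');
  for (let i = 0; i < labels.length - 1; i++) {
    const candidate = labels.slice(i).join('.');
    if (blocked.has(candidate)) return candidate;
  }
  return null;
}

// Pure decision: null to allow, or { reason, message } to deny. The reason is
// what operators see in tenant logs; the message is what the end user sees,
// so it deliberately does not reveal which list entry matched.
function decideSignup(email, blocked = BLOCKED_DOMAINS) {
  const domain = getEmailDomain(email);
  if (domain === null) {
    return { reason: 'invalid_email', message: 'Email address invalid' };
  }
  if (findBlockedDomain(domain, blocked) !== null) {
    return { reason: 'bad_email_domain', message: 'Email address invalid' };
  }
  return null;
}

// Action entry point; the glue is thin so the logic above is testable offline.
const onExecutePreUserRegistration = async (event, api) => {
  const decision = decideSignup(event.user && event.user.email);
  if (decision !== null) {
    api.access.deny(decision.reason, decision.message);
  }
};
if (typeof exports !== 'undefined') {
  exports.onExecutePreUserRegistration = onExecutePreUserRegistration;
}

// Offline harness: a fake event/api pair standing in for the Actions runtime.
async function simulate(email) {
  const denials = [];
  const api = { access: { deny: (reason, message) => denials.push({ reason, message }) } };
  await onExecutePreUserRegistration({ user: { email } }, api);
  return denials.length === 0 ? 'allowed' : `denied:${denials[0].reason}`;
}
```

Keeping the decision in a pure function means the list logic can be unit-tested with plain Node before the Action is deployed, which matters given the article's own warning that the quick example is untested. Two separate deny reasons (invalid_email versus bad_email_domain) keep the tenant logs useful for tuning the list without telling the person signing up which check rejected them.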
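Option 2 puts a network call into every signup, so the Action has to decide two things the article leaves open: how long it will wait for the reputation service, and what happens when the service is down or returns garbage. The following is an added example, not code from this article or from Auth0, that makes both decisions explicit. The provider, its response shape ({ score } on a 0 to 100 scale where higher is riskier), the threshold, and the fakeLookup() stand-in are all hypothetical; the lookup function is injected so the policy can be exercised offline.

```javascript
'use strict';

// Added example, not code from the Auth0 article: the reputation-service
// variant (option 2), showing the two controls an Action needs around a
// network call: a hard timeout and an explicit decision for when the lookup
// fails. The provider, its response shape { score } (0-100, higher is riskier)
// and the threshold are hypothetical; the lookup function is injected so the
// policy runs offline.

const DEFAULTS = {
  denyThreshold: 70, // constructed: scores at or above this are denied
  timeoutMs: 2000,   // bound the delay a slow provider can add to every signup
  failOpen: true     // if the lookup fails: allow (true) or deny (false)
};

// Rejects after ms milliseconds; the timer is cleared when the race settles so
// a finished lookup does not leave a dangling timer behind.
function withTimeout(promise, ms) {
  let timer;
  const timeout = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error('reputation lookup timed out')), ms);
  });
  return Promise.race([promise, timeout]).finally(() => clearTimeout(timer));
}

// lookup(email) -> Promise<{ score }>. In a real Action this wraps an HTTPS
// call to the provider, with the API key read from event.secrets rather than
// hard-coded in the Action source.
async function decideWithReputation(email, lookup, opts = {}) {
  const { denyThreshold, timeoutMs, failOpen } = { ...DEFAULTS, ...opts };
  let result;
  try {
    result = await withTimeout(lookup(email), timeoutMs);
  } catch (err) {
    // Service down or slow: the outcome is a policy choice, made explicit here.
    return failOpen
      ? { allow: true, note: `lookup failed, allowed by policy: ${err.message}` }
      : { allow: false, reason: 'reputation_unavailable' };
  }
  if (!result || typeof result.score !== 'number') {
    // A malformed response is treated exactly like an outage.
    return failOpen
      ? { allow: true, note: 'malformed response, allowed by policy' }
      : { allow: false, reason: 'reputation_unavailable' };
  }
  return result.score >= denyThreshold
    ? { allow: false, reason: 'low_email_reputation' }
    : { allow: true };
}

// Action entry point. `lookup` is a parameter so the function is unit-testable;
// the deployed Action binds it to the real provider client.
async function onExecutePreUserRegistration(event, api, lookup) {
  const decision = await decideWithReputation(event.user && event.user.email, lookup);
  if (!decision.allow) {
    api.access.deny(decision.reason, 'Signup is not allowed for this email address');
  }
}
if (typeof exports !== 'undefined') {
  // fakeLookup is the offline stand-in; a deployment swaps in the real client.
  exports.onExecutePreUserRegistration = (event, api) =>
    onExecutePreUserRegistration(event, api, fakeLookup);
}

// Constructed stand-in for a provider: scores by domain, and can stall or
// return a malformed body so the failure paths can be exercised.
const FAKE_SCORES = { 'disposable-email.tld': 95, 'example.com': 5 };
function fakeLookup(email) {
  const domain = String(email || '').split('@')[1] || '';
  if (domain === 'slow.tld') return new Promise(() => {}); // never resolves
  if (domain === 'broken.tld') return Promise.resolve({});  // no score field
  return Promise.resolve({ score: FAKE_SCORES[domain] ?? 50 });
}
```

Whether to fail open or closed is a product decision, not a coding one: failing open keeps signups working during a provider outage at the cost of letting some disposable addresses through, while failing closed turns the provider into a single point of failure for registration. Whichever is chosen, the deny reason reputation_unavailable keeps outages distinguishable from genuine low-reputation rejections in the tenant logs.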