Please use a personal email. My email is ‘mail’ @ ‘my actual name’. It does not get more personal than that.

But you can’t use emails starting with mail@, admin@, support@, info@, main@, etc.

Instead they advised me (3 times) to create a personal email on a service like Yahoo, Outlook, Gmail, Orange, etc.

  • @[email protected] · 369 points · edited · 2 months ago

    Security professional here. This is legit a good call on their part. It’s because those types of addresses won’t bounce emails but aren’t necessarily in your control; it’s very, very easy to spam those petition forms with mail@ for a million real domains without bouncing the emails, making them seem legit.

    You own your domain, obviously, so it’s really as simple as creating a forwarding/alias address of “[email protected]”. If creating a forwarding/alias address is that much of a problem for you I suggest that you likely shouldn’t be hosting your own email in the first place.

    Your laziness isn’t a good reason to be upset with a company taking steps to reduce their security overhead significantly.

    • @[email protected] · 17 points · 2 months ago

      Security professional here too. Agree that this is reasonable, and making a big deal about it is kinda meh.

    • @[email protected] (OP) · 8 points · 2 months ago

      They send a mail asking to confirm my email by clicking a link. I can’t see how spam registering with those emails would work.

      • @[email protected] · 3 points · 2 months ago

        My understanding is that signing a petition and creating an account aren’t necessarily linked, and it’s up to the person who created the petition whether verification is required.

        • @[email protected] (OP) · 9 points · edited · 2 months ago

          After signing the petition, they pop a large notification about needing to validate my account by clicking on the link in the mail they sent. If I didn’t do it, the signing wouldn’t count.

          • @[email protected] · 7 points · 2 months ago

            Right I’m saying I always thought that was an optional feature, determined by the person who created the petition. I don’t think it’s a universal requirement for all change.org petitions

            • @[email protected] (OP) · 2 points · 2 months ago

              Oh ok. Yeah maybe! From a front end user point of view it doesn’t make much sense though

      • @[email protected] · 9 points · 2 months ago

        I have been using catchall on my domain since 2002. I have never told anyone any of my real accounts. When I have to send an email, I just add that account (change@ whatever), send the e-mail and delete the account afterwards, rebanishing the company to my catchall. I’ve had it scripted for ages.

        When I do get an unsolicited email from let’s say ShittyCompany Inc, I set up a rule to forward all incoming shittycompany@(mydomain) emails to info@ shittycompany. This way they just spam themselves. Takes 2 seconds to run the script and I never see emails from shittycompany again.

        • cum · 3 points · 2 months ago

          That’s a good way to potentially get your personal domain as potential spam.

    • @[email protected] · 2 points · 1 month ago

      Web developer here. The problem here is not with emails but with change.org’s business model, which is reliant on lying to people that their petitions actually mean anything. But, anyone with half a brain cell can easily spot that they don’t have any legal backing whatsoever nor do they do any kind of identity verification, therefore those petitions are completely worthless. They might as well not give a fuck and allow cheating. For all they care, it only boosts counters and makes them appear more popular than they actually are.

    • Kashif Shah · 1 point · 2 months ago

      Let’s talk about the security of using email to do anything in this day and age.

      • @[email protected] · 8 points · 2 months ago

        You’re not wrong, but this isn’t really a security matter, it’s an “apparent uniqueness” matter. Their goal, I assume, is to satisfy critics enough that a given petition’s participants are sufficiently unique while keeping the barrier to filling out the form as low as possible. So they end up in a situation where neither is perfect, but they’re both “good enough” for what the business needs.

        I dealt with this in the anti-cheat space: my goal was never to remove all cheating, because that’s too expensive (insanely so). My goal was to make the public believe they weren’t playing against cheaters too often. If the solution was forcing the cheaters to perform at a level that was just below the most skilled human players, that was actually a success, because if the players can’t differentiate between cheaters and pro players, then they can’t effectively determine how prevalent cheating actually is.

        Part of me hated that we had to treat it that way, but another part of me understood that if I pushed too hard on “eliminating cheating” my department would become more costly than it was worth and they’d pivot away from gameplay that needed anti-cheat at all.

        • Kashif Shah · 2 points · edited · 2 months ago

          Risk management is the name of the game, as always, eh?

          That’s a slick technique for anti-cheat, heh. What did you think of the Call of Duty “fake data” approach? That cracked me up - things in game that only cheaters can see, so they end up self-reporting themselves as cheaters lol

          • @[email protected] · 2 points · 2 months ago

            As it ever will be, much as it may pain our moral sensibilities.

            Re: CoD - I loved it. Laughed my ass off. Absolutely a big fan of creative approaches to getting cheaters to tell on themselves. I proposed something similar to my team when we had a problem with players manipulating the position of objects in the world so they were directly in front of the player: add an object of the same type inside map geometry and attach a “kill volume” to it, so it was like a landmine. Move the object in front of the player and they instantly die :P Wish we’d done it but couldn’t get the level designers’ time to implement it unfortunately

            One we did do though: back when the product I worked on was on PS3 one of the big problems was hacked consoles spoofing platform entitlements (the thing that tells the game what purchases they should have access to). So we added an entitlement that couldn’t be acquired in any legitimate way, and gave you a specific item in game. Then we just checked player inventories once a week for anyone with that item and banned their account, their console, and any account that played on that console for a meaningful amount of time. Did the same thing with an item you could only get to by clipping through geometry. Even put the word “intrusion” in the item’s name haha.

            The cheats are so technically complicated at this juncture that the creative stuff is often the most effective. I mean, people are literally voluntarily installing hypervisor rootkits to run the cheats, so they can talk to their drivers below even the kernel. It’s so hard to come up with technical solutions to a problem like that that don’t wind up costing massive server processing power to validate every input.

            • Kashif Shah · 1 point · 1 month ago

              Haha that is a great idea! Give the landmine kill a special animation just to make sure that the cheaters get the message or let them figure it out in time lol?

              Heh, did you share that inventory technique on news.ycombinator? I could have sworn that I read a story there about a team doing that.

              I know exactly what you are talking about - I was digging into the modding of this one game and happened upon a cheater’s forum. Blew my mind that the first step was to completely gut your computer’s security lol. But at the same time, was enlightening to see that. Seems like some of the work has been moved to the Anti-Cheat systems, but I’m guessing that there must be large gaps in what the AC can actually do for you at the application level?

              • @[email protected] · 2 points · edited · 1 month ago

                Let em figure it out. Wasting their time is a core strategy in reducing their impact and will to continue cheating.

                I certainly didn’t share it myself but it’s possible my old boss did!

                TBH, in my very personal opinion the third party anti-cheat apps are like 50% placebo. Just makes people feel better. They are very protective of their “secret sauce” but I can say none of them are anywhere close to perfect. The thing they’re best at is taking the easy stuff off our plates so we can focus on the more difficult problems of hardening the game itself and analyzing telemetry.

        • Kashif Shah · 1 point · 2 months ago

          I spent about a decade in the enterprise software development space, so I totally get it. I couldn’t put it into words as well as you did, however.

          After watching the FCC bigwigs debate robocalls several years ago, I’ve become a believer in a future where your internet access is always authenticated to your real life ID, dark web excepted of course.

          In their case, it was posited as a best-in-class solution to the problem of spam in the telephony space. Same logic applies to email. I mean, look at what Twixxer did with the verified checkmark requiring a credit card. The trend is already there.

          I get the fear of being de-anonymized on the internet, but it may be the case of something we hate being something we need, when you start to throw deepfakes into the mix.

          • @[email protected] · 3 points · 2 months ago

            Funny you mention the robocall thing… I’m literally leaving a company that works on that problem (though not as their primary business) Wednesday. It was a short stint - mostly because they are resistant to solving massive technical debt problems and I’m not trying to doom my future self - but what I witnessed was…depressing. Getting anything done was like pulling teeth, and that’s with the recent FTC pivot to taking this stuff more seriously. STIR/SHAKEN is a reasonable start but it still has almost no teeth behind it.

            I’m with you on the identity issue. I mean, if we’re being really honest, the only people losing out by not implementing strong personal identification verification are the legitimate end users because the threat actors have gotten so unbelievably good at fingerprinting user behavior. And it’s only going to continue getting worse. With ML growth as unfettered as it is, there is nothing we can do. So I’d much rather take the reins and make identity verification a robust feature instead of a bug we can’t squash.

            • Kashif Shah · 2 points · 2 months ago

              Kudos for looking out for your future self first - I had to leave the field entirely after it got to the point where I couldn’t stand to look at a computer anymore. Still can’t for more than an hour, two years later.

              I intend to reply more later, because this does deserve a longer reply, but I am short on steam.

              In the meantime, have you heard of login.gov? Check that out. The day that .com gets a hook into that is the day that identity problems are (mostly) solved.

              • @[email protected] · 2 points · 2 months ago

                Yes! I LITERALLY just set up my stuff there a few days ago for TSA Precheck and CBP because I’m heading to Japan next month. I love what they’re doing.

                • Kashif Shah · 0 points · 2 months ago

                  Heh, I saw it on news.ycombinator.com back when it was announced - they have made strides if you can access TSA now!

                  In the beginning it was just a form for every manner of authentication and then a big CTA, essentially telling other .gov entities to start making project requests.

    • @[email protected] · 1 point · 2 months ago

      > Your laziness isn’t a good reason to be upset with a company taking steps to reduce their security overhead significantly

      Your laziness isn’t a good reason to add an unnecessary barrier of entry for your users.

  • 🇰 🔵 🇱 🇦 🇳 🇦 🇰 ℹ️ · 65 points · edited · 2 months ago

    If you own the domain being used, I assume you also host your own email… You can’t just make a new address for this and have them all forwarded to your actual email?

    “This_is_not_generic” @ “your actual name”

    Unless they block that too, I don’t think they’re trying to force those services on you; they’re just popular options and this is an automated response sent by an automated process that only checks the first half of the email and not the domain.

    • @[email protected] · 15 points · 2 months ago

      It’s pretty common to own a domain but not actually host the email server; doing on-premises email is a security PITA and most providers simply blacklist large swathes of residential and leasable (e.g. VPS) IPs.

      Unfortunately, if you get someone else to host your email, they often charge by the account, not by the domain. Setting up a new mailbox is therefore irritatingly expensive.

      A catch-all email works well, though, and is free from most of the hosting providers. Downside is you get spam…

      Jane@JaneDoe certainly seems more common than mail@JaneDoe.

  • @[email protected] · 47 points · edited · 2 months ago

    I haven’t ever used it, never signed a petition, but isn’t change.org only about petitions? I can kinda see their reasoning… They may even have had their hand forced to do it.

    Loads of people who want their way probably signed up with tons of accounts to skew the results. If it’s going to work, I guess they need to be able to show that they’re legit, or at least that change.org are doing their best to make it that they are.

    It’s easy to set up one gmail account for example and use it a million times with moving a dot throughout the name or putting a plus sign and anything after the username but before the @ symbol.

    • @[email protected] (OP) · 11 points · 2 months ago

      They still require you to confirm the email by clicking a link sent to that email, although someone mentioned that this may be an option to the creator of the petition.

      I do understand the requirement of not using . or + but blocking mail@ info@ seems too extreme to me.

  • @[email protected] · 41 points · 2 months ago

    Ah, change.org. I remember when they said “you can sign a petition without an account, just a mail validation”, immediately followed by “if you don’t create an account, the validation link in the mail will not work, fuck you”.

    Guess they didn’t really want people to engage.

  • @[email protected] · 35 points · 2 months ago

    > Please use a personal email. My email is ‘mail’ @ ‘my actual name’. It does not get more personal than that

    It’s a legit rule they’re enforcing, IMO. Generic email addresses are usually unmonitored mailboxes that don’t bounce. Easy to use if you’re spamming contact forms and stuff like that.

    > Instead they advised me (3 times) to create a personal email on a service like Yahoo, Outlook, Gmail, Orange, etc

    I think this is more a boilerplate suggestion, to lower the barrier to entry for people. Gotta remember, those of us that host our own email and/or use our own personal domains are definitely in the minority.

  • Kashif Shah · 33 points · 2 months ago

    lol “security” in this case is probably more like expediency in trying to solve a spam problem

  • pacoboyd · 31 points · 2 months ago

    Here’s the thing, you own the domain, set up whatever email alias you want and send it to your primary.

    • Starayo · 5 points · 1 month ago

      Yeah, I just set up a catch-all and use individual emails for everything, like the gmail + trick but without sites rejecting + characters occasionally.

      Of course, I have several domains and one is a .rodeo that some older sites refuse to believe is a TLD so there’s that problem…

  • @[email protected] · 26 points · 2 months ago

    As a person who ages ago created a single-letter (before the @) email address thinking myself clever and efficient… I’m amazed and distressed how many forms have insisted that my email address is invalid.

    • Rolling Resistance · 5 points · 1 month ago

      Some developers prefer using half-baked regexes from stackoverflow, rather than reputable libraries for email address validation.

      • @[email protected] · 1 point · 1 month ago

        Hmm. Why am I mildly surprised that I can’t find anything non-regular about the syntax. There are nested comments, but that’s part of MIME quoting, not the actual address format, so it’s reasonable to not accept those in an HTML entry field because HTML is many things, but not MIME.

          • @[email protected] · 1 point · 1 month ago

            I don’t know why single character email addresses would fail that test, though.

            Could be that they get a huge amount of bounces from those kinds of addresses. I’m sure at least half of Germany is using a@bc.de as the go-to “I don’t wanna give out my email” address.
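As an added example (not code from any of the posters; the function names are mine), here is the kind of copy-pasted regex that rejects a single-character local part such as a@bc.de, and also the .rodeo TLD mentioned earlier in the thread, beside a check that only enforces RFC 5321 syntax and length limits. It assumes quoted local parts and comments are not needed in a web form.

```python
"""Half-baked email regex vs. a check that follows RFC 5321 limits.
Added example; not from change.org or from any poster in the thread."""
import re

# A typical copy-pasted pattern: demands 2+ characters before '@' and a 2..4
# letter TLD, so a@bc.de and anything@example.rodeo are rejected.
HALF_BAKED = re.compile(r"^[a-zA-Z0-9._%+-]{2,}@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}$")


def half_baked_is_valid(address: str) -> bool:
    return HALF_BAKED.fullmatch(address) is not None


# RFC 5321 dot-atom local part (no quoted strings or comments, by assumption)
_LOCAL = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*$")
# One DNS label: 1..63 chars, alphanumeric at both ends, hyphens inside
_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def rfc_is_valid(address: str) -> bool:
    """Syntax and length checks only; deliverability is a separate question."""
    if len(address) > 254 or address.count("@") != 1:
        return False
    local, domain = address.split("@")
    if not 1 <= len(local) <= 64 or not _LOCAL.match(local):
        return False
    labels = domain.split(".")
    if len(labels) < 2 or not all(_LABEL.match(lab) for lab in labels):
        return False
    return not labels[-1].isdigit()  # TLD must not be all-numeric


def compare(addresses):
    """Return the addresses that are RFC-valid but the half-baked regex rejects."""
    return [a for a in addresses if rfc_is_valid(a) and not half_baked_is_valid(a)]


if __name__ == "__main__":
    # Constructed inputs: single-letter local part, long TLD, no TLD, ordinary
    print(compare(["a@bc.de", "jane@example.rodeo", "x@y", "user@example.com"]))
```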

  • @[email protected] · 22 points · 2 months ago

    This is a feature, not a bug. The rest of us don’t want crap being sent to admin email addresses, so fix your damn email and try again.

    Personally I use generated email addresses to most places, but my personal address is <FIRST>@<LAST>.us

    • @[email protected] (OP) · 8 points · 2 months ago

      The email i was trying to use was mail@ my actual name and surname.

      It is very handy to share and easy for people to remember.

      I don’t feel that it needs fixing when it is perfect for me and my needs but not for some company that needs to be overly careful.

    • @[email protected] · 2 points · edited · 1 month ago

      I blacklisted all my admin/mail/webmaster/etc. addresses a long time ago because those are the ones that get spam first when spammers parse lists of registered domains.

      I wonder if abuse@'s get any spam…

  • @[email protected] · 16 points · 2 months ago

    If your domain is your actual name, then it should be trivial to create an SMTP alias for [email protected] that is for [email protected].

    Attach that to your email address and inbound email for either will get to you, but only your primary address will be used for outbound communication.

    Another fun one…

    Gmail ignores periods in addresses.

    So [email protected] also gets email for:

    [email protected]
    [email protected]

    Or any combination…

    [email protected]
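The mail@/admin@ rejection discussed at the top of the thread and the Gmail dot and plus-addressing behaviour described here are two sides of one problem, apparent uniqueness of signers. This added example (not change.org's code; the function names and the list of role mailboxes beyond those quoted in the thread are mine) canonicalises submitted addresses for duplicate detection and flags role mailboxes, assuming only Gmail ignores dots in the local part.

```python
"""Canonicalise addresses for duplicate detection and flag role mailboxes.
Added example; not change.org's code."""
import re

# Role/generic local parts: the ones quoted in the thread plus RFC 2142 names
ROLE_LOCAL_PARTS = {
    "mail", "admin", "support", "info", "main",        # quoted in the thread
    "abuse", "postmaster", "webmaster", "hostmaster",   # RFC 2142 (my addition)
    "noreply", "no-reply", "sales", "contact",          # my addition
}

# Providers known to ignore dots in the local part (assumption: Gmail only)
DOT_INSENSITIVE_DOMAINS = {"gmail.com"}

_SIMPLE_SHAPE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def canonicalize(address: str) -> str:
    """Return a form used only for duplicate detection, never for delivery.

    - lower-case everything (domains are case-insensitive; treating the local
      part that way too is a deliberate uniqueness trade-off)
    - drop '+tag' sub-addressing
    - drop dots in the local part for dot-insensitive providers
    Raises ValueError if the input lacks a local@domain.tld shape.
    """
    address = address.strip()
    if not _SIMPLE_SHAPE.match(address):
        raise ValueError(f"not an address: {address!r}")
    local, domain = address.rsplit("@", 1)
    local, domain = local.lower(), domain.lower()
    local = local.split("+", 1)[0]          # john+petition1 -> john
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")      # j.o.h.n -> john
    return f"{local}@{domain}"


def is_role_account(address: str) -> bool:
    """True for generic mailboxes that accept mail but belong to no one person."""
    return canonicalize(address).split("@", 1)[0] in ROLE_LOCAL_PARTS


def count_unique_signers(addresses):
    """Count distinct mailboxes after canonicalisation, skipping role accounts.
    Returns (unique_count, list_of_rejected_role_addresses)."""
    seen, rejected = set(), []
    for addr in addresses:
        if is_role_account(addr):
            rejected.append(addr)
            continue
        seen.add(canonicalize(addr))
    return len(seen), rejected


if __name__ == "__main__":
    # Constructed sample: three spellings of one Gmail box, one role box, one person
    sample = ["john.doe@gmail.com", "JohnDoe+1@gmail.com", "j.o.h.n.d.o.e@gmail.com",
              "mail@example.org", "jane@example.org"]
    print(count_unique_signers(sample))  # (2, ['mail@example.org'])
```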

  • 𝚝𝚛𝚔 · 16 points · 2 months ago

    Then I guess for security reasons you won’t be signing up.