Detecting #TempEmail Addresses using C#
If you provide a freemium service online and keep giving away repeated free trials to users who register with disposable email addresses, you can find yourself losing money.
There will always be a cat-and-mouse game between service providers and disposable email address providers, so this particular “mouse trap” will not last long. However, I do welcome comments on other temp email providers, and detection mechanisms.
Most temporary email addresses can be spotted by using a simple (long) list of known domains, which you can get from GitHub here: https://gist.github.com/adamloving/4401361
However, certain providers, such as temp-mail.org, register new domains every day, so yesterday’s domains are already obsolete. So, for the cost of a few thousand domain registrations a year, they can bypass most static detection.
If you check the Whois of the domains registered by this company, you can see that the domains they use are only 5 days old, i.e. they are registered, then used on their website within 5 days, then disposed of. They also use DNSOwl as a nameserver, which is operated by NameSilo, but is shared by a million other domains, so this could lead to false positives. See https://securitytrails.com/list/ns/ns1.dnsowl.com
However, what I discovered is that the mail. subdomain points to the IP address 89.38.99.80, which appears to be their hosting provider, WorldStream BV. The mail. subdomain is not necessarily their MX (Mail Exchanger), but the domain seems to be present. This could be a default DNS setup, but it’s a giveaway, and specific enough that it’s unlikely to lead to many false positives.
Here’s some C# code to check this:
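    private void CheckForBlacklistedMX(string domain)
    {
        try
        {
            // Resolve the "mail." subdomain and compare it with the known hosting IP.
            var address = System.Net.Dns.GetHostAddresses("mail." + domain)[0].ToString();
            if (address != "89.38.99.80") return; // black-listed https://temp-mail.org/en/
            // ... Do something to warn user.
        }
        catch (System.Exception)
        {
            // The lookup failed (for example "mail." does not resolve), so nothing is flagged.
        }
    }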
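The following is an added example, not the author's code. It goes a step beyond the snippet above by combining the static domain list with the mail. subdomain check, comparing every resolved address rather than only the first, and returning a verdict the caller can act on. The names TempEmailDetector and TempEmailVerdict and the domain listed.example are assumptions made for illustration; 89.38.99.80 is the address named in the post.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Mail;
using System.Net.Sockets;
using System.Threading.Tasks;

public enum TempEmailVerdict { Clean, ListedDomain, FlaggedMailHost, Invalid }

public sealed class TempEmailDetector
{
    private readonly HashSet<string> _listedDomains;  // static list of known temp-mail domains
    private readonly HashSet<IPAddress> _flaggedIps;  // IPs seen behind "mail." on throwaway domains

    public TempEmailDetector(IEnumerable<string> listedDomains, IEnumerable<string> flaggedIps)
    {
        _listedDomains = new HashSet<string>(listedDomains, StringComparer.OrdinalIgnoreCase);
        _flaggedIps = new HashSet<IPAddress>(flaggedIps.Select(IPAddress.Parse));
    }

    public async Task<TempEmailVerdict> CheckAsync(string email)
    {
        string domain;
        try { domain = new MailAddress(email).Host.TrimEnd('.'); }
        catch (Exception e) when (e is FormatException || e is ArgumentException)
        { return TempEmailVerdict.Invalid; }
        // Static list first: known domains need no network lookup.
        if (_listedDomains.Contains(domain)) return TempEmailVerdict.ListedDomain;
        try
        {
            // Compare every address returned for "mail.", not only the first one.
            IPAddress[] addresses = await Dns.GetHostAddressesAsync("mail." + domain);
            return addresses.Any(a => _flaggedIps.Contains(a))
                ? TempEmailVerdict.FlaggedMailHost : TempEmailVerdict.Clean;
        }
        catch (Exception e) when (e is SocketException || e is ArgumentException)
        {
            return TempEmailVerdict.Clean; // no usable answer for "mail.": no evidence, do not block
        }
    }

    public static async Task Main()
    {
        // Constructed input: "listed.example" stands in for an entry from the static list.
        var detector = new TempEmailDetector(new[] { "listed.example" }, new[] { "89.38.99.80" });
        Console.WriteLine(await detector.CheckAsync("someone@listed.example"));
    }
}
```

Because the flagged addresses are passed in as a set, new hosting IPs can be added when a provider moves without changing the code.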