Monday, December 8, 2008

Dear World, email addresses are not identity

It's no secret that part of putting up any website or service is the consideration of security measures to stop people from abusing the system. And as you can imagine, those particular issues are probably doubled or tripled with a site like Mailinator (and of course Talkinator). Needless to say, I've gotten pretty good at unorthodox security.

Anonymity does indeed breed bravery.

The normal Mailinator use case is that you have a need for a quick email address to sign up for some web service. Some people, however, use Mailinator as an actual primary email repository. With the RSS feed, it acts as a convenient dropbox for newsletters or other semi-private email needs.

Unfortunately, there are some wacky funsters out there that think it might be fun to sign up for some website over and over and over and over (and over). Often this is for some site that has "vote for your favorite band" or "sign up for a free gift" or some such thing.

The primary flaw of these systems is not Mailinator - it's that these websites equate the idea of identity with email addresses. Seriously, long before Mailinator existed I had 3 or 4 email accounts that I actively used and another 10 I had probably abandoned. I'm not sure what those site designers were thinking - Mailinator or not, email addresses are FREE.

If you give someone something that has any value at all in exchange for free email addresses, they're going to ask for lots. I'm probably in a unique position to view this, but I see this idea as incredibly broken.

One option I had was to simply ignore this idea. Let crafty script-writers create systems that sign up for Wink accounts 1000 times an hour. (As I write this, I'm watching some automated system using several hundred IPs trying to sign up for wink.com using Mailinator - and watching the Mailinator system dutifully send each request to the abuse page).

The problem with this is that someday, wink.com will catch on. And they'll ban Mailinator. This is, sadly, a wonderfully broken solution to a still-existing broken site design.

The problem for me is that I likely have legitimate users that want to sign up for Wink - and I want them able to do so (and I imagine Wink might want more users too, so by extension they'll lose some or all of the ones I lost). What's insanely broken for sites banning Mailinator is that there are tens of Mailinator-copy-cat disposable web services out there. Or even worse, someone with access to a server and a domain, who can install sendmail and create a few thousand accounts. Simply put, banning Mailinator is like catching a single mouse and thinking you've solved the mouse problem.

You stop the bad guys, but for about a day until they implement a new system.

I had an interesting discussion with an acquaintance recently. During the conversation I described Mailinator to him. His mouth gaped open and he told me he would look into it and probably ban it from his site. I asked what he would be banning it "from". He said he had a trial piece of software that people could sign up for and download. And he wanted their real information to email them later (i.e. I did my best not to say that he was sending "spam") to see if they wanted to buy.

I noted that sometimes when I download software to try, I do want to enter my real email. I'm interested enough to want to be registered. But other times, I'm just in browsing mode. If given the chance I'd download and check it out, but if you give me too much impedance I'll probably just go check out his competitor.

In those cases when I'm just browsing, I'll use Mailinator.

In other words, there are 3 types of potential customers. Those that don't care about his software. Those who really love the idea of trying his software and will do anything to do so. And those who are on the fence.

For obvious reasons, Mailinator is my "on-the-fence" tool of choice. If he banned it, he'd be refusing some subset of those potential customers. So it basically comes down to the question - what's better?

1) Definitely get user information you can spam later - or
2) get your product in front of as many eyeballs as possible.

Also noting the fact that NO email ensures any relation to an actual person whatsoever (including yahoo, gmail, hotmail, etc.) - what's the point?

We continued our discussion and agreed that from a marketing perspective, you actually don't want to remove the email sign-up altogether. It actually brings value to some customers. If you remove it or make it optional, most everyone will skip it just to get to the goodies. But by leaving it and knowing that some people, using Mailinator or Yahoo or whatever, will give you temporary email addresses, you're maximizing your potential customer base.

It didn't hurt my argument to mention a few other disposable email services that he'd have to ban too. I sure don't know them all - they seem to come and go a lot. And that surely doesn't count ones that run semi-privately. Basically, it would be a full-time job to keep up.

Oh. So, back to our script kiddies above. Mailinator includes a system to stop scripts from signing up for websites over and over. I love fun algorithms/data-structures so your homework can be to design something like Mailinator's abuse trigger system - a key-value datastruct that ages with time and is refreshed by lookups that come in at some notable (and tweaked) rate (in the same ballpark as a LRU cache, but definitely more dynamic).

It's unlikely a human will set off the triggers but it's possible. The sad part (for script writers) is that the algorithm doesn't trigger until their script gets going, so it's probably a bit heart-breaking to spend a few hours perfecting a script to scrape Mailinator and then have Mailinator detect it only once it gets going and shut it down hard.

The first level is the Abuse Page. If you push it, Mailinator will ban IP addresses - but only under certain conditions. That's rather an imprecise way of stopping abuse. In addition, it looks for patterns of mailbox usage regardless of IP. An obvious one is when one subject, such as "Welcome to Wink!", shows up a lot in the emails being read. Sadly, it's difficult to distinguish valid users trying to sign up for Wink amongst the botnet hitting right now - so they'll probably get the abuse page too for the time being.
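One possible answer to the homework above, as an added example and not Mailinator's actual code: each key (an IP or a mail subject) carries a score that halves over time and is bumped by every lookup, so only a sustained rate trips it. The class name, half-life, threshold and the sample traffic are all assumptions made for illustration.

```python
import math

class DecayingTrigger:
    """Key -> hit score that halves every half_life_s seconds (assumed design)."""

    def __init__(self, half_life_s=60.0, threshold=20.0, floor=0.5):
        self.rate = math.log(2) / half_life_s
        self.threshold = threshold    # tweakable: score that counts as abuse
        self.floor = floor            # scores below this are forgotten
        self.entries = {}             # key -> (score, time of last hit)

    def score(self, key, now):
        """Current aged score for key, without refreshing it."""
        value, last = self.entries.get(key, (0.0, now))
        return value * math.exp(-self.rate * (now - last))

    def hit(self, key, now):
        """Record one lookup; True means the key is over the abuse threshold."""
        value = self.score(key, now) + 1.0
        self.entries[key] = (value, now)
        return value >= self.threshold

    def sweep(self, now):
        """Evict keys that have aged out, so memory tracks only active keys."""
        cold = [k for k in self.entries if self.score(k, now) < self.floor]
        for k in cold:
            del self.entries[k]
        return len(cold)

def replay(events, trigger):
    """Feed (time, ip, subject) events; return {key: time it first tripped}."""
    tripped = {}
    for now, ip, subject in events:
        for key in (("ip", ip), ("subject", subject)):
            if trigger.hit(key, now) and key not in tripped:
                tripped[key] = now
    return tripped

# Constructed sample traffic: 300 distinct addresses reading the same sign-up
# mail once per second, and one person checking a newsletter every 5 minutes.
BOTNET = [(t, f"10.0.{t // 250}.{t % 250 + 1}", "Welcome to Wink!") for t in range(300)]
HUMAN = [(t, "192.0.2.7", "Weekly newsletter") for t in range(0, 3000, 300)]
EVENTS = sorted(BOTNET + HUMAN)

if __name__ == "__main__":
    print(replay(EVENTS, DecayingTrigger()))
```

With these constructed events no single IP ever trips, because each address appears once; the shared subject trips on its own, and it does so only after the script has been running for a while.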

Potential site abusers taught me a lot and hardened the site considerably. Abuse attempts are still a common occurrence but far less normal than a few years ago. I assume many scripters went to less caring disposable services.

I often get asked if I care if sites ban Mailinator. I don't really. In some cases it's prudent if you really do need to email people that use your service. In most cases however, it's simply a knee-jerk reaction attempting to patch an otherwise flawed system. Not only is it a sure way to eliminate some potential customers, the flaw will show up again soon when the abusers shift to another method - and probably another method without Mailinator's facilities to stop scripts.

In the end, there is no real identity on the Internet. At least none past an IP address and a subpoena. At best, email is optional identity. And prudently, it should probably be treated that way.

6 comments:

aklemm said...

Nice article. Do you think OpenID will help solve the identity problems you describe?

Evan Reiser said...

Coincidentally, as I was avoiding redoing the registration system at gamernook.com, I stumbled across our blog

Great article, I totally agree, I feel like this article will affect how I build registration but I'm not sure how yet. I guess if websites provide a service delivered via email that people actually want, they will be much more likely to use their real email.

Thanks for mailinator

Brendan said...

we could have used your abuse trigger system recently. Nice idea.

Some Java script was used to send 3800 e-mails to our e-commerce web site via the 'e-mail us' web form

A CAPTCHA would work, but it tends to be a little customer unfriendly

Anonymous said...

Nice article.

There's been a number of times where I gave up on trying to download a piece of software from a site that wanted too much of my information. A lot of times I just get it from Download.com instead :)

flypup said...

EXACTLY! Now that being said is there a way to start an extermination project for people that spam needlessly? I know businesses need to advertise. I get that. I know that people are lazy and that sending out mail is easy for both the business and the buyer. The big BUTT in that is the people who use this to scam and extort and bother me, you, and others in our boat. I have about 15 accounts that I use for varying reasons.

As a person online a lot, I can tell you that I rarely give out my permanent email even to businesses that I purchase from for the same reasons that I don't give it out to john doe on the web. Regular stores online spam and I don't want it. Even if you put that you don't want it you get it... and sure you can go through the hassle of complaining and at some point you might get off the list but that takes time and energy I'm not willing to invest. It's much easier to have a disposable email that I can give out and delete later which I do from my ATT account as I can have 5 e-addresses or something like that. That takes some work which I'm willing to do for something I'm buying. But for things I'm browsing I use Mailinator...and lots of innocuous things that I like to sign up. I luv the service. I hate that people are using it and getting it banned but I can always default back to the more work disposable if needed. The irony is that the scammers are scamming the scammers and the people hurt are ones like me and you stuck in the middle of the mire just wanting to use and trade and exchange information. I'm not against a license to use the internet much like to drive a car. :) Much like my idea about birth control in the water until you pass a test on how to care for one along with financial license showing you know how to budget. LOL okay, the pain meds for my root canal must still be working!!!
Anyhow, keep up the good fight! flypup

qwazix said...

Internet identity is a big subject and it raises the question: "If e-mail is not identity then what should be the all-accepted internet ID or do we really need one?"