undefined | Better HN

0 pointsethagnawl8mo ago0 comments

This reminds me: I've noticed that Starbucks now requires a few pieces of information to use their WiFi network. One is email and they are doing some sort of validation which will reject emails like whoopsileanedonxxxxxxxx@aol.com but will accept other, legit AOL emails. How are they deciding what is/not a valid email? Are they using a compiled list of emails that have been seen in the wild? What if it's a brand new address, though? Presumably AOL isn't exposing a service for them to use in realtime. I haven't tested this extensively or with other providers.

It's obvious that they care (to some extent) that they're getting valid emails, so why not use a basic regex on the FE and an OTP which gets sent to the provided address?

0 comments

codedokode8mo ago

They can connect to a mail server and pretend that they are going to send a message and the server would reject the invalid recipient email.

ethagnawlOP8mo ago

I had no idea this was possible. This sounds almost like an HTTP OPTION request. I'd love to find an example of client code which does this.

brk8mo ago

You're looking for the SMTP VRFY and EXPN commands. However implementation is very hit-or-miss. In the good ole' days of the internet, VRFY was widely implemented. Then spammers realized they could connect to a mailserver and do a form of a VRFY dictionary attack to find valid addresses, so it stopped being supported.

toast08mo ago

> why not use a basic regex on the FE and an OTP which gets sent to the provided address?

I can't prove I control an email in order to use your wifi, if I can't use your wifi.

swores8mo ago

Some wifi networks give you a limited number of minutes online during which you need to click a verification link they've emailed you in order to not get cut off.

ethagnawlOP8mo ago

That's a great point. I guess I'm so conditioned to various 2FA methods that I take some amount of access (i.e. mobile) for granted.

aembleton8mo ago

Use *@example.com, it usually works.

j / k navigate · click thread line to collapse

0 pointsethagnawl8mo ago0 comments

It's obvious that they care (to some extent) that they're getting valid emails, so why not use a basic regex on the FE and an OTP which gets sent to the provided address?

0 comments

codedokode8mo ago

They can connect to a mail server and pretend that they are going to send a message and the server would reject the invalid recipient email.

ethagnawlOP8mo ago

I had no idea this was possible. This sounds almost like an HTTP OPTION request. I'd love to find an example of client code which does this.

brk8mo ago

toast08mo ago

> why not use a basic regex on the FE and an OTP which gets sent to the provided address?

I can't prove I control an email in order to use your wifi, if I can't use your wifi.

swores8mo ago

Some wifi networks give you a limited number of minutes online during which you need to click a verification link they've emailed you in order to not get cut off.

ethagnawlOP8mo ago

That's a great point. I guess I'm so conditioned to various 2FA methods that I take some amount of access (i.e. mobile) for granted.

aembleton8mo ago

Use *@example.com, it usually works.

j / k navigate · click thread line to collapse