Students should not be able to signup with a fake email #270

Closed
franzmoro opened this issue Dec 23, 2016 · 14 comments

@franzmoro
Contributor

franzmoro commented Dec 23, 2016

Currently a student can sign up with any email (even non-existing emails).
Do we want to prevent this? update: We should check for fake emails first

For lecturers this won't be an issue, as they need to verify with their email.
update: fake lecturer emails will affect our email service

@iteles
Collaborator

iteles commented Dec 23, 2016

@franzmoro @sohilpandya It's important that students can sign up with any domain email, but fake emails will kill our email service! Please see the comment here: #248 (comment)

Please speak to @roryc89 about whether we can re-use his bounce rate checker and blocker.

@iteles iteles assigned sohilpandya and franzmoro and unassigned stianr Dec 23, 2016
@sohilpandya
Contributor

We can try to use the following module to help us determine whether an email is valid or not - https://github.com/nmanousos/email-existence

This would help with bounce rates.

The idea would be to reject the signup process if the email does not exist according to the module.

3 Hours

@franzmoro franzmoro changed the title Student signup emails (is any email ok?) Students should not signup with a fake email Dec 23, 2016
@franzmoro franzmoro changed the title Students should not signup with a fake email Students should not be able tosignup with a fake email Dec 23, 2016
@franzmoro franzmoro changed the title Students should not be able tosignup with a fake email Students should not be able to signup with a fake email Dec 23, 2016
@iteles
Collaborator

iteles commented Dec 23, 2016

@sohilpandya Beware of nmanousos/email-existence#28

@sohilpandya
Contributor

@iteles ahh, definitely not a reliable module...

@sohilpandya
Contributor

sohilpandya commented Dec 23, 2016

An alternative that has been suggested (after having a chat with Rory):

  • Keep track of all the emails that have been bounced by SES, blacklist these emails and don't allow them to register using the same email again.

We feel that there is a lot of work involved for this to take place. We are not thinking of solving this issue by going down this avenue.

@franzmoro
Contributor Author

franzmoro commented Dec 23, 2016

There are email verification services, such as mailboxlayer.

The free version allows up to 1,000 requests / month.
In future this might get us asking what would/should happen after the 1,000 signups mark (i.e. we don't check for them anymore, otherwise the whole signup service would go down), but we are still talking of 1,000 monthly user signups.

We need to bypass the usage of this API in our tests (e.g. mock it) so that we don't consume it.

The upgrade to 10,000 monthly requests (user signups) costs $9.99 / month.

@sohilpandya
Contributor

I've done some quick research and found that AWS SES keeps to a 5% bounce rate. That means for our account, which has a limit of 50,000 emails/day, the number of emails that will have to bounce before our account is put under probation is 2500.

I don't think that we need to implement any of the two options that we have been discussing above.

@franzmoro
Contributor Author

franzmoro commented Dec 23, 2016

This leaves us with:

  • flawed logic in our server. A bounced email should not lead to a user signup.
  • an error message shall be displayed in the front end
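
The two server-side rules discussed in this thread (blocking addresses that SES has already bounced, and not creating a user when the email could not be sent), sketched together as an added example; it is not this project's code. The callback-style `sendEmail`, the in-memory stores and all function names are assumptions, and the bounce notification is constructed sample data in the SES notification format.

```javascript
// Added example; all names and the callback-style mailer are assumptions.
const suppressed = new Set(); // in-memory stand-in for a persistent table
const users = new Map();

// Lower-casing the whole address is a simplification used for matching.
const normalise = (email) => String(email).trim().toLowerCase();

// Takes the SES notification JSON (the "Message" body of the SNS delivery)
// and records recipients of permanent bounces only; transient ones may recover.
function recordBounce(rawMessage) {
  let msg;
  try { msg = JSON.parse(rawMessage); } catch (err) { return []; }
  const bounce = msg && msg.notificationType === 'Bounce' ? msg.bounce : null;
  if (!bounce || bounce.bounceType !== 'Permanent') return [];
  const recipients = Array.isArray(bounce.bouncedRecipients) ? bounce.bouncedRecipients : [];
  const added = [];
  for (const r of recipients) {
    if (r && typeof r.emailAddress === 'string') {
      const address = normalise(r.emailAddress);
      suppressed.add(address);
      added.push(address);
    }
  }
  return added;
}

// The account is created only inside the mailer's success callback, so a
// rejected send or a previously bounced address never yields a user record.
function signup(email, sendEmail, done) {
  const address = normalise(email);
  if (suppressed.has(address)) return done(new Error('address previously bounced'));
  if (users.has(address)) return done(new Error('already registered'));
  sendEmail(address, (err) => {
    if (err) return done(new Error('could not send email to this address'));
    users.set(address, { email: address, verified: false });
    done(null, users.get(address));
  });
}

// Constructed sample in the shape of an SES bounce notification.
const sampleBounce = JSON.stringify({
  notificationType: 'Bounce',
  bounce: {
    bounceType: 'Permanent',
    bouncedRecipients: [{ emailAddress: 'Ghost@Example.com' }]
  },
  mail: { destination: ['Ghost@Example.com'] }
});
```

A successful send only means the message was accepted for delivery; bounces arrive later as notifications, which is why the suppression list is checked before sending.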

franzmoro added a commit that referenced this issue Dec 23, 2016
added dependency as well

related #270
franzmoro added a commit that referenced this issue Dec 23, 2016
back-end asynchronous sendemail bug-fix, use correct redux store in front-end

related #270
@franzmoro
Contributor Author

franzmoro commented Jan 3, 2017

@iteles, although it has a "technical" label, someone should probably user-test this issue, right? (@sohilpandya and I have, but best if someone else does too)

@iteles iteles removed the technical label Jan 6, 2017
@iteles
Collaborator

iteles commented Jan 6, 2017

@franzmoro You're right, this is testable by our PO, so he should test it when it is ready!

@hhsadiq

hhsadiq commented Jan 23, 2017

@sohilpandya @franzmoro Hey guys, can you tell how you guys were able to solve this issue (besides using a paid service)? I am working on a similar task and want to figure out fake/non-existing emails. Currently playing around with email-verify, but it's causing some issues.

@sohilpandya
Contributor

@hhsadiq thanks for taking a look, we use the validator module for checking invalid emails :) https://www.npmjs.com/package/validator

@vergun

vergun commented Jan 25, 2017

@hhsadiq

@iteles
Collaborator

iteles commented Feb 25, 2017

Closing this technical issue, resolved as per the above 👍

@iteles iteles closed this as completed Feb 25, 2017