"That email address is invalid"
September 16, 2020 8:49 AM   Subscribe

Can an email signup form detect my real address?

I want to access something being offered for free, but don't want to give out my email address. I've entered multiple plausible, fake addresses (ones I'm sure no one else is using!) but each time I get this 'invalid' message.

I'm wondering if a website can somehow tell what my real email is to know it's not what I'm entering. Or, maybe there's some interference with my adblocker / browser / plugins, or ??
posted by dancing leaves to Computers & Internet (17 answers total) 3 users marked this as a favorite
What are some of the fake addresses you’ve used?
posted by mr_roboto at 8:52 AM on September 16 [1 favorite]

I don’t think there’s any way it can know your real address (or at least any simple way that a signup form would plausibly implement). It’s more likely that whatever method you’re using to come up with the fake addresses looks obviously faked — for example, the form may have a whitelist of allowed domains, or a blacklist of special characters. For example, even though the + character is technically allowed in email addresses according to the spec, many web forms disallow it because it can be used to create “throwaway” email accounts.
posted by mekily at 9:00 AM on September 16 [5 favorites]

There are definitely web forms that can tell fake domains that people frequently use like jessamyn@example.com or jessamyn@mailinator.com and, of course, can tell if a top-level domain isn't valid.
posted by jessamyn at 9:01 AM on September 16 [4 favorites]

Usually the "valid email address" verification will look for:
[numbers and letters] [@ symbol] [numbers and letters] [top level domain such as .com]
test@example.com = valid
!"£@example.co.uk.com = invalid
Occasionally the validation will be badly programmed so it rejects certain things in email address which are legitimate (an example is the + symbol is valid in email addresses, but some sites won't accept it). The form might also just be broken and rejecting any email address.

If you don't want to give them your real email address, you could either sign up for a new free email address that you never check again, or if you use Gmail, use a "+ address" that you then add a filter for to delete anything sent to that address.
posted by EndsOfInvention at 9:01 AM on September 16 [1 favorite]

Most sites have filters that will make sure the email address is shaped like a proper email address -- some characters, an @, some characters with at least one dot with at least a couple characters after it.

Beyond that, they may put additional filtering based on patterns of sketchy email addresses they've seen used before. Maybe they block specific words or combinations of letters, specific email domains, etc.

For example, they might block bill@microsoft.com because people seem to like to use that as a fake email address. Or anything with homer.simpson in it (there are a lot of Homer Simpsons in the user database at my work). Or anything that's got a swear word in it. Or anything with a .ru domain. Or anything with a + because they know about the gmail thing and think you're using it to ignore their emails.

I suspect you just need to give a more normal-looking fake email address.
posted by katieinshoes at 9:05 AM on September 16 [1 favorite]

You might have luck with something like https://temp-mail.org which creates a real, temporary email address. It's likely whatever free thing you want is going to be delivered by email anyway, if it's digital, so you'll want to see the message.
posted by SansPoint at 9:07 AM on September 16 [1 favorite]

No, there's no such thing. Some places, particularly when they're only interested in people's business e-mail addresses, will block gmail/hotmail/etc. entirely.
posted by Candleman at 9:21 AM on September 16 [1 favorite]

The Web site can both validate the format of the e-mail address you entered (as @EndsOfInvention mentioned) and authenticate the address to be sure it represents a real mailbox. If I need a fake address, I just make one up using the mailinator.com domain (e.g., john@mailinator.com).
posted by davcoo at 9:23 AM on September 16 [1 favorite]

What folks are saying above is true: many sites are programmed to look at your email and guess whether it's valid using a variety of rules.

However it's also the case that SMTP (send mail transfer protocol) can be used to verify an email recipient is valid. It's like calling up the receptionist at an office building and saying "Oh hi, I'm looking for a Jenny Smith, does she work there?" Here's me talking to the SMTP server where jennysmith has her email:

RCPT TO:aaaaa
550 5.1.1 aaaaa... User unknown
RCPT TO:jennysmith
250 2.1.5 jennysmith... Recipient ok

The site you are trying to fool may do this validation right after you click OK, it would be plenty quick. If it's doing this, it's smarter than most websites, and you won't be able to trick it with an undeliverable address.
posted by fritley at 9:25 AM on September 16 [11 favorites]

I have been blocked from using mailinator addresses and + addresses. And at my doctor's web portal, from using my own real e-mail address. (I get the impression that medical-portal software is a special kind of awful—I couldn't even e-mail the developers because, you guessed it, their contact form rejected my e-mail address as invalid. I have a vanity domain, which probably has something to do with it. My doctor's office suggested getting a different e-mail address. /aside).
posted by adamrice at 11:08 AM on September 16 [1 favorite]

Null@null.com has worked for me in the past.

A well-formed email address is defined in IETF RFC 822 and there are many implementations of validators that make sure your entry is well-formed. Plus the site can run a domain-name check to see if your host exists, and [edit to add] as Fritley says can ask the host if you're there.
posted by k3ninho at 11:27 AM on September 16 [1 favorite]

I've had my actual main email address rejected as not being real. It was very annoying. Apparently some people who design these things think that all real addresses are via gmail or yahoo or aol and the like.
posted by chromium at 12:10 PM on September 16

As others have said the rules for this are arbitrary and unpredictable, something I have found works surprisingly often is to use their own domain, so at a website called localpizza.com you could try back.atcha@localpizza.com
I guess most companies are reluctant to block themselves.
The fact that they then get to deal with their own spam is also a nice bonus.
posted by Lanark at 12:21 PM on September 16 [11 favorites]

Yeah, just sign up for a free email account that you use exactly for this purpose.
posted by number9dream at 1:44 PM on September 16

fritley is mostly right, but many places turn off that 'RCPT TO' valid user check as it's seen as a security hole, so it depends on the server. They can at least do the DNS MX record lookup for the domain name to prove that the domain actually has a mail server, and they could cache that the domain is valid pretty easily.

So, checking that the bit after the '@' is a real place that accepts mail is easy. Checking that the bit before the '@' is a bit iffy. They're at least probably doing the 'looks like an email' regex check (and probably doing it wrong). They might be trying the whole do the connection and checking the 'RCPT TO' and the server you chose has that turned on and gives the 550 'User unknown' error. Other servers will answer 250 'Recipient ok' even to a non-existent user. YMMV.
posted by zengargoyle at 8:42 PM on September 16

To answer your question more directly: websites have no way of knowing that an email address is one that belongs to you without you telling them somehow. The only way for them to verify ownership of an email address is to send a verification email to the email address.

That said, if they're asking for an email address to use for signing up, then they likely want to send email to that address, and it's very possible that they send a verification email to activate the account. If you're using a fake email address, and the website tries to send a verification email to it, the mail server will reply with an error response, and it's easy for the service to detect that. You'll likely need a real email address of some sort; either a burner address like what mailinator gives you (as suggested above), or a new email account from an email provider like GMail that you only use for this site should work.
posted by Aleyn at 9:00 PM on September 16

It's quite possible the "get this thing free!" site you were signing up for is a scam and would also tell you your entirely valid email address was wrong.

For me, when I want to give a fake-but-plausible email address I use nobody@website.com, where website is the place I'm signing up for. A smart filter could realize that's fake but it seems to work 99% of the time. The nice thing here is I'm only costing the website itself resourecs; the mail will be delivered to their own server. And nobody is usually hardwired to just throw the mail away, so it doesn't really cause anyone any problems.
posted by Nelson at 8:10 AM on September 17

« Older What Are the Kids Designing These Days?   |   Wikipedia pages that are recognizable (but not... Newer »

You are not logged in, either login or create an account to post comments