Comment

Yeah I agree that one seems silly on the surface but for their specific situation I understand why: services like Gmail allow using a + to create faux-labels. So for example foo@gmail, foo+bar@gmail, and foo+baz@gmail all get delivered to the same account. For change.org that’s a problem because it allows a single email account to fill out the form many times.

Ideally, they would simply truncate everything after and including those symbols but it’s possible other services have different rules (maybe yahoo let’s you pretend faux-tags instead of appending them, or something like that) so simply blocking their use altogether could be the more robust solution

source

Sort:hotnew top

hemko@lemmy.dbzer0.com ⁨5⁩ ⁨months⁩ ago
Eh, honestly I think blocking plus addressing as a workaround to block people from using multiple identities on the site is very weak argument and ignores completely the reason plus addeesses are being used in the first place, tagging.

And the addition of “-” just tells they don’t really know what they’re doing, considering it’s not only valid but also very common symbol in email addresses

source
- neatchee@lemmy.world ⁨5⁩ ⁨months⁩ ago
  I don’t think the reason they’re being used is relevant to their problem though. “Think like an attacker” wins the day here: as an attacker, I don’t care what it’s meant for, only how I can use it to my advantage. If it’s something they observed as a problem, I understand why they would want to stop it.
  
  As for “-”, yeah, I don’t have a particularly good explanation for that one except the assumption that it’s something similar to + addressing on a different service.
  
  source
  - bloor@feddit.de ⁨5⁩ ⁨months⁩ ago
    “-” is the default delimiter in qmail. I administer a system, where both + and - are valid recipient delimiters for historic reasons and we can’t really get rid of it.
    
    Believe me, it has caused all kinds of problems, where we have to go deep into the finer differences between aliases and virtual aliases and transport maps in postfix to route mails correctly. Especially since we have a lot of Mailinglists with - as a valid character in them.
    
    So to summarize: the assumption by changeorg is valid, however the execution seems rather flawed.
    
    source
    neatchee@lemmy.world ⁨5⁩ ⁨months⁩ ago
    Good info! Sounds like a nightmare :x
    
    Yeah, I can’t say their solution is the most elegant but it certainly makes a kind of sense when their criteria for success is “maximize participation while satisfying ‘uniqueness’ critics”
    
    source
scrion@lemmy.world ⁨5⁩ ⁨months⁩ ago
The local parts of email addresses are standardized, and there is an RFC handling subadressing as well, see RFC 5233 - it’s not like Gmail invented this behavior.

Also, RFC 5321 clearly states (2.3.11) that the local part of an email must only be interpreted by the receiving server, so that part should not be parsed, modified or mangled in any form - the assumptions poor web forms or validation libraries make these days are incredibly annoying and simply not compliant.

So no, non of your suggestions are good, let alone ideal. Ideally, people would simply implement the specs and stop making lazy and false assumptions. In the case you cited, it turns out email validation is simply not the proper tool to limit how often the form can be submitted. Similar websites use e. g. text messages.

source
- neatchee@lemmy.world ⁨5⁩ ⁨months⁩ ago
  Requiring SMS validation is a massive barrier to entry and not a viable option for a service like Change.org that relies on a certain level of participation.
  
  source
  - scrion@lemmy.world ⁨5⁩ ⁨months⁩ ago
    I’m aware of that, but let’s be honest here: social and political changes are not introduced, let alone solved, by technology.
    
    You said it perfectly: this is about business needs. I’d like to argue to make the barrier for entry even higher (tie it to a form of citizen identity) and mandate the petition must be reviewed / acted upon once it has become significant - frameworks like this do exist already in several countries.
    
    Everyone has multiple email addresses today, does that not fundamentally erode the validity of change.org as a platform for direct democracy then? I do believe this is the case, so I’d love if another website would at least stop violating already existing standards and force their erroneous interpretation of how email addresses work down our throats.
    
    source
    neatchee@lemmy.world ⁨5⁩ ⁨months⁩ ago
    Oh yeah don’t get me wrong, I think change.org as a product is hot sticky garbage. I don’t take anything they produce seriously lol
    
    source
Racle@sopuli.xyz ⁨5⁩ ⁨months⁩ ago

Gmail allow using a + to create faux-labels

I wonder how they handle gmail addresses with dots as you can put dot in anywhere and it still will redirect to your email.

I’ve setup (for few services which don’t allow + sign) emails like foobar@gmail.com, foo.bar@gmail.com, fo.o.bar@gmail.com and they all come to my inbox.

source
- 0x0@programming.dev ⁨5⁩ ⁨months⁩ ago
  IIRC Gmail interprets foo.bar, f.o.o.b.a.r and foobar as the same account (the latter).
  
  source
  - sukhmel@programming.dev ⁨5⁩ ⁨months⁩ ago
    At some point they didn’t, so I heard there are now a couple of accounts that only differ in dot and it’s not yet resolved by Google ¯\_(ツ)_/¯
    
    source
  - Racle@sopuli.xyz ⁨5⁩ ⁨months⁩ ago
    Yep, that what I was trying to say 😄 Been using that feature for years.
    
    source
- neatchee@lemmy.world ⁨5⁩ ⁨months⁩ ago
  I imagine because it can’t be used to add additional junk characters to the address, they probably just strip them out before doing their string comparison
  
  source
  - Racle@sopuli.xyz ⁨5⁩ ⁨months⁩ ago
    If they know this case. In other email services dots are usually not a junk characters.
    
    source
    neatchee@lemmy.world ⁨5⁩ ⁨months⁩ ago
    For the same of checking uniqueness it’s probably fine to just ignore them. Yeah, it sucks if johndoe@obscure.domain and john.doe@obscure.domain can’t sign the same petition but outside of the big email services I imagine that kind of collision is pretty rare
    
    source