| Project: | Disposable e-mail protection |
| Version: | 6.x-1.0 |
| Component: | Code |
| Category: | bug report |
| Priority: | critical |
| Assigned: | advseb |
| Status: | closed (fixed) |
Issue Summary
Paradoxically, this module prevents registration of disposable email addresses, but enables anyone to harvest and spam (un)disposable email addresses.
According to the official documentation (http://undisposable.org/docs.htm) the API allows checking against the online disposable hosts blacklist via the following functions:
email addresses: http://www.undisposable.net/services/{$service_name}/isDisposableEmail/?email={$param_value}
hosts (domain names): http://www.undisposable.net/services/{$service_name}/isDisposableHost/?host={$param_value}
Whenever the function 'isDisposableEmail' is called, the module should isolate the host (domain name) from the email address param_value and use that domain name to call the 'isDisposableHost' function instead. This prevents email addresses (mailbox names) from being sniffed whenever the API is being used. NB: Currently, any (unauthorized) user can intercept (and thus harvest and spam) any untested email addresses from the request addresses whenever a function other than 'isDisposableHost' is being used, as the API is NOT encrypted!
Comments
#1
The service stopped working. The module is currently in the process of getting ported to another service provider (http://www.block-disposable-email.com/). An initial version for Drupal 6 was just added to git and a dev release will show up on the project page within 24 hours.
The new version of the module only submits the domain name of the email address to the external service, but not the complete email address. This should fix the point raised in this issue.
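The domain-only lookup requested in the issue summary and described in comment #1, as an added example that is not the module's own code. The function names and the `SERVICE_NAME` value are hypothetical, the URL pattern is the one quoted in the issue, and the script only builds the request URL without sending it.

```php
<?php
// Added example; function names are hypothetical, not the module's own.
// Return the lowercased host of an address, or NULL. The mailbox name
// (local part) is dropped here and never reaches the request URL.
function example_extract_host($email) {
  $email = trim($email);
  // Split on the LAST "@": a quoted local part may itself contain "@".
  $at = strrpos($email, '@');
  if ($at === FALSE || $at === 0) {
    return NULL;
  }
  $host = strtolower(rtrim((string) substr($email, $at + 1), '.'));
  // Accept only dot-separated letter/digit/hyphen labels.
  $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
  if (!preg_match('/^(?:' . $label . '\.)+' . $label . '$/', $host)) {
    return NULL;
  }
  return $host;
}

// Build the isDisposableHost URL from the pattern quoted in the issue.
// $service_name stands for the {$service_name} placeholder on the page.
function example_host_lookup_url($email, $service_name) {
  $host = example_extract_host($email);
  if ($host === NULL) {
    return NULL;
  }
  return 'http://www.undisposable.net/services/' . rawurlencode($service_name)
    . '/isDisposableHost/?host=' . rawurlencode($host);
}

// Constructed sample addresses, including malformed ones.
$samples = array(
  'Alice.Smith@Example.COM',
  '"odd@local"@mail.example.org',
  'no-at-sign',
  'bob@',
);
foreach ($samples as $address) {
  $url = example_host_lookup_url($address, 'SERVICE_NAME');
  if ($url === NULL) {
    echo "$address => rejected, nothing sent\n";
    continue;
  }
  // The local part must not appear anywhere in the outgoing URL.
  $local = substr($address, 0, strrpos($address, '@'));
  echo "$address => $url (local part leaked: "
    . (stripos($url, $local) !== FALSE ? 'yes' : 'no') . ")\n";
}
```

The request would still travel over plain HTTP, so an observer on the path sees which domain was checked but not the mailbox name.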