Prevent harvesting of (un)disposable email addresses
| Project: | Disposable e-mail protection |
| Version: | 6.x-1.0 |
| Component: | Code |
| Category: | bug report |
| Priority: | critical |
| Assigned: | Unassigned |
| Status: | active |
Paradoxically, this module prevents registration of disposable email addresses, but enables anyone to harvest and spam (un)disposable email addresses.
According to the official documentation (http://undisposable.org/docs.htm) the API allows checking against the online disposable hosts blacklist via the following functions:
email addresses
http://www.undisposable.net/services/{$service_name}/isDisposableEmail/?email={$param_value}
hosts (domain names)
http://www.undisposable.net/services/{$service_name}/isDisposableHost/?host={$param_value}
Whenever the function 'isDisposableEmail' is called, the module should isolate the host (domain name) from the email address param_value and use that domain name to call the 'isDisposableHost' function instead. This prevents email addresses (mailbox names) from being sniffed whenever the API is being used. NB: Currently, any (unauthorized) user can intercept (and thus harvest and spam) any untested email addresses from the request addresses whenever a function other than 'isDisposableHost' is being used, as the API is NOT encrypted!
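
The domain-only lookup proposed in this report, as an added PHP example (not the module's code): it strips the mailbox name before building the `isDisposableHost` request, so only the domain appears in the URL. The function names and the `SERVICE_NAME` placeholder are assumptions, and internationalized domains are assumed to be already Punycode-encoded.

```php
<?php
// Added example, not the module's code. Function names are hypothetical.

/**
 * Returns the lower-cased domain part of an address, or FALSE if none is usable.
 */
function example_host_from_email($email) {
  $email = trim($email);
  // Split on the LAST '@': a quoted local part may itself contain '@'.
  $at = strrpos($email, '@');
  if ($at === FALSE || $at === 0) {
    return FALSE;
  }
  // Drop a trailing root dot and normalise case.
  $host = strtolower(rtrim(substr($email, $at + 1), '.'));
  // Accept only plain DNS labels so nothing from the mailbox name, and no
  // URL metacharacters, can end up in the outgoing request.
  if (!preg_match('/^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$/', $host)) {
    return FALSE;
  }
  return $host;
}

/**
 * Builds the isDisposableHost request URL for an address.
 * $service_name fills the {$service_name} slot of the URL pattern quoted above.
 */
function example_disposable_host_url($email, $service_name) {
  $host = example_host_from_email($email);
  if ($host === FALSE) {
    return FALSE;
  }
  return 'http://www.undisposable.net/services/' . rawurlencode($service_name)
    . '/isDisposableHost/?host=' . rawurlencode($host);
}

// Constructed sample input; SERVICE_NAME is a placeholder.
$samples = array('alice@example.com', '"odd@local"@Mail.Example.ORG.', 'no-at-sign', '@example.com');
foreach ($samples as $sample) {
  $url = example_disposable_host_url($sample, 'SERVICE_NAME');
  print $sample . ' => ' . ($url === FALSE ? 'rejected' : $url) . "\n";
}
```

The request still travels over unencrypted HTTP, so an observer sees the domain being checked, but not the mailbox name.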
