Please use a personal email. My email is ‘mail’ @ ‘my actual name’. It does not get more personal than that

But you can’t use emails starting with mail@, admin@, support@, info@, main@, etc.

Instead they advised me (3 times) to create a personal email on a service like Yahoo, Outlook, Gmail, Orange, etc.

  • neatchee@lemmy.world · 5 months ago (edited)

    Security professional here. This is legit a good call on their part. It’s because those types of addresses won’t bounce emails but aren’t necessarily in your control; it’s very, very easy to spam those petition forms with mail@ for a million real domains without bouncing the emails, making them seem legit.

    You own your domain, obviously, so it’s really as simple as creating a forwarding/alias address of “changeorg@domain.tld”. If creating a forwarding/alias address is that much of a problem for you I suggest that you likely shouldn’t be hosting your own email in the first place.

    Your laziness isn’t a good reason to be upset with a company taking steps to reduce their security overhead significantly.

    • hemko@lemmy.dbzer0.com · 5 months ago

      They do, though, mention that “+” and “-” are also banned in the username part, which is kinda annoying.

      • eee@lemm.ee · 5 months ago

        That’s to stop people from spamming signatures with user+1@gmail, user+2@gmail, user+3@gmail, etc.

        • hemko@lemmy.dbzer0.com · 5 months ago

          You can still spam with user1@domain.tld, user2@domain.tld etc. and it takes basically no extra effort.

          • Localhorst86@feddit.de · 4 months ago (edited)

            “it takes basically no extra effort”

            I’d assume one needs to verify the email by clicking a link, so to spam user1@domain.tld, user2@domain.tld would mean you need access to those inboxes. That means you need to go through the effort to actually create those email addresses on whatever freemail service you choose, or you need to host the email server yourself and have all mails run into a catch-all inbox.
            Hosting your own email server is definitely not “basically no extra effort”, even for a lot of tech-savvy people; paying for a hosted email service using your own domain is easier, but also seems like not a good investment just to spam a petition website.

            The foo+bar@gmail.com functionality, however, is a pretty well-known tool - even by non-tech-savvy people. Even some people I know that I consider basically tech-illiterate have known this for years; they have told me when they found out about it and asked me if I was aware of this functionality.

            The first one I mentioned requires preparation, setting up email accounts or an email server; the second one is basically already set up for most email users and ready to go. The latter is therefore definitely a lot less effort to pull off.

          • alphafalcon@feddit.de · 5 months ago

            IF you already have an email domain you control.

            Calling “acquiring and setting up an email domain and configuring the mail server for wildcards” “basically no extra effort” is a bit disingenuous compared to “solve a captcha for a Gmail account”.

      • neatchee@lemmy.world · 5 months ago (edited)

        Yeah I agree that one seems silly on the surface but for their specific situation I understand why: services like Gmail allow using a + to create faux-labels. So for example foo@gmail, foo+bar@gmail, and foo+baz@gmail all get delivered to the same account. For change.org that’s a problem because it allows a single email account to fill out the form many times.

        Ideally, they would simply truncate everything after and including those symbols, but it’s possible other services have different rules (maybe Yahoo lets you prepend faux-tags instead of appending them, or something like that), so simply blocking their use altogether could be the more robust solution.

        • hemko@lemmy.dbzer0.com · 5 months ago

          Eh, honestly I think blocking plus addressing as a workaround to block people from using multiple identities on the site is a very weak argument and ignores completely the reason plus addresses are being used in the first place: tagging.

          And the addition of “-” just tells me they don’t really know what they’re doing, considering it’s not only valid but also a very common symbol in email addresses.

          • neatchee@lemmy.world · 5 months ago

            I don’t think the reason they’re being used is relevant to their problem though. “Think like an attacker” wins the day here: as an attacker, I don’t care what it’s meant for, only how I can use it to my advantage. If it’s something they observed as a problem, I understand why they would want to stop it.

            As for “-”, yeah, I don’t have a particularly good explanation for that one except the assumption that it’s something similar to + addressing on a different service.

            • bloor@feddit.de · 5 months ago

              “-” is the default delimiter in qmail. I administer a system where both + and - are valid recipient delimiters for historic reasons, and we can’t really get rid of it.

              Believe me, it has caused all kinds of problems, where we have to go deep into the finer differences between aliases and virtual aliases and transport maps in Postfix to route mails correctly. Especially since we have a lot of mailing lists with - as a valid character in them.

              So to summarize: the assumption by changeorg is valid, however the execution seems rather flawed.
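Editor's added example (not code from any commenter, nor from change.org) showing the alternative neatchee raises above and the objection hemko and bloor make: canonicalise the submitted address for duplicate detection, stripping a subaddress tag only when the domain is known to use that delimiter, so an ordinary hyphenated address such as jane-doe@example.org is neither rejected nor mangled. The delimiter table (including the hypothetical qmail-hosted domain example-qmail.tld) is an assumption constructed for the example.

```python
# Constructed table for this example: which domains treat which character as a
# subaddress delimiter. "+" is the Gmail-style tag separator discussed in the
# thread; "-" is qmail's default. example-qmail.tld is a hypothetical domain.
SUBADDRESS_DELIMITERS = {
    "gmail.com": "+",
    "googlemail.com": "+",
    "example-qmail.tld": "-",
}

# Role mailboxes the petition site refuses (the ones listed at the top of the thread).
ROLE_LOCAL_PARTS = {"mail", "admin", "support", "info", "main"}


def split_address(addr):
    """Return (local_part, domain) with a lower-cased domain; raise ValueError if malformed."""
    addr = addr.strip()
    if addr.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {addr!r}")
    local, domain = addr.split("@")
    domain = domain.lower().rstrip(".")
    if not local or not domain:
        raise ValueError(f"malformed address: {addr!r}")
    return local, domain


def is_role_account(addr):
    """True for generic mailboxes such as mail@ or admin@ that many people may read."""
    local, _ = split_address(addr)
    return local.lower() in ROLE_LOCAL_PARTS


def dedup_key(addr):
    """Canonical key for one-signature-per-mailbox checks.

    The tag is removed only when the domain is known to use that delimiter, so a
    hyphen in an address at any other domain is kept as part of the identity.
    """
    local, domain = split_address(addr)
    delim = SUBADDRESS_DELIMITERS.get(domain)
    if delim and delim in local:
        local = local.split(delim, 1)[0]
    # RFC 5321 leaves local-part case to the receiving server; folding case here
    # merges more submissions rather than fewer, which is what duplicate detection wants.
    return f"{local.lower()}@{domain}"


def count_unique_signers(addresses):
    """Number of distinct mailboxes behind a list of submitted addresses."""
    return len({dedup_key(a) for a in addresses})
```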