
PHP – How to Detect Spam/Disposable e-mail

The web is filled with bots (the majority of traffic comes from them, according to Cloudflare). Bots and malicious users tend to use disposable e-mail addresses or untrustworthy providers to do all sorts of things that cause admins a huge headache. These addresses, however, share common tactics and characteristics, which makes it possible to filter out the majority of them.

In this tutorial, I’ll share how I personally made a simple checker, with the help of an open source project I found on GitHub, to filter out spam providers and save you from the headache of finding and deleting spam accounts.

Email Validation Steps

1. Basic Email Format Validation

Before checking whether an email is disposable, you should first verify that it is in a valid format. This can be done using PHP’s filter_var function with the FILTER_VALIDATE_EMAIL filter.

$email = 'user@example.com';
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
    echo "The email address is invalid.";
    return;
}

2. Extract Email Domain

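Once you have a valid email format, extract the domain part of the email address. This is done by taking everything after the last “@” character and lowercasing it, since domain names are case-insensitive.

// Take the text after the last "@" and normalise its case for later comparisons
$user_email_domain = strtolower(substr(strrchr($email, "@"), 1));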

3. DNS MX Record Check

A legitimate email domain should have MX (Mail Exchange) records that indicate it is configured to receive emails. The checkdnsrr function can be used to verify this.

if (checkdnsrr($user_email_domain, 'MX') === false) {
    echo "The email is likely disposable or the domain is not configured for email.";
    return;
}

4. Check for SPF Records

SPF (Sender Policy Framework) records are an additional layer of verification that can help identify if the email domain is protected against spoofing, which is often associated with spam emails.

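// dns_get_record() returns false on failure, so fall back to an empty list
$txt_records = dns_get_record($user_email_domain, DNS_TXT) ?: [];
$spf_found = false;
foreach ($txt_records as $record) {
    // An SPF record is a TXT record that begins with "v=spf1"
    if (preg_match('/^v=spf1(\s|$)/i', $record['txt'] ?? '')) {
        $spf_found = true;
        break;
    }
}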
if (!$spf_found) {
    echo "The email is likely disposable as it lacks an SPF record.";
    return;
}

5. Check Against Disposable Email List

The final step is to check if the domain of the email address is listed in a database or list of known disposable email providers. This can be done by fetching a list from a trusted source or using an API service.

// Assuming you have a list in a variable $disposableEmailDomains
if (in_array($user_email_domain, $disposableEmailDomains)) {
    echo "The email is likely disposable.";
    return;
}

6. Concluding the Check

If the email address passes all the above checks, it can be considered likely legitimate.

echo "The email is likely legit.";

Practical Considerations

  • Error Handling: Always include error handling for network operations and external file access. This ensures your script doesn’t break unexpectedly and provides feedback to the user.
  • Real-time List: For the disposable email list, consider using a real-time API if possible, as lists can quickly become outdated.
  • Performance: Be mindful of the performance implications when accessing external resources, such as DNS queries and remote files. These operations can slow down your application.
  • User Privacy: While checking for spam or disposable emails, ensure you do not inadvertently expose user data or violate privacy policies.
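
The performance and error-handling points above, as an added example that is not part of the original tutorial: the list is downloaded at most once per day into a local cache, loaded into a set for fast lookups, and matched against parent domains as well. The function names, cache path and TTL are assumptions, and the sample list is constructed.

```php
<?php
// Added example, not the tutorial's code. Function names, cache path and TTL are assumptions.
const LIST_URL = 'https://raw.githubusercontent.com/wesbos/burner-email-providers/master/emails.txt';

// Turn the raw list text into a set (domain => true) for constant-time lookups.
function parseDomainList(string $text): array
{
    $set = [];
    foreach (preg_split('/\R/', $text) as $line) {
        $domain = strtolower(trim($line));
        if ($domain !== '') {
            $set[$domain] = true;
        }
    }
    return $set;
}

// Return the list text, downloading at most once per $ttl seconds.
// On download failure a stale cached copy is used; null means no list is available.
function loadListText(string $cacheFile, int $ttl = 86400): ?string
{
    $fresh = is_file($cacheFile) && (time() - filemtime($cacheFile)) < $ttl;
    if (!$fresh) {
        $ctx = stream_context_create(['http' => ['timeout' => 5]]);
        $body = @file_get_contents(LIST_URL, false, $ctx);
        if ($body !== false && $body !== '') {
            file_put_contents($cacheFile, $body, LOCK_EX);
            return $body;
        }
    }
    $cached = is_file($cacheFile) ? file_get_contents($cacheFile) : false;
    return $cached === false ? null : $cached;
}

// True if the domain or any parent domain is listed (a.b.example -> b.example).
function isDisposableDomain(string $domain, array $set): bool
{
    $labels = explode('.', strtolower(rtrim($domain, '.')));
    while (count($labels) >= 2) {
        if (isset($set[implode('.', $labels)])) {
            return true;
        }
        array_shift($labels);
    }
    return false;
}

// Constructed sample list so the matching logic runs offline.
$set = parseDomainList("burner.example\nTempMail.Example\n\n");
var_dump(isDisposableDomain('mx1.burner.example', $set), isDisposableDomain('example.org', $set));
```

In a real sign-up handler the set would come from parseDomainList() applied to the result of loadListText(), with a null result handled explicitly so that a missing list is not mistaken for a clean address.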

Example PHP Script with Explanations

Here’s a simplified version of what the entire script might look like, with explanations for each part:

<?php

function checkemail() {
    // Display the email input form
    ?>
    <form method="post" action="">
        <input type="text" name="email" placeholder="Enter E-mail" required>
        <button type="submit">Check</button>
    </form>
    <?php

    // Check if the form has been submitted
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        // Get the submitted email; treat missing or non-string input as empty
        $email = $_POST['email'] ?? '';
        if (!is_string($email)) {
            $email = '';
        }

        // Escape once for all HTML output below; echoing raw input would be reflected XSS
        $safe_email = htmlspecialchars($email, ENT_QUOTES, 'UTF-8');

        // Validate the email format
        if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
            echo "<h2>$safe_email is an invalid e-mail.</h2><br>";
            return;
        }

        // Extract the domain (text after the last "@"), lowercased for comparison
        $user_email_domain = strtolower(substr(strrchr($email, "@"), 1));

        // Perform MX record check
        if (checkdnsrr($user_email_domain, 'MX') === false) {
            echo "<h2>$safe_email is likely disposable.</h2><br>";
            return;
        }

        // Perform SPF record check (dns_get_record() returns false on failure)
        $txt_records = dns_get_record($user_email_domain, DNS_TXT) ?: [];
        $spf_found = false;
        foreach ($txt_records as $record) {
            // An SPF record is a TXT record that begins with "v=spf1"
            if (preg_match('/^v=spf1(\s|$)/i', $record['txt'] ?? '')) {
                $spf_found = true;
                break;
            }
        }
        if (!$spf_found) {
            echo "<h2>$safe_email is likely disposable due to missing SPF record.</h2><br>";
            return;
        }

        // Fetch the list of disposable email domains (please contribute to the GitHub project!)
        $url = 'https://raw.githubusercontent.com/wesbos/burner-email-providers/master/emails.txt';
        // A timeout keeps a slow download from hanging the request. 'ignore_errors' is not set,
        // so an HTTP error makes fopen() fail and reach the error branch below instead of
        // having an error page read as if it were the list.
        $context = stream_context_create(['http' => ['timeout' => 5]]);
        $handle = @fopen($url, 'r', false, $context);

        if ($handle) {
            // Read the list line by line
            while (($line = fgets($handle)) !== false) {
                // Clean up the line and normalise its case
                $blockedDomain = strtolower(trim($line));

                // Check if the email domain matches a disposable domain
                if ($user_email_domain === $blockedDomain) {
                    echo "<h2>$safe_email is likely disposable.</h2><br>";
                    fclose($handle);
                    return;
                }
            }
            fclose($handle);
        } else {
            echo "Error accessing the disposable email list.<br>";
            return;
        }

        // If all checks pass, the email is likely legitimate
        echo "<h2>$safe_email is likely legit.</h2><br>";
    }
}

// Call the function to start the process
checkemail();

?>

This script encapsulates the entire process within the checkemail function and outputs messages to the user based on the results of each check. It’s important to note that the actual implementation of fetching the disposable email list and handling potential issues with network requests should be carefully managed to ensure the script’s reliability and security.
