|
| 1 | +--- |
| 2 | +title: Email Filter |
| 3 | +description: Block CAPTCHA verification requests that use suspicious email addresses, including Gmail dot/plus-tag tricks and custom regex patterns. |
| 4 | +i18nReady: true |
| 5 | +--- |
| 6 | + |
| 7 | +The Email Filter (configured under the Spam Filter in site settings) lets you reject CAPTCHA verifications whose associated email address matches suspicious patterns. It is designed to catch common signup-spam evasion techniques — particularly the Gmail dot and plus-tag tricks — while keeping false positives low. |
| 8 | + |
| 9 | +Email filtering is available to Professional and Enterprise tier customers. |
| 10 | + |
| 11 | +## Overview |
| 12 | + |
| 13 | +When a dapp calls the Prosopo verification endpoint with an optional `email` field, the email address is evaluated against the configured rules before the CAPTCHA solution is checked. If any rule matches, verification is rejected immediately. |
| 14 | + |
| 15 | +## Providing the Email Address |
| 16 | + |
| 17 | +Pass the email in the `email` field when calling the server-side verification endpoint: |
| 18 | + |
| 19 | +```json |
| 20 | +{ |
| 21 | + "secret": "your_secret_key", |
| 22 | + "token": "PROCAPTCHA-RESPONSE", |
| 23 | + "email": "USER_EMAIL_ADDRESS" |
| 24 | +} |
| 25 | +``` |
| 26 | + |
| 27 | +If no email is provided, email filter rules are skipped. |
| 28 | + |
| 29 | +## Filter Rules |
| 30 | + |
| 31 | +### Maximum Dots in Local Part |
| 32 | + |
| 33 | +Limits the number of dots allowed in the part of the email address before the `@` symbol. For example, with a limit of `2`: |
| 34 | + |
| 35 | +- `alice@example.com` — allowed (0 dots) |
| 36 | +- `a.lice@example.com` — allowed (1 dot) |
| 37 | +- `a.l.ice@example.com` — allowed (2 dots) |
| 38 | +- `a.l.i.ce@example.com` — **blocked** (3 dots) |
| 39 | + |
| 40 | +This is effective against the Gmail dot trick, where `a.l.i.c.e@gmail.com` and `alice@gmail.com` are the same Gmail inbox but appear as different addresses to most systems. |
| 41 | + |
| 42 | +Leave blank to disable the dot limit. |
| 43 | + |
| 44 | +### Default Patterns |
| 45 | + |
| 46 | +A curated set of regex patterns targeting common evasion techniques: |
| 47 | + |
| 48 | +- **Many-dots local part**: Catches addresses with excessive dots in the local part (more than 3), which are almost always evasion attempts. |
| 49 | +- **Gmail random plus-tag**: Catches addresses like `user+vkd38uoukd5@gmail.com` where a random alphanumeric suffix is appended via a plus tag. |
| 50 | + |
| 51 | +Enable with the **Apply curated default patterns** toggle. |
| 52 | + |
| 53 | +### Gmail Address Normalisation |
| 54 | + |
| 55 | +When enabled, Gmail and Googlemail addresses are normalised before evaluating custom regex patterns: |
| 56 | + |
| 57 | +1. Dots are stripped from the local part (`a.l.i.c.e` becomes `alice`) |
| 58 | +2. Plus-tag suffixes are removed (`alice+tag` becomes `alice`) |
| 59 | +3. `@googlemail.com` is rewritten to `@gmail.com` |
| 60 | + |
| 61 | +This means a single custom regex pattern like `^alice@gmail\.com$` will match all of the following: |
| 62 | + |
| 63 | +- `alice@gmail.com` |
| 64 | +- `a.l.i.c.e@gmail.com` |
| 65 | +- `alice+spam123@gmail.com` |
| 66 | +- `a.l.i.c.e+tag@googlemail.com` |
| 67 | + |
| 68 | +Normalisation only affects Gmail/Googlemail addresses. Other domains are evaluated as-is. |
| 69 | + |
| 70 | +### Custom Regex Blocklist |
| 71 | + |
| 72 | +Add your own JavaScript regular expressions to block specific email patterns. Patterns are evaluated case-insensitively against the (optionally normalised) email address. |
| 73 | + |
| 74 | +Examples: |
| 75 | + |
| 76 | +| Pattern | What it catches | |
| 77 | +|---------|----------------| |
| 78 | +| `@disposable\.tld$` | Any address at `disposable.tld` | |
| 79 | +| `^spam@` | Any address starting with `spam@` | |
| 80 | +| `@(tempmail\|throwaway)\.` | Addresses at `tempmail.*` or `throwaway.*` domains | |
| 81 | +| `^test[0-9]+@` | Addresses like `test123@...`, `test99@...` | |
| 82 | + |
| 83 | +Patterns are validated when saved: |
| 84 | +- Maximum 256 characters per pattern |
| 85 | +- Maximum 50 patterns per site |
| 86 | +- Lookahead, lookbehind, and large quantifiers are rejected to prevent regex-based denial of service |
| 87 | +- Invalid regex syntax is rejected at save time |
| 88 | + |
| 89 | +### Spam Email Domain List |
| 90 | + |
| 91 | +A separate toggle (`spamEmailDomainCheckEnabled`) checks the email domain against a maintained list of known disposable/spam email providers. This runs independently of the rules above. |
| 92 | + |
| 93 | +## Evaluation Order |
| 94 | + |
| 95 | +When the email filter is enabled and an email is provided, rules are evaluated in this order: |
| 96 | + |
| 97 | +1. **Email validity** — malformed addresses are rejected |
| 98 | +2. **Maximum dots** — if configured, checked first |
| 99 | +3. **Default patterns** — if enabled, evaluated next |
| 100 | +4. **Custom regex blocklist** — each pattern is tested in order; first match wins |
| 101 | + |
| 102 | +Evaluation stops at the first match. The rejection reason is recorded for audit purposes. |
| 103 | + |
| 104 | +## Configuration via Portal |
| 105 | + |
| 106 | +Email filter rules are configured in the [Prosopo Portal](https://portal.prosopo.io) under **Site Settings > Email Filter**: |
| 107 | + |
| 108 | +1. **Enable Spam Filter** — master toggle for all email rules |
| 109 | +2. **Email pattern rules** — sub-toggle to activate pattern matching |
| 110 | +3. **Maximum dots in the local part** — numeric input |
| 111 | +4. **Apply curated default patterns** — toggle |
| 112 | +5. **Normalise Gmail addresses before matching** — toggle |
| 113 | +6. **Custom regex blocklist** — add/remove patterns with validation |
| 114 | + |
| 115 | +All changes are saved together via the **Save All Changes** button. |
| 116 | + |
| 117 | +## Verification Response |
| 118 | + |
| 119 | +When an email rule blocks a request, the verification endpoint returns: |
| 120 | + |
| 121 | +```json |
| 122 | +{ |
| 123 | + "verified": false, |
| 124 | + "status": "API.SPAM_EMAIL_RULE" |
| 125 | +} |
| 126 | +``` |
| 127 | + |
| 128 | +Possible status codes: |
| 129 | + |
| 130 | +| Status | Meaning | |
| 131 | +|--------|---------| |
| 132 | +| `API.SPAM_EMAIL_RULE` | Email matched a custom regex pattern | |
| 133 | +| `API.SPAM_EMAIL_DOMAIN` | Email domain is on the known-spam list | |
| 134 | + |
| 135 | +## Use Cases |
| 136 | + |
| 137 | +### Stopping Gmail Dot/Plus-Tag Abuse |
| 138 | + |
| 139 | +A single Gmail account can generate thousands of apparent email addresses using dots and plus tags. To block this: |
| 140 | + |
| 141 | +1. Enable **Email pattern rules** |
| 142 | +2. Enable **Apply curated default patterns** (catches random plus-tags and excessive dots automatically) |
| 143 | +3. Set **Maximum dots** to `2` |
| 144 | +4. Enable **Normalise Gmail addresses** if you also use custom patterns |
| 145 | + |
| 146 | +### Blocking Disposable Email Domains |
| 147 | + |
| 148 | +To block known throwaway email services: |
| 149 | + |
| 150 | +1. Enable **Spam email domain checking** (uses the maintained domain list) |
| 151 | +2. Optionally add custom patterns for domains not yet on the list: |
| 152 | + ``` |
| 153 | + @(tempmail|throwaway|guerrillamail)\. |
| 154 | + ``` |
| 155 | + |
| 156 | +### Organisation-Specific Patterns |
| 157 | + |
| 158 | +If you see abuse from specific patterns unique to your service: |
| 159 | + |
| 160 | +1. Add targeted custom regex patterns |
| 161 | +2. Monitor the `API.SPAM_EMAIL_RULE` status in your verification responses |
| 162 | +3. Adjust patterns based on what you observe |
| 163 | + |
| 164 | +## Availability |
| 165 | + |
| 166 | +| Tier | Email Filter | |
| 167 | +|------|-------------| |
| 168 | +| Free | Not available | |
| 169 | +| Professional | Full access | |
| 170 | +| Enterprise | Full access | |
0 commit comments