ethagnawl 4 days ago

This reminds me: I've noticed that Starbucks now requires a few pieces of information to use their WiFi network. One is email and they are doing some sort of validation which will reject emails like whoopsileanedonxxxxxxxx@aol.com but will accept other, legit AOL emails. How are they deciding what is/not a valid email? Are they using a compiled list of emails that have been seen in the wild? What if it's a brand new address, though? Presumably AOL isn't exposing a service for them to use in realtime. I haven't tested this extensively or with other providers.

It's obvious that they care (to some extent) that they're getting valid emails, so why not use a basic regex on the FE and an OTP which gets sent to the provided address?

codedokode 4 days ago | parent | next [-]

They can connect to a mail server and pretend that they are going to send a message and the server would reject the invalid recipient email.

ethagnawl 4 days ago | parent [-]

I had no idea this was possible. This sounds almost like an HTTP OPTION request. I'd love to find an example of client code which does this.

brk 4 days ago | parent [-]

You're looking for the SMTP VRFY and EXPN commands. However, implementation is very hit-or-miss. In the good ole' days of the internet, VRFY was widely implemented. Then spammers realized they could connect to a mailserver and do a form of a VRFY dictionary attack to find valid addresses, so it stopped being supported.
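
The mail-server side of the probing described in the comments above, as an added example that is not part of any comment in this thread: it scans a receiving server's SMTP command log for clients that test many recipients and never send a message. The log format, the function name `find_harvesters`, the thresholds and the sample lines are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in a made-up format: "<client ip> <SMTP command> -> <reply code>"
SAMPLE_LOG = """\
203.0.113.7 VRFY alice -> 252
203.0.113.7 MAIL FROM:<probe@example.net> -> 250
203.0.113.7 RCPT TO:<alice@example.com> -> 550
203.0.113.7 RCPT TO:<bob@example.com> -> 250
203.0.113.7 RCPT TO:<carol@example.com> -> 550
203.0.113.7 RCPT TO:<dave@example.com> -> 550
203.0.113.7 QUIT -> 221
198.51.100.20 MAIL FROM:<news@example.org> -> 250
198.51.100.20 RCPT TO:<bob@example.com> -> 250
198.51.100.20 DATA -> 354
198.51.100.20 QUIT -> 221
198.51.100.33 MAIL FROM:<typo@example.org> -> 250
198.51.100.33 RCPT TO:<bobb@example.com> -> 550
198.51.100.33 RCPT TO:<bob@example.com> -> 250
198.51.100.33 DATA -> 354
"""

LINE = re.compile(r"^(\S+) (VRFY|EXPN|MAIL FROM|RCPT TO|DATA|QUIT)\b.*? -> (\d{3})$")

def find_harvesters(log, min_probes=4, max_reject_ratio=0.5):
    """Return {client_ip: stats} for clients whose traffic looks like address probing."""
    stats = defaultdict(lambda: {"probes": 0, "rejected": 0, "data": 0})
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip anything that is not in the constructed format
        ip, verb, code = m.group(1), m.group(2), int(m.group(3))
        if verb in ("VRFY", "EXPN", "RCPT TO"):
            stats[ip]["probes"] += 1
            # A 5xx reply tells the client the address does not exist.
            # 252 (VRFY disabled) reveals nothing, so it is not counted.
            if code >= 500:
                stats[ip]["rejected"] += 1
        elif verb == "DATA":
            stats[ip]["data"] += 1
    flagged = {}
    for ip, s in stats.items():
        if s["probes"] < min_probes:
            continue  # a single typo followed by a retry is normal mail traffic
        ratio = s["rejected"] / s["probes"]
        # Many recipient checks with no message body, or mostly rejected guesses
        if s["data"] == 0 or ratio > max_reject_ratio:
            flagged[ip] = dict(s, reject_ratio=round(ratio, 2))
    return flagged

if __name__ == "__main__":
    print(find_harvesters(SAMPLE_LOG))
```

A server that answers 250 to every RCPT TO and rejects later gives such clients nothing to count, which is the same reason VRFY is commonly answered with 252.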

toast0 4 days ago | parent | prev | next [-]

> why not use a basic regex on the FE and an OTP which gets sent to the provided address?

I can't prove I control an email in order to use your wifi, if I can't use your wifi.

swores 4 days ago | parent | next [-]

Some wifi networks give you a limited number of minutes online during which you need to click a verification link they've emailed you in order to not get cut off.

ethagnawl 4 days ago | parent | prev [-]

That's a great point. I guess I'm so conditioned to various 2FA methods that I take some amount of access (i.e. mobile) for granted.

aembleton 4 days ago | parent | prev [-]

Use *@example.com, it usually works.