Tags: email, security, gmail

How to avoid registration of fake email addresses using the Gmail dot trick


Disclaimer: temporary mail providers are out of the scope of this question.

Let's say I have a simple web app example.com. And I really want my users to be unique (at least for my database IDs).

So when a user registers, the following process is done:

  • a line is inserted in the database for this user (the user can't log in because he has not verified his mail)
  • a mail is sent to the user with a link allowing him to validate his account (the link is only valid for a couple of hours)
  • when the user clicks the link (assuming it is still valid) he can now log in and perform actions

So far so good; however, a user with [email protected] could create lots of accounts (8192 according to https://thebot.net/api/gmail/).

I am aware that I could check for a Gmail address and then remove the dot(s), so this would not work. It clearly seems to be the easiest road to prevent abusive users from abusing my system.

On the other hand, there might be a lot of other mail providers using the same strategy, and filtering by provider seems kind of clumsy...

What would be the best practice for this use case without messing up user registration while keeping users unique?

Am I just taking the wrong path for this kind of validation?

Edit: an example of this kind of abuse would be a website with torrent files where you have to maintain a ratio of 1.

When you create an account, you have a ratio of 15 (as if you seeded 15 GB and downloaded 1 GB). If a user can create multiple accounts with the same email, it seems to me that this is an issue for the site.

(I recently came across a website like this which allows multiple accounts with the same mail) and I was just wondering how you guys would deal with this, hence the question.

On the other hand, Facebook, where users don't really have any advantage in having multiple accounts, does not allow multiple accounts with the same email.

I don't personally have any website that would really benefit from preventing this trick but I am curious.


Solution

  • You will not be able to uniquely identify whether two arbitrary addresses belong to the same user.

    The interpretation of the "local" part of an e-mail address (the bit before the "@" sign) is left to each mail server, so while you can know the special treatment that Gmail gives to dots, you cannot come up with a general approach for any e-mail address. Even without leaving Gmail, for instance, you have the "+" trick for different e-mails, let alone the semantics that every other mail server out there may be using. You may try to adapt as you detect abuse; however, it will quickly become a resource-expensive game of cat and mouse.

    Depending on the cost of the abuse you may decide to do nothing and live with it, implement some basic rules for the main providers or (if protecting against abuse is valuable enough) request from the user something that is finite, unique to each individual and that has a high acquisition cost. For instance you could do document verification (driver's license, passport, id card, etc.) or use their mobile to do some SMS verification (obtaining mobile numbers is more expensive than e-mail addresses).
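The "basic rules for the main providers" option from the answer, and the dot/plus collapsing the question describes, written out as an added example (this is not code from the asker or the answerer). It canonicalises Gmail addresses the way the thread describes (dots in the local part ignored, anything after "+" dropped, googlemail.com treated as gmail.com, case ignored) and deliberately leaves the local part of every other domain untouched, since its meaning belongs to that domain's mail server. The `GMAIL_DOMAINS` table, the `Registry` class and all sample addresses are assumptions constructed for the example; `dot_variant_count` only shows where a figure like the question's 8192 comes from (2^(n-1) dot placements for an n-character local part).

```python
"""Canonicalise e-mail addresses so that duplicate-account checks use one key.

Added example, not code from the original question or answer. Only the
Gmail rules named in the thread are applied; other domains keep their
local part verbatim because each receiving server defines its own semantics.
"""
from dataclasses import dataclass

# Assumption for this example: Gmail is the only provider with known rules.
# Add a domain here only after verifying how that provider treats local parts.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


@dataclass(frozen=True)
class Canonical:
    """Uniqueness key derived from an address; str() gives it back as text."""
    local: str
    domain: str

    def __str__(self) -> str:
        return f"{self.local}@{self.domain}"


def canonical_email(address: str) -> Canonical:
    """Return the uniqueness key for an address.

    Domain names are case-insensitive, so the domain is always lowercased.
    The local part is rewritten only for Gmail, where dots are ignored,
    "+tag" suffixes are aliases and case does not matter.
    """
    addr = address.strip()
    if addr.count("@") != 1:
        raise ValueError(f"expected exactly one '@' in {address!r}")
    local, domain = addr.rsplit("@", 1)
    if not local or not domain:
        raise ValueError(f"empty local part or domain in {address!r}")
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        domain = "gmail.com"                        # alias domain collapses
        local = local.split("+", 1)[0]              # drop "+tag"
        local = local.replace(".", "").lower()      # dots and case ignored
    return Canonical(local, domain)


def same_mailbox(a: str, b: str) -> bool:
    """True when both addresses map to the same uniqueness key."""
    return canonical_email(a) == canonical_email(b)


def dot_variant_count(local_part: str) -> int:
    """Number of distinct dot placements for a dot-free local part.

    Each of the n-1 gaps between characters may or may not hold a dot,
    so an n-character local part has 2**(n-1) Gmail-equivalent spellings.
    """
    n = len(local_part.replace(".", ""))
    return 2 ** (n - 1) if n > 0 else 0


class Registry:
    """Stand-in for the registration table: the canonical form is the
    unique key, the address as typed is kept for sending the verification
    link (the link still proves control of that exact mailbox)."""

    def __init__(self) -> None:
        self._by_key: dict[str, str] = {}

    def register(self, address: str) -> bool:
        """Insert the pending user; False if the mailbox is already taken."""
        key = str(canonical_email(address))
        if key in self._by_key:
            return False
        self._by_key[key] = address
        return True


if __name__ == "__main__":
    # Constructed sample addresses for the demonstration.
    reg = Registry()
    for candidate in ("john.smith@gmail.com", "JohnSmith+promo@googlemail.com",
                      "john.smith@example.com"):
        print(f"{candidate:35} -> {canonical_email(candidate)} "
              f"registered={reg.register(candidate)}")
    print("8192 variants need a local part of",
          next(n for n in range(1, 40) if dot_variant_count("x" * n) == 8192),
          "characters")
```

The key design point is the asymmetry: the canonical form is used only as the uniqueness key, never as the delivery address, so the verification mail still goes to the string the user typed and a wrong or overly aggressive rule can at worst block a registration, not route mail to someone else. For domains outside the table the function changes nothing in the local part, which keeps the check honest about the limit the answer states.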