TL;DR: How often do you feel that there is something wrong with the email address of that new customer? The username and the domain look suspicious. With the new risk assessment features of the Email Verification API, you can get enough insights to make informed decisions about your users in real-time.
The Problem
There is a rising wave of abusers that sign up to services offering freemium or free-trial. Typically they want to exploit the resource you offer (compute, streaming, APIs, etc). The tension lies between converting more vs stopping these abusers.
One way to stop them, without introducing much friction, is to verify if their email is legitimate (without sending all users an email). This is what the Auth0 Signals Email Verification API provides.
What is the Auth0 Signals API?
The Auth0 Signals API is a standalone free service for the community. The service consists of an HTTP API that allows you to detect the reputation of an Email address or the IP address. The API checks the Email and/or IP address against several public denylists to evaluate its reputation. It responds with data about the originator and a score indicating the reliability level of the Email or IP address. Having this information enables you to detect malicious activities proactively.
When to use Email Verification signal?
The Email Verification signal provides a continually curated and accurate Email reputation data. It takes the hard work out of consuming Open-Source Intelligence (OSINT) by curating, parsing, and normalizing numerous denylists. Auth0 uses this data to protect its own service.
There are two main use cases for this API:
- Real-time risk assessment: Developers can embed into their code requests to the API and detect malicious activity proactively, not reactively. For example, automatically checking Email reputation during the authentication flow. With a disclaimer that it’s free, no SLA and rate limits are in place.
- Incident response and forensics: When security experts identify an incident, they begin investigation and response processes to determine if a genuine security incident occurred, its scope, and the best way to remediate the threat. The API and some assessment tools will become part of the Security professionals swiss army knife.
Auth0 Email verification signal enables all users to obtain a score that indicates the risk level of an analyzed Email address. The overall process involves an in-depth analysis of each email, combining several validation techniques based on custom-built algorithms scoring the legitimacy of an email. Clean and valid email addresses will have a neutral score. Suspicious addresses will have a negative rating: the more negative the score, the more probability of being an address with a low reputation.
How does the Email Verification API work?
First sign up in Auth0 Signals and get an API Key. If you have any doubt, you can read this short tutorial detailing all the steps The API documentation in the Auth0 Signals site explains how to use the service with or without an API Key. For example, let’s get the score for the email
test@example.com
. We will assume that example.com
is a very well known Disposable Email Address provider, so it should have a negative rating. To test the API, we will use the command curl
. The requests need two parameters: the Auth0 Signals API Key and the Email to analyze. It’s also possible to add parameters in the query string to tweak how the service works.$ curl -i -H "Accept: application/json" -H "X-Auth-Token: API_KEY" -X GET "https://signals.api.auth0.com/bademail/test@example.com"
or
$ curl -H "Accept: application/json" -X GET "https://signals.api.auth0.com/bademail/test@example.com?token=API_KEY"
the JSON response will be:
{ "response":{ ... "score":-3, "email_address":"test@example.com" }, "type":"bademail" }
We have trimmed the JSON object of the response to make this post more readable, but you can read the full JSON response in the documentation. The global score is
-3
. That’s a bad score. Let’s see how the scoring formula works in detail.The scoring formula explained
The global score or confidence score is the sum after analyzing different parameters of the Email address. These are the possible values:
- 0: Auth0 Signals is neutral about the Email address given. It means the service cannot find the Email address in any given individual service and cannot classify the Email as risky.
- -1: Auth0 Signals has detected the Email address in one of the checks.
- lower than -1: Auth0 Signals has detected the Email address in two or more checks. The lower the score, the riskier the Email.
The possible values range between -3 and 0, and there are no positive values because the algorithm does not calculate confidence levels, but rather levels of DISTRUST.
The email verification process analyzes different elements of an email address assigning a neutral or negative score for each part:
- Address: If any of these checks fail, the score of this test is -1.
- Address Syntax: This check removes improperly formatted email addresses. It must adhere to IETF standards.
- Role-Based Account: Email sent to role-based such as postmaster@, info@, sales@, admin@, etc. can negatively impact the deliverability, and even some ISPs will block them. This process detects and flags such addresses.
- Domain: test for the MX domains, and NS domains. If any of these checks fail, the score of this test is -1.
- Domain banned: The process searches the domain in different deny lists. To be a clean domain, it must not appear in any of them.
- MX domain banned: It searches the MX domains in different deny lists too. Clean MX domains must not appear in any of them.
- NS domain banned: It searches the NS domains in different deny lists too. Spammers use very well-known suspicious Nameservers, and we also can block them.
- Free Email Service: detects emails hosted by Free Email Services like (Google, Yahoo, Hotmail/Microsoft, etc.). Since this is a very aggressive option, the algorithm does not compute the result as negative, but it flags the email to help users to make a decision.
- Disposable Email Address: Throwaway/disposable email addresses, or “junk collector” email addresses" are detected and processed appropriately. It is a widespread threat indicator of bad actors using them to bypass signup forms or login forms that require a valid email address. The score for this test is -1.
- Banned Email Address: If the Email address belongs to some of our Email Abuse deny lists, then the score for this test is -1.
- SMTP Verification: Performs deep-level extended SMTP verifications on the email address. The process pings the addresses for mailbox existence without sending an actual email to the inbox. It will also check the validity of the MX records and will test if the server implements a catch-all policy. The score for this test is -1 for any of them.
- Lookup IP in OSINT deny lists: The algorithms check the email addresses and IP addresses against known DNSBLs and RBL to trap spam networks. The score for this test is -1 for any of them.
Using the Email Verification API in your application
It’s perfectly fine to use the API in your own services. If you are a developer, here goes some hints to get the most of the Email verification service:
- You can verify 4,000 emails in a 24-hour range. Use your quota wisely.
- The global score or confidence score should be considered an important signal. Still, we strongly recommend reviewing the different individual scores as you process production traffic to better understand the email address's reputation for your use case. Our general-purpose scoring formula can be too generic for some use cases.
- You can ignore the global score and focus on individual tests. For example: if you want to detect emails from Free Email providers, you can check the
object in the JSON and ignore the rest of the response.freemail
- Have a look at the Querystring parameters. This can help you adjust the results to your specific needs.
- Auth0 Signals is free for all and offered 'as is' with no SLA. This means you should make your code resilient in case the API stops responding.
- For production-grade usage use the Auth0 service that includes Signals built-in.
The Email Verification tools: Slack Bot
The Signals Slack Bot is a new tool built on top of the Signals API for Cybersecurity Professionals, SecOps, analysts, and forensics teams willing to use the bot to get the most of the API without having to write a single line of code. The tool uses the Email Verification and IP Reputation APIs combined with some interactive features to drill down on the data. The installation is very straightforward following the instructions on our community site.
Once the Slack Bot is installed and configured, any member of the Slack workspace can go to the SignalsBot in the Apps section and click on the Messages tab at the right-hand side of Home and execute the
email
(lowercase) command with the email to analyze:Summary
The Email Verification API is a powerful tool to prevent and mitigate sign-up and sign-in abuse at different stages. If the API integrates with the existing authentication workflow it can help to detect potential low-quality users. When the API or the tools are in the hands of Security professionals it can help SecOps teams perform threat intelligence duties more effectively. Be sure to check out the documentation for more details.
Join the community!
Check out the Auth0 Signals community. Go there to interact with other security professionals, get help on incident response actions, or learn more about digital abuse.
About the author
Diego Parrilla
Security Software Architect at OCTO