I manage an external-facing community where I moderate all the registration applications. We do this to make sure the people in the community are there to discuss scientific and technical questions, and to make it difficult for competitors to see somewhat sensitive content. We require that everyone uses their real name and institution (company,university, research institute, etc., including "unaffiliated" or "independent").
Lately we've been getting a lot of applications from China using generic email addresses like firstname.lastname@example.org. Does anyone else see these? Are these a sure sign of spam, or are they legitimate?
Some in our company would like us to reject any application with a non-institutional email address. However, many people like to use generic accounts (gmail, yahoo, qq.com and 126.com) to manage their email streams and maintain relationships that outlast one's affiliation with an employer or school. Most of these applications look perfectly legitimate, but I can't tell from their email addresses alone whether their email actually belongs to the person with the other data.
What I've been doing so far is sending a request to verify the applicant's identity by replying from an from an institutional email account. If I can find an entry for them on their institution's website, I'll often send them a "did you register for our site?" query to that known-genuine address. If they send me a reply from (their name)@(institution).cn, then I figure it's probably OK. Not NSA-secure, but we have to balance security with convenience.
For some of our Chinese customers, the applicants are telling me their company or school is not providing them an institutional account - they ONLY have personal email accounts, and they only have ones with very generic names, like (10-digit-number)@126.com. Today I even received an email from (10-digit-number)@(university url).cn, which didn't help me much. If true, this looks like a cultural norm that we were't prepared for and now have to figure out. If they're just scamming, I'd like to know if this is a common ploy.
How do we know registrants really are who they say they are? This process has become an existential dilemma for me.
Any insights would be appreciated. Thanks.