4 Replies Latest reply on Nov 12, 2015 6:32 AM by socketz

    How do we know registrants really are who they say they are?

    jkurutz

      Hi all,

       

      I manage an external-facing community where I moderate all the registration applications. We do this to make sure the people in the community are there to discuss scientific and technical questions, and to make it difficult for competitors to see somewhat sensitive content. We require that everyone uses their real name and institution (company, university, research institute, etc., including "unaffiliated" or "independent").

       

      Lately we've been getting a lot of applications from China using generic email addresses like 319883245@qq.com. Does anyone else see these? Are these a sure sign of spam, or are they legitimate?

       

      Some in our company would like us to reject any application with a non-institutional email address. However, many people like to use generic accounts (gmail, yahoo, qq.com and 126.com) to manage their email streams and maintain relationships that outlast one's affiliation with an employer or school. Most of these applications look perfectly legitimate, but I can't tell from their email addresses alone whether their email actually belongs to the person with the other data.


      What I've been doing so far is sending a request to verify the applicant's identity by replying from an institutional email account. If I can find an entry for them on their institution's website, I'll often send them a "did you register for our site?" query to that known-genuine address. If they send me a reply from (their name)@(institution).cn, then I figure it's probably OK. Not NSA-secure, but we have to balance security with convenience.

       

      For some of our Chinese customers, the applicants are telling me their company or school is not providing them an institutional account - they ONLY have personal email accounts, and they only have ones with very generic names, like (10-digit-number)@126.com. Today I even received an email from (10-digit-number)@(university url).cn, which didn't help me much. If true, this looks like a cultural norm that we weren't prepared for and now have to figure out. If they're just scamming, I'd like to know if this is a common ploy.

       

      How do we know registrants really are who they say they are? This process has become an existential dilemma for me.

       

      Any insights would be appreciated. Thanks.

       

      - Josh

        • Re: How do we know registrants really are who they say they are?
          JasonLax

          I'm not entirely surprised that a university or company won't provide institutional or business e-mail.

           

          About the numbers, this is common in China because it's traditionally easier to create and share addresses this way given the commonality of surnames and what would be the need to translate everything to pinyin (Chinese expressed with Latin characters).

           

          Nothing will ever be foolproof (e.g., it's easy for anyone to get a .edu e-mail address) and it's about striking the right balance, as you said.

           

          Thanks,

           

          Jason

          • Re: How do we know registrants really are who they say they are?
            it2000

            Everybody knows someone, so the users should at least know whether the email addresses of other users are well-known and whether one is a competitor.

            The mass of users knows so much, but taking advantage of it is hard.

            One day you could switch to invitation-only. So your users would suggest/invite other users.

             

            PS: Getting the passport number for Interpol verification should help too.

            • Re: How do we know registrants really are who they say they are?
              lbeason

              I was wondering something similar... is there a way to automatically accept or reject registrations based on the email domain?

                • Re: How do we know registrants really are who they say they are?
                  socketz

                  qq.com is a free email service out of SE Asia.  Naver is another popular one.  We block dozens of these services around the world (each region has unique ones).

                   

                  Within the Admin Console, take a look at People->Settings->Registration Settings->Blacklisted Domains

                   

                  Users with email addresses matching this list of domains will be forced into moderation before their registration will be approved.

                   

                  You can also select to block them, but the moderation path gives you more visibility (i.e. which competitors are trying to register on your site).

                   

                  This is also a good tool to use for Export Compliance control as well.

                   

                  Hope this helps.

                  1 person found this helpful
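
An added example (not part of the thread and not the community platform's own code) of the domain-based triage discussed in the last two replies: addresses on a listed domain are routed to moderation or blocked, and matching is done on whole domain labels so look-alike domains are not caught by accident. The domain lists, function names and decision labels are assumptions made for illustration.

```python
# Added example: route registrations by email domain.
# All lists below are constructed; fill them from your own policy.
MODERATED = {"qq.com", "126.com", "gmail.com", "yahoo.com", "naver.com"}
BLOCKED = {"competitor.example"}  # hypothetical competitor domain


def email_domain(address):
    """Return the normalized domain of an address, or None if malformed."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    domain = domain.rstrip(".").lower()  # drop root dot, fold case
    try:
        # Convert internationalized names to their ASCII (punycode) form
        # so list entries can be stored and compared in one form.
        domain = domain.encode("idna").decode("ascii")
    except UnicodeError:
        return None  # empty or over-long label, or invalid IDN
    if "." not in domain:
        return None
    return domain


def matches(domain, listed):
    """True if domain is a listed domain or a subdomain of one.

    The leading dot keeps 'notqq.com' from matching 'qq.com' while
    'vip.qq.com' still does.
    """
    return any(domain == d or domain.endswith("." + d) for d in listed)


def triage(address):
    """Return 'reject', 'block', 'moderate' or 'approve' for an address."""
    domain = email_domain(address)
    if domain is None:
        return "reject"    # not a usable address at all
    if matches(domain, BLOCKED):
        return "block"
    if matches(domain, MODERATED):
        return "moderate"  # a human reviews before approval
    return "approve"       # normal registration flow


if __name__ == "__main__":
    for addr in ["319883245@qq.com", "User@VIP.QQ.COM.", "a@notqq.com",
                 "a@qq.com.other.example", "a@competitor.example", "nobody"]:
        print(f"{addr:28} -> {triage(addr)}")
```

A domain match only says which mail provider was used; it does not show that the address belongs to the named person, so the reply-from-a-known-address check described in the original post still applies to anything routed to moderation.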