
I've definitely blocked protonmail domains before. The calculus is that 100% of the accounts from that domain are fraud and 0% are legitimate, so it just saves a lot of time to block it. Stops fraud before it even starts. This is, of course, annoying for the 1 legitimate customer mixed in with the billions of bots. But basically, they have an abuse problem that they need to solve. Gmail also has plenty of fraudulent accounts, but it also has a lot of legitimate accounts, so they avoid the *@gmail.com ban.

It sucks that people use wide swaths like this, but that's how the cookie crumbles when you have a problem at 3 in the morning that you need to fix now and then go back to bed.



> Work: https://pachyderm.com/

Well, I know what I'm not using if I ever have a need for an ML pipeline.


Yeah, that's fine. If you want to spend 20,000 hours rewriting our 100% open-source product from scratch because we used to have a hosted offering that was overrun by fraud and I made a rash decision in the middle of the night, feel free! Recommend just downloading the source from GitHub though and using our work for free. That is absolutely the best way to stick it to me for sharing my thought process on HN. (Use the 19,9999 hours you saved to listen to enjoyable music or hang out with friends! It's fun!)

Like I said, I was paged in the middle of the night because protonmail accounts were being created at a rate of hundreds per second to use our hosted free trial to mine crypto. So I blocked the domain name. I'm not saying this is wonderful or anything, but it is what I had to do at the time.

I see that my post got massively downvoted, but this is the thought process for people administering things. You get overrun and then you make a rash decision. I basically had the choice to block protonmail from using the free trial, eliminate free trials, or require everyone in the Universe to type in a credit card, pay their bill and not dispute the charges for 90 days. I chose the first one. Free trials continued for the vast majority of the world. But hey, we ended up deciding not to do the cloud offering (in part because of this), so maybe I fucked up that decision.

I'll definitely be thinking about fraud/risk from day 1 the next time I do a cloud service, so that innocent users of email domains abused by fraudsters are not unfairly discriminated against. I didn't do it the first time, and that's on me. I just wanted to share the thought process of someone in the trenches; not make a value judgement of your email provider! You as an individual user of some service can't be held accountable for the actions of the other users of that service. I get that and I feel bad about what I did at the time.

But, having been where the UK government is, I totally get where they're coming from. That's all I wanted to say. Protonmail can do some vetting of their customers, so that their emails become more trustworthy, if they feel like it. That would make their product more valuable for all the legitimate users.


All you're really saying is 'freemail is bad because of abuse, gmail is just too big to fail', which is not a whole lot of news after 25 years on the internet. I guess that's where some of the downvotes come from.


Appreciate the thoughtful answer despite the downvotes; I didn't consider how bad fraudulent email creation still is -- would CAPTCHA protection have solved this issue? I'm picturing a web GUI for your product, but I see a console offering on your website too.


They weren't actually doing much automation for account creation; we would see accounts created from mobile phone providers using mobile UAs, and then after they had an API key we'd see the accounts used from compromised cloud hosting accounts. (Free CI trials were probably a big chunk of this too, but I can't prove that.) The mistake we made was really being too generous with free trials; you need the compute to test our product, but free compute is something you just can't give out these days because of the crypto gold rush. I signed up for fly.io recently and they just ask you for a credit card as soon as you hit "create account". We were scared of that at the time, but I thought it was completely reasonable.
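
Editor's added example, not code from the commenter or from Pachyderm: a sketch of flagging accounts by the behaviour described in the comment above (signup from a mobile network with a mobile UA, then API use from several cloud-hosting addresses) instead of by email domain. The network ranges, event format and `min_cloud_ips` threshold are assumptions, and the sample events are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed ranges (RFC 5737 documentation nets) standing in for real ASN data.
MOBILE_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # assumed mobile carrier
CLOUD_NETS = [ipaddress.ip_network("203.0.113.0/24")]    # assumed cloud hosting

def net_class(ip):
    """Classify an IP as 'mobile', 'cloud' or 'other' using the lists above."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in MOBILE_NETS):
        return "mobile"
    if any(addr in net for net in CLOUD_NETS):
        return "cloud"
    return "other"

# Constructed events: (timestamp, account, kind, source_ip, user_agent)
EVENTS = [
    (100, "acct-a1", "signup", "198.51.100.7", "Mozilla/5.0 (Linux; Android 13) Mobile"),
    (160, "acct-a1", "api_call", "203.0.113.20", "client/1.0"),
    (170, "acct-a1", "api_call", "203.0.113.99", "client/1.0"),
    (200, "acct-a2", "signup", "198.51.100.8", "Mozilla/5.0 (iPhone) Mobile"),
    (900, "acct-a2", "api_call", "192.0.2.44", "client/1.0"),    # phone signup, home use
    (300, "acct-a3", "signup", "192.0.2.10", "Mozilla/5.0 (X11; Linux x86_64)"),
    (310, "acct-a3", "api_call", "203.0.113.5", "client/1.0"),   # desktop signup, CI use
    (320, "acct-a3", "api_call", "203.0.113.6", "client/1.0"),
    (400, "acct-a4", "signup", "198.51.100.9", "Mozilla/5.0 (Linux; Android 12) Mobile"),
    (450, "acct-a4", "api_call", "203.0.113.20", "client/1.0"),
]

def flag_accounts(events, min_cloud_ips=2):
    """Return accounts that signed up on mobile, then used the API from
    at least min_cloud_ips distinct cloud-hosting addresses."""
    signup = {}                    # account -> (network class, has mobile UA)
    cloud_ips = defaultdict(set)   # account -> distinct cloud source IPs
    for _ts, acct, kind, ip, ua in sorted(events):
        cls = net_class(ip)
        if kind == "signup":
            signup[acct] = (cls, "Mobile" in ua)
        elif kind == "api_call" and acct in signup and cls == "cloud":
            cloud_ips[acct].add(ip)
    return sorted(
        acct for acct, (cls, mobile_ua) in signup.items()
        if cls == "mobile" and mobile_ua and len(cloud_ips[acct]) >= min_cloud_ips
    )

if __name__ == "__main__":
    print(flag_accounts(EVENTS))
```

The flagged set is a review or rate-limit queue, not proof of fraud: a legitimate user can sign up on a phone and deploy to a cloud host, which is why the threshold is tunable.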


Well the irony is that Shodan.io also blocks protonmail email accounts and yet Shodan is your go-to search engine to launch surgical hack attacks on entities.

I know www.urban-automotive.co.uk are losing out on business because they block protonmail accounts as I'm sure many other businesses are!

Hitting those who don't understand privacy in the wallet is an easy accomplishment!


Thank you for contributing to the discussion, enjoy downvotes as your reward.

I had similar issues with signups from Proton. I use the service myself so I didn't want to block it at the domain level, I hope they address this soon.



