I'm locked out of my 6 year old Chipotle account because they now say my email address is invalid when I login. Here is me asking for their help:

sacbuntchris@lemmy.world to Mildly Infuriating@lemmy.world – 1566 points –

I also reached out to them on Twitter but they directed me to this form. I followed up with them on Twitter with what happened in this screenshot but they are now ignoring me.

289

When you insist on implementing your own email address validation...

I have my own domain that uses a specific 2-letter ccTLD - it's a short domain variation of my surname (think "goo.gl" for Google). I've been using it for years, for my email.

Over those years, I have discovered an astonishing number of fuckheaded organisations whose systems insist I should have an email address with a "traditional" TLD at the end.

A few years back I bought a .family domain for my wife and I to have emails at ourlastname.family That lasted a week because almost every online service wouldn’t accept it. Now we have a .org

Doesn't surprise me one bit. I've noticed that a lot of websites will only accept .com and a few will only accept email addresses from popular providers (Gmail, Hotmail, outlook, etc.)

My guess is that it's trying to reduce spam and fake account generation.

My guess is that it's trying to reduce spam and fake account generation.

Thus preventing the growth of any small providers and further entrenching Microsoft, Google, Apple, and a handful of others as the only "viable" options.

Feels very relevant to the fediverse, with how people tend to compare it to email.

Yeah, that's it pretty much.Like 99% of your legitimate users are going to be standard gmail/yahoo/hotmail/etc. You see a user from ten minute mail, it's probably some shady shit.

Not necessarily shady.

I use 10 minute email if a merchant requires me enter an email account before seeing the total price on an item (including shipping). That's the most common pattern I've seen. My guess is that they want to ping you to complete the purchase.

Or a website might require free registration in order to view the content.

One place I use 10-minute email is actually Spotify. I didn't want to give them my Gmail address since your name is exposed to the world via their sharing API.

Don't get me wrong, there are a lot of bad uses for it as well. But privacy minded people use it too.

ELI5 the bit about spotify's sharing API?

When you share your playlist or have Spotify hooked up to some other service like discord, it shows the name associated with the account.

And changing that name is not as straight forward as you might think.

Given the fact that it's shared so easily, I wouldn't be surprised if email addresses could be exposed with the right options.

I went with .io specifically for this. It doesn't look special or anything, it's just cheaper than .org and accepted anywhere I've tried, so far.

What registrar do you use? Last time I checked .io domains where like 4x the price of a .org

My first email address was @k.ro (a free email provider many many years ago) and many websites thought a valid second-level domain name cannot be just one letter

Same. There are a lot of sites that just outright refuse to accept my email address that I’ve had for years, because it’s not a .com TLD.

CVS and E*Trade both refused to accept my fairly standard user@mydomain.info address during initial registration, but had no issue changing to that address once the account was created. It would be nice if their internal teams communicated a bit better.

The only useful email validation is "can I get an MX from that" and "does it understand what I'm saying in that SMTP". Anything else is someone that have too much free time.

It's easier to Google "email regex [language]" and copy the first result from stack overflow.

Definitely a timesaver. Much faster to get incorrect email validation that way then to try building it yourself.

Skip the building step and go straight to pulling your hair out over why it’s not working! Efficiency!

That probably lead to this exchange.

Stack Overflow is useful, but...it needs more than a little parsing for useful answers.

I know (hope) you're being facetious, because the objectively best way to do email validation is to send a fuckin email to the provided address.

To be valid, the email just has to match [anything@anything]. ,🙃@localhost can be perfect legal if localhost supports utf8 in usernames.

I'm not aware of any correct email validations. I'm still looking for something accepting a space in the localpart.

Also a surprising number of sites mess with the casing of the localpart. Don't do that - many mailservers do accept arbitrary case, but not all. MyName@example.com and myname@example.com are two different mail addresses, which may point to the same mailbox if you are lucky.

The only correct regex for email is: .+@.+

So long as the address has a local part, the at sign, and a hostname, it's a valid email address.

Whether it goes somewhere is the tricky part.

Sorry, this is not a correct regex for an email address.

Sending using mail on a local unix system? You only need the local part.

STOP VALIDATING NAMES AND EMAIL ADDRESSES. Send a verification email. Full stop. Don't do anything else. You really want to do this anyway, because it's a defense against bots.

I think it's fair to prevent users from causing mail sent to your internal systems. It probably won't cause any issues getting mail to the machine inbox for (no domain name), but it reasonably makes security uneasy.

The statement I was responding to was "This is the correct email regex". There is no correct email regex. Don't parse emails with a regex. You probably don't need to parse emails at all.

Yes, but no. Pretty much every application that accepts an email address on a form is going to turn around and make an API call to send that email. Guess what that API is going to do when you send it a string for a recipient address without an @ sign? It's going to refuse it with an error.

Therefore the correct amount of validation is that which satisfies whatever format the underlying API requires.

For example, AWS SES requires addresses in the form UserName@[SubDomain.]Domain.TopLevelDomain along with other caveats. If the application is using SES to send emails, I'm not going to allow an input that doesn't meet those requirements.

Therefore the correct amount of validation is that which satisfies whatever format the underlying API requires.

You mean the validation which the underlying API will perform on its own? You don't need to do it.

I disagree. You should have validation at each layer, as it's easier to handle bad inputs and errors the earlier they are caught.

It's especially important in this case with email because often one or more of the following comes into play when you're dealing with an email input:

  • You're doing more than sending an email (for ex, creating a record for a new user).
  • The UI isn't waiting for you to send that email (for ex, it's handled through a queue or some other background process).
  • The API call to send an email has a cost (both time and money).
  • You have multiple email recipients (better hope that external API error tells you which one failed).

I'm not suggesting that validation of an email should attempt to be exhaustive, but a well thought-out implementation validates all user inputs. Even the underlying API in this example is validating the email you give it before trying to send an email through its own underlying API.

Passing obvious garbage inputs down is just bad practice.

Here's my address: @@@@@

And this right here is a great example of why simple basic RegEx is rarely adequate

At the very least, should be something like

^[^@\s]+@([^@\s.]+\.)+[^@\s.]+$

I'm like 99% sure I missed at least a few cases there, and will say "please don't use this for anything production"

Here's two: you can have multiple @s forming relays in an email address, and you can also break all the rules around dots and spaces if you put quotes around the local part, eg ".sarah.."@emails.com

And this is exactly why I wouldn't do my own, I had no idea either of those were legal/possible

To be fair nor do most email providers! It's in the spec, though.

You should be able to double quote the local part and use the space. "like this"@email.net. Good luck getting that through a validator though.

1 more...

When you insist on implementing your own email address validation regex string...

1 more...

but they are now ignoring me.

Hmm. Did you try giving them your email address?

Yes, now my twitter dms are stuck in an infinite loop

Gimme your email address and I'll see what I can do

And the password is >!*****************!<

You gotta put backtick quotes around your password on lemmy, otherwise it is automatically censored. It's a security feature of ActivityPub.

Somebody made a shitty regex.

Probably, from what I can see the address in question isn't really that exotic. but an email regex that validates 100% correctly is near impossible. And then you still don't know if the email address actually exists.

I'd just take the user at their word and send an email with an activation link to the address that was supplied. If the address is invalid, the mail won't get delivered. No harm done.

Actually, one of our customers found out the hard way that there is harm in sending emails to invalid addresses. Too many kickbacks and cloud services think you're a bot. Prevented the customer from being able to send emails for 24 hours.

This is the result of them "requiring" an email for customers but entering a fake one if they didn't want to provide their email, and then trying to send out an email to everyone.

Our software has an option to disable that requirement but they didn't want to use it because they wanted their staff to remember to ask for an email address. It was not a great setup but they only had themselves to blame.

My guess is that would also occur with valid but non-existing e-mail addresses no? The regex would not be a remedy there anyway.

Of course you should only use the supplied e-mail address for things like mass mailings once it has been verified (i.e. the activation link from within the mail was clicked)

That's exactly what they did. They used something like noaddress@ourbusniess.com to get around the checks we had in place. I've intentionally been vague but most people will give their email address to our customers and won't give a fake one. So under normal situations the amount of bounce backs would be minimal: fat fingering, hearing them incorrectly, or people misremembering their email. Not enough to worry about. Never thought we'd come across a customer intentionally putting in bad email addresses for documentation purposes. They could have just asked us to make the functionality they wanted.

The best of validation is just to confirm that the email contains a @ and a . and if it does send it an email with a confirmation link.

TLDs are valid in emails, as are IP V6 addresses, so checking for a . is technically not correct. For example a@b and a@[IPv6:2001:db8::1] are both valid email addresses.

I feel like using a@[IPv6:2001:db8::1] is asking for trouble everywhere online.

But its tempting to try out, not many people would expect this.

Jeez and I feel like I'm tempting fate just by using a custom domain.

Email standard sucks anyway. By the official standard, User@email.com and user@email.com should be treated as separate users...

Personally I don't think that sucks or is even wrong. Case-independent text processing is more cumbersome. 'U' and 'u' are two different symbols. And you have to make such rules for every language a part of your processing logic.

If people can take case-dependence for passwords (or official letters and their school papers), then it's also fine for email addresses.

The actual problem is cultural, coming from DOS and Windows where many things are case-independent. It's an acquired taste.

Im with the earlier "yeah.. No."

Because

"If people can take case-dependence for passwords"

They cant now do they ? If they could passwords would be a-okay and there wouldn't be any need for stickies on monitors, password managers, biometrics, SSO, MFA and passwordless authentication.

The dumbest idea in computing is assuming everyone is as smart as you.

They aren't. Why isn't *nix any bigger? Here's your answer. People are stupid.

Why did IT only finally took off with windows 3.11? because people could understand that. Barely. Most of us where way to dumb for everything which came before.

Why does ipv6 acception takes so long? Because people are stupid and don't get it. Nobody really gets hex. So they just stay with what they can read and more or less get. Even the hardest part of ip4, subnetting, has an easy way out: just add 255.255.255.0 in there and it works. Doesnt work? Keep replacing 255 with zeros and eventually it will. Subnetting on ipv6? No idea. Let's just disable ipv6 on the internal lan and leave everything on ipv4. Zero migration, zero risk, zero training needed.

Why do so many companies only go half assed into cloud? Because they don't get it.

Powershell? Only half, a third even, of the admins truly get it.

I could go on.

Succes is build on simplicity.

Oh, I like writing such rants too, so I'll answer with lots of words.

They cant now do they ? If they could passwords would be a-okay and there wouldn’t be any need for stickies on monitors, password managers, biometrics, SSO, MFA and passwordless authentication.

Hardware tokens. With sufficient demand the scale would make them really cheap.

It's exactly because of having experience with making work the whole zoo that engineers don't understand how much easier that would be for normies.

The dumbest idea in computing is assuming everyone is as smart as you.

Assuming that everyone is as dumb as me in areas where I'm dumb would also be a mistake.

Why isn’t *nix any bigger? Here’s your answer. People are stupid.

Because of oligopoly. People are not stupid, but they have priorities and they don't have some of the knowledge we have. Also it doesn't really have to be that big immediately, all in good time.

Why did IT only finally took off with windows 3.11? because people could understand that. Barely. Most of us where way to dumb for everything which came before.

Can't comment on that, I was born in 1996.

Why does ipv6 acception takes so long? Because people are stupid and don’t get it. Nobody really gets hex. So they just stay with what they can read and more or less get. Even the hardest part of ip4, subnetting, has an easy way out: just add 255.255.255.0 in there and it works. Doesnt work? Keep replacing 255 with zeros and eventually it will. Subnetting on ipv6? No idea. Let’s just disable ipv6 on the internal lan and leave everything on ipv4. Zero migration, zero risk, zero training needed.

Because not everything supports it right, including some industrial equipment and network hardware, there may be new bugs in everything involved, the old ways work and it's not just v4 with longer address, so people fear making mistakes in configuration.

Why do so many companies only go half assed into cloud? Because they don’t get it.

Now think about similar horrors in, say, piping in houses, or other construction stuff. Or cars. Or roads. Everything is half-assed. It's normal.

Powershell? Only half, a third even, of the admins truly get it.

I kinda get it, but also hate it. Hard to read.

In general:

The most precious secret you can get from experience is that people are not stupid when they are given easy opportunity to try many things and choose what they like.

'U' and 'u' are two different symbols. And you have to make such rules for every language a part of your processing logic.

Unicode has standard rules for case folding, which includes the rules for all languages supported by Unicode. Case-insensitive comparisons in all good programming languages uses this data.

Note that you can't simply convert both strings to uppercase or lowercase to compare them, as then you'll run into the Turkish i problem: https://haacked.com/archive/2012/07/05/turkish-i-problem-and-why-you-should-care.aspx/

So good that we all use Unicode now. No CP1251, no ISO single-byte encodings, no Japanese encoding hell.

It's that capitalization is language dependent, which email addresses shouldn't be as I hope the rules for France shouldn't be different than for Dutch. For instance é in Dutch is capitalized as E, but in French it is É. The eszett didn't even have an official capital before 2017

In most programming languages, case-insensitive string compare without specifying the culture became deprecated. It should imo only be used for fuzzy searching doubles, which you probably will do with ToUpper for performance reasons, or maybe some UI validation.

For instance é in Dutch is capitalized as E, but in French it is É

Sure, but we're just talking about string comparison rules, and Unicode sees all three of those as being equal. For example, a search engine that uses proper case folding rules in its indexer should return results for "entrée" if you search for "entree", "Čech" if you search for "cech", etc.

It should imo only be used for fuzzy searching doubles, which you probably will do with ToUpper

You can't just use ToUpper for comparisons due to issues like you mentioned, and the Turkish i problem. You need to do proper case-insensitive comparisons, which is where the Unicode case folding rules are used.

offtopic: The eszett strictly speaking was a ligature for 'sz', which Hungarian orthography kinda preserved while for German the separated version is 'ss', and there's plenty of such stuff in nature.

In most programming languages, case-insensitive string compare without specifying the culture became deprecated. It should imo only be used for fuzzy searching doubles, which you probably will do with ToUpper on all four performance reasons, or maybe some UI validation.

Thank you for saying that more clearly.

But then you run into the issue of incredibly trivial impersonation on any email service which doesn't reserve all variants of registered names

Yes, email as it really exists kinda sucks, but the idea was nice. When it ran over UUCP, LOL.

I know at least one bank that has case-insensitive password in their app 🌚

1 more...
.+@.+\..+

TLDs could theoretically have MX records too! Email addresses as specified also support IPv6 addresses! The regex would need to be .+@.+ and at this point it's probably easier to just send an email.

I'm with you, and I agree that is technically correct, but I believe the sheer number of people who might accidentally write "gmail" instead of "gmail.com" compared to people using an IPv6 address (seems like a spam bot) or using a TLD like "admin@com" make requiring the dot worthwhile.

That's why I have an "allow anyway" button for addresses that look misspelled but are still technically valid.

Edit: believe it or not, that was a typo.

1 more...

That's what it looks like to me too

I could probably write a RegEx for email format validation that's accurate, but why would I when there are ones already written and readily available that covers all possible legit variations on the standard? I never understood why people insist on writing their own (crap) RegEx for something with as many possible variations they can miss like email...

And that one isn't even a weird edge case! It's a domain with a sub domain, if they can't even cover that case then it's an extra shitty RegEx

Let's see your regex pattern that covers every possible valid email address and rejects all invalid then. It's not remotely as easy as you're making it out to be.

Not saying this isn't a shitty pattern, but you can't make a claim like that.

What claim, that I probably could? I didn't say anything at all about it being easy, it would be a pain in the ass and involve a lot of checking the RFC, but I could probably make one that accurately represents the spec if I wanted to take the time, and even then I'm not exactly confident I would hit every edge case.

But why would I go to that hassle when there are well designed and vetted ones available?

I believe you missed the point I was making

The full email address syntax described in the RFC cannot be precisely matched with a mere regular expression due to the support for nested comments. The need to track arbitrarily deep nesting state makes it a non-regular language.

If you remove the comments first the remainder can be parsed with a very complex regex, but it will be about a kilobyte long.

when there are well designed and vetted ones available?

I'm not convinced of this, tbh. IIRC the RFC can't be described in a regex at all.

It doesn't need to be perfect, it just needs to prevent common mistakes and let valid emails through.

1 more...

Smells like bad regex

Exactly. After the @ they should just confirm there's at least one period. The rest is pretty much up in the air.

Which would still be technically wrong. There does not need to be a dot.

Even that would be technically incorrect. I believe you could put an A record on a TLD if you wanted. In theory, my email could be me@example.

Another hole to poke in the single dot regex: I could put in fake@com. with a dot trailing after the TLD, which would satisfy "dot after @" but is not an address to my knowledge.

And this sort of thing is exactly how you end up with bad regex that invalidates valid emails.

The point isn't to invalidate all bad emails. It's to sort out most of them.

Something something http://[2607:f8b0:4004:c09::8a] and http://3627734062 are valid url's without a dot, and are probably valid for emails too, but I'm too lazy to actually verify that.

1 more...
1 more...

I've had issues with this in using govt emails too. DOD accounts all have multiple dots based on branch and dept. It broke so many systems and emails never went through.

The easiest and most correct check: any character, then @, then any other character.

1 more...
2 more...

The best way to validate an email address is to sent it an email validation link.

Anything outside of that is a waste of effort.

That is 100% a chatbot using a regex email validator someone wrote as a meme that the chipotle dev copied from stack overflow without context.

1 more...

To do that, it looks like I just need some final info from you first...

1 more...

That is 100% a bot, and whoever made the bot just stuck in a custom regex to match “user@sld.tld” instead of using a standardized domain validation lib that actually handles cases like yours correctly.

Edit: the bots are redirecting you to bots are redirecting you to bots. This is not a bug. This is by design.

This is not a bug. This is by design.

I'd say it's a bug in the design as it clearly fails to work with a completely fine email.

They meant that they are intentionally trying NOT to help the customer, hopefully they just give up at some point. (That's why they are redirecting to bots and not to an actual human.)

I've encountered plenty of poor souls in equally poor countries getting paid a pittance who entirely seem like bots

Lol, why would that be true? They want to help, they just have a shitty bot

Most companies try to gain and retain customers. You're suggesting that at Chipotle, they sat down and decided to actively not help theirs?

It’d be a lot easier to not make a bot at all if that was the case. They aren’t intentionally not trying to help, they’re intentionally spending as few resources as possible on helping while still doing enough to satisfy most customers. It’s shitty but it’s not malicious like you guys are implying.

Well, writing "operator" or "human" or "transfer" or "what the @#$" or something irritated may help.

But using a standardized library would be 3PP and require a lot of paperwork for some reaosn.

It might even be worse than that, imagine if they let one of those learning algorithms handle their customer service.

That all loads of companies that do. In this case it would be better because it would actually understand what constitutes an email rather than running some standard script with no comprehension of what it's doing.

The difference between AI and automated script responses is AI is actually thinking at some level.

I think AI generally tries to bullshit more often than participating in what the user wants to accomplish. It would be like speaking with customer support who don't actually work for the company, is a pathological liar, and have a vested interest in making you give up as fast as possible.

That's not what AI is though.

An AI is pretty good and doing whatever it's programmed to do it's just you have to check that the thing it's programmed to do is actually the thing you want it to do. Things like chatGPT our general purpose AI and essentially exist more or lesses a product demonstration than an actual industry implementation.

When companies use AI they use their own version on their own trained data sets.

If you program your learning algorithm to "solve" customer problems in the shortest amount of time possible with the least amount of concessions possible, it will act exactly as I just described. The company would have to be run by buffoons to give the phone machines the ability to change user account information or have the ability to issue refunds, so the end result is that they can only answer simple questions until the person on the other end gives up.

That is not how AI works.

It's not programmed at all, it's a developed network, it evolves in the same way that the human brain evolves, saying it will try and solve the problem in the shortest possible time is like saying that human agents will try and solve the problem in the shortest possible time. It's a recursive argument.

You have rather proved my original point which is that everyone talking about AI doesn't know what they're talking about.

You might say "oh but an artificial intelligence could never possibly match the intelligence of humans" but why would that be the case? There's nothing magical or special about human intelligence.

Wow you really went off on an irrelevant tirade, there. There is a defined accuracy when you set up the learning algorithm, there is an end goal result that you define with which the program chooses and eliminates "choices" for a given generation. You program it, it doesn't magically conjure from a witches cauldron or a wish from a genie.

And also, we're not talking about actual intelligence and sentience here, we're talking about AI as in modern Learning Algorithms, as I explicitly stated at the start of this thread before you used the term AI for the first time in this thread. Idk why you're comparing it to human level intelligence when it's barely passable as a poor and easily abused mimicry.

With your repetitive, nonsensical, baseless logic I think you would pass for one of those glorified chatbots.

Modern customer service is about willfully designed layers of broken system engineered specifically to frustrate the majority of people that can't regulate their emotions. It's always a series of about "12 doors" you have to cross through that are exceedingly difficult to pass through. They are designed to sap your energy with the hope that you eventually reach a boiling point, hang up, get distracted, go on with your day and never follow up out of fear of starting the same process again.

I just keep mashing zero until a human talks to me.

Most IVR systems block that option because fuck you that's why.

Ive recently had the automated response tell me "If you keep doing that I'm going to terminate this call, now, have you calmed down?"

Needless to say I lost my absolute shit on that robot.

“I wont respond to that”

“You just did you dumb bitch!”

“I won’t respond to that”

::aneurism::

"Returning a call" if they take voice, has been very helpful to me

Chipotle is telling you they don’t want your money

I would sure like the free stuff they promised me after my past purchases

I work for Chipotle Corporate. Please send me your email address. I'll make sure it gets fixed.

7 more...

If that's their standard, you can probably just edit the html to make the login button active and then sign-in.

It depends if they have backend validation on their API as well that has the same rules

You're talking to a bot that has a crappy parser and doesn't understand what a subdomain is.

This is why you never attempt to validate an email address beyond requiring an @ followed by a period, and send a verification email

Technically you don't need a period for a valid address. "a@a" is a valid email address.

Not a lot of people sending emails using hostnames nowadays though.

Could be a Tld without a domain in front.

Can you give an example of that?

I've been working with websites, frontend and backend code for almost 20 years, somehow never knew this was a thing. Weird.

That's really neat. It of course makes sense because I can't see any reason why a TLD couldn't have MX records, but I am surprised that any TLD actually does.

I found an RFC with domains that have MX, A, and/or AAAA records. https://datatracker.ietf.org/doc/html/rfc7085

Yeah, I’ve noticed that a lot of sites are starting to disallow aliasing with email addresses. So annoying.

Which is blatant incompetence considering there is a very straightforward RFC covering domain names.

https://www.ietf.org/rfc/rfc1035.txt

Has anyone followed standards properly? There are weird workarounds in Linux's TCP implementation because they had to do the same non-standard workarounds as BSD which was added since there are too many buggy TCP implementations out there that will break if the RFC is followed to the letter...

Clearly AI.

Nah, it's just a old school chat bot following a predefined flow chart. And in this flowchart someone implemented an improper email check.

It's pretty much the same as if there was just a website with an email field which then complains about a non valid email which in fact is very valid. And this is pretty common, the official email definition isn't even properly followed by most mail providers (long video but pretty funny and interesting if you're interested in the topic).

You can use symbols like [ ] . { } ~ = | $ in the local-part (bit before the @) of email addresses. They're all perfectly valid but a lot of email validators reject them. You can even use spaces as long as it's using quotation marks, like

"hello world"@example.com

A lot of validators try to do too much. Just strip spaces from the start and end, look for an @ and a ., and send an email to it to validate it. You don't really care if the email address looks valid; you just care whether it can actually receive email, so that's what you should be testing for.

Not even a dot: TLDs are valid email domains. joe@google is a correct address.

Mmm... That doesn't seem right, it's usually gotta be fully expanded to at least a particular A record/MX.

How would you tie the tld itself to an MX?

TLD is just another DNS layer, try an SOA or NS lookup for "com." those are obviously hosted somewhere. Hell the "." at the end is even another layer with the root nameservers. You'd probably trip up a bunch of systems that filter on common convention rather than the actual RFC, but you could do it.

How the hell were the original rfc designers so creative as to result in such a flexible system?? It's gets crazier the more you look at it.

It makes the system as a whole simpler. Your computer only needs to remember one root DNS server (although most computers allow setting 4 for redundancy) as opposed to one DNS server for each TLD, and it also makes adding TLDs easier.

Don't forget +

Super handy with Google email.

A lot of providers support plus‑aliasing, although it‌'‌s usually in a company‌'‌s best interest to block plus‑aliases.

+ symbols aren't always used for aliasing though, and companies that strip them out can break the email address. There's no guarantee that dan+foo@example.com is the same person as dan@example.com.

I have a catchall domain and used to use email addresses like shopping+amazon@example.com with a Sieve rule to filter it into a "shopping" folder, but these days I just do amazon@example.com without the category or filtering.

Yea but most of the time its more important to block code injection than to have the last promille of valid mail adresses be accepted.

You're not going to get code injection via an email address field. Just make sure you're using prepared statements (if you're using a SQL database) and that you properly escape the email if you output it to a HTML page.

interesting if you're interested in the topic

The first rule of tautology club is the first rule of tautology club.

Yeah that video is great. My favourite part is the Russian post address thing.

He has a lot of interesting and funny talks like that.

The problem is their website also implemented an invalid email check when I try to login which is what got me to this point

Nah, it's just a old school chat bot following a predefined flow chart.

yes but that would be an AI still

A bunch of IF statements don't qualify as an AI. That's not how that works.

Yeah mate you're talking out of your ass. A bunch of if statements can, in fact, constitute an AI depending on the context. You don't know what you're talking about, stop trying to pretend you do.

AI is a broad concept, a pathfinding algorithm can be considered AI, a machine learning image generator can be considered AI, a shitty chatbot with predefined responses (like this one) can be considered AI. Reducing something to a stupid sentence like "just a bunch of if statements" to try to make it seem absurd is. I can reduce something like ChatGPT the same way and it'd be pretty much as accurate as your take.

You can draw any AI as a predefined flowchart, that's literally the point, they just make decisions based off of data. Large NLP algorithms like ChatGPT are no exception, they're just very large involving incomparably heavier mathematics.

Here is a good stackoverflow answer to it that actually gives credible sources (including from the people who pioneered AI themselves): https://stackoverflow.com/a/54793198

AI is very broad. You can use many different definitions of varying specificity to describe AI which can all be correct, even a shitty chatbot counts as AI despite being so basic. There's no bottom limit for the complexity of AI.

Selecting a canned-text response based on simple keywords is a long way from AI, and it's foolish to equivocate equate the two of them.

Also, chill tf out, and don't be so aggressively presumptious. I have enough experience with the topics in question to point out how misleading this statement is.

I suppose you didn't click the link I sent – either that, or you think you know better than some of the leading figures in the field of AI... it's not "a long way from AI", it IS AI in its design and its purpose. It's misleading to assert that it isn't AI because it doesn't meet your arbitrary complexity standard.

I doubt you have any relavant experience in AI research or engineering based off of how you treat the concept of AI and even data science in general here... boiling the bot down to "just a series of if statements" – and then implying that lack of complexity makes it not an AI – is extremely naïve and is itself misleading, you can do that for anything, every program is ultimately just a bunch of if-else/goto and simple math operations. It's just an attempt to conceptually reduce it so much that it seems absurd that it could be in the same category as more advanced AI. Despite the name, AI doesn't have to meet some bar for "smartness", it's a ridiculously broad term and any program intended to mimic human behaviour falls under AI (no matter how poorly it does it).

You confidently and rudely/condescendingly asserted something that is very blatantly ignorant of the subject of AI, I find it reasonable for me to assume that you had no idea what you were talking about, and I find it reasonable to very plainly call you out.

Also you misused "equivocate"... it's not a word used to compare two things, it means using double speak/speaking evasively, "to equivocate the two [AI vs. chatbots]" doesn't mean anything. Did you mean "equate"?

I did click your link. The accepted answer there states:

"The term artificial intelligence denotes behavior of a machine which, if a human behaves in the same way, is considered intelligent.

Again, I don't think that selecting basic responses based on keywords found in the string meets the criteria for being qualified as an AI, as anyone with experience of a chat bot this simple knows it won't hold up the illusion of "intelligence" for very long.

I did mean "equate", you're correct. The rest of my point remains - a very simple chat-bot like this is leaps and bounds from what would be termed an AI these days. To equate the two is misleading.

The answer you're referring to (not the accepted answer but the highest voted yes) also says

Tic-Tac-Toe is a very simple game, so it is very easy to make a simple application behave exactly the same as an intelligent human would. So, if this is the definition of artificial intelligence to which you subscribe, then yes, you would be justified in calling your "jumble of if/else statements" an AI.

In this case I feel like it is a safe, if somewhat useless, application of the term.

The ambiguity arises when you ask what it means for "if a human behaves the same way". If you word it like that then something like ChatGPT or Stable Diffusion wouldn't count, because you can easily see they're not human even if you didn't know first, but then this tic-tac-toe bot would count. It's a definition they didn't elaborate on enough so we don't know what they mean by "intelligent human behaviour". Maybe "intelligent human behaviour" extends to just giving somewhat relevant answers based on certain words/lexemes in the sentence? Certainly that intelligence is human, I mean a dog or seal can't do that, only a human. As it stands there is no complex art or chat AI that can't be distinguished from a human, so if we want to restrict it to actually acting like a human then AI doesn't exist, unless we're talking about simple tasks like tic-tac-toe, and there are programs that surpass humans like chess engines which also wouldn't be considered AI, which I find a silly definition to go by. "Human intelligence" doesn't mean "as smart as the average human", it means sentient-like capacity to make decisions, even if it's extremely simple. The task itself doesn't change what counts.

That is why I find the take by the pioneers of AI a lot more useful – they don't put some arbitrary subjective limit on complexity that disqualifues seemingly obvious examples of AI like the IEEE's ambiguously worded definition does.

What's in "these days" doesn't exactly matter – sure, average people nowadays often only use AI to mean complex ML/NLP AI and not the other types of AI, but that doesn't stop other AI from existing and being AI lol. And especially since people use it the previously common way too still – people who play video games will still call the bots/NPCs "AI", or call the pathfinding algorithm "pathfinding AI", for example. And a majority of data science/AI literature will still call simple AI like this one in the post "AI".

It's easy to see why asserting your poor definition of AI as the correct one and anything else (even the definition that most professionals in AI agree to, which the comment I sent has a link to multiple with reasons to their credibility over others, one is literally the 4th most cited book in this century) as "misleading" is pretty annoying. You're trying to gatekeep AI and put your own subjective interperetation of one specific definition on it and ignore multiple leading AI professionals' definitions lol...

Im not attempting to "gatekeep" anything. I'm pointing out that drawing a parallel between a keyword-based chat it script and a full LLM is disingenuous.

Wdym drawing a parallel? I literally never did that lol, I just said it's AI even if it's not LLM-level AI despite "just being a bunch of if statements". They don't have to be the same complexity in order to be in the same grouping. My original comment was exactly "it is an AI tho", I didn't say or imply "it's an advanced neural network capable of taking on the greatest of commercial LLMs"

You're totally, technically correct and I apologise :)

Reading this back it seems I've had a kneejerk reaction to seeing the word "AI" slapped onto a basic chatbot. I appreciate that yes, by all metrics it's an AI - yet it draws a parallel between this kind of Hello-World chat-bot and the current state of AI, which I felt is misleading. Like comparing a canoe to a cruise ship, you know?

1 more...
1 more...
1 more...
1 more...
1 more...
1 more...
1 more...
1 more...
1 more...
1 more...

That is AI...

Even “algorithm”, you could say! The text adventure game I made in BASIC when I was 14 is going to blow your mind. It is 100% artificial and uses logic (IF statements), hence AI!

1 more...
1 more...

My Ameriprise account has its own email address because the fuckers don't believe any email starting with email@ is a real email. I've called them a million times and got them to file a bug, which they did, and then closed as won't fix.

Reply, that you'd be happy to provide your e-mail. but first, you must verify them, my having them provide an e-mail.

No, dots are NOT necessary. Actually you do not even need to supply a domain or a top level domain because mails then default to the default system which is usually localhost.

But even for routed mail there doesn't need to be a dot.

There is still valid Bang-Adressing for UUCP routed emails:

!bigsite!foovax!barbox!me

This is a valid email which basically means "send my email to bigsite, from there to foovax, then to barbox, to the user me."

And if you are in a playful mood - mix FQDN and BANG addressing...

A couple of years ago I made Hotmail crash by sending a mail to googlemail.de!hotmail.com!googlemail.com!hotmail.de!googlemail.ca!hotmail.ca!googlemail.fr!hotmail.fr!... [repeated it for 32kByte] ...!myuseraccount - their server literally crashed completely all over the world for like 15 minutes. I am so proud of myself but then it was their fault for not complying to RfC822.

I'm assuming by "dot" you meant @

I’m assuming by “dot” you meant @

In fact both are optional. With FQDN-Adressing a user without domain defaults to localhost, with Bang-Adressing there is no @ because the last system is left for interpretation of the last receiver and if he consideres it a user, so be it.

enshitification of everything intensifies

Not enshittification. Just the usual shitty customer service experience.

IMO the biggest issue is separating the customer from support people too much, and likely separating the support people from the actual business too much. They throw up that stupid bot in between customers and contacting support because they don't want support people answering the same questions a million times, yet in doing so they just make the customer experience worse. And the bot does a bad job helping people with basic stuff, and a worse job of letting people get actual help from a person when the bot realizes it can't do what the user needs.

The people on Twitter told me to use the website contact form because they don't have any actual connection to the company. I'm guessing they're outsourced and can regurgitate from an FAQ, but they have no ability to escalate to someone with any power.

Pretty much every customer service you contact is going to be an agent of a 3rd party call center. It's been that way for decades.

At the one I worked at, only a single person would know how to contact the client directly, and that was the campaign director. And the campaign directors were terrified of contacting the parent company because they didn't want to lose the contract and get fired (for what? I have no idea).

It took like 8 months for us to even be able to report a serious memory leak issue in one of their proprietary bullshit chat platforms.

Get the bot to tell you it's connecting you to someone like you did, then give it a fake email address to get past that point.

Honestly I mostly just posted this to be funny but this is good advice

In this case, the fake email address could be sacbuntchris(at)lemmy.world to be used with that idiot bot.

Then I might get the added benefit that someone from Chipotle's web dev team finds us dunking on them.

I signed up to an insurance company here in Japan with first.last+something@domain.com and they later changed their rules and I couldn't sign in at all. They told me to open a new account. I didn't want to pay them once let alone twice. Never doing business with them again.

Yeah I tried to use + in some signups recently but it just gets cut

Same. Nowadays I just use a catch-all email address. Companyname@domain.tld. Allows me to name, shame, and block the company that leaks my email address.

I like to use the Gmail feature where you can add +randomstring to your email and it still gets to the regular email to sign up to random sites. But this way you can identify and block spam if that email get's compromised. Technically this Google catch all feature also isn't following the email standard but at least it's useful.

Problem with that is that you can very easily strip off the + and any bit after it to get your “normal” email address. Then again, when they find out mine is a catch-all, they can spam me as well… I guess you never win.

In what sense do you think this isn't following the email standard? The plus sign is a valid character in the local part, and the standard doesn't say how it should be interpreted (it could be a significant part of the name; it's not proper to strip it out) or preclude multiple addresses from delivering to the same mailbox.

Unfortunately the feature is too well-known, and the mapping from the tagged address to the plain address is too transparent. Spammers will just remove the label. You need either a custom domain so you can use a different separator ('+' is the default but you can generally choose something else for your own server) or a way to generate random, opaque temporary addresses.

If you want to talk about non-compliant address handing, aside from not accepting valid addresses, the one that always bothers me is sites that capitalize or lowercase the local part of the address. Domain names are not case-sensitive, but the local part is. Changing the case could result in non-delivery or delivery to the wrong mailbox. Most servers are case-insensitive but senders shouldn't assume that is always true.

And that's why I want to talk to a person.

No one wants to pay a person. And your business is worth losing. Because their bot fixes 90 percent of their problems. Not justifying. Just mocking their shitty approach.

The bot may transfer it to an operator if you ask it right.

Or it may not, cause usually in such cases it's made clear initially that you are writing to a bot, and the purpose of that bot is to give the human a summary of what you want, to make it quicker (for them, not for you).

I literally can not make an account in their app. No idea why. It’s trash just keeps saying something went wrong

Are you rooted and/or ad blocking at the system and/or network level? It's probably that.

Whenever I have the random "Something went wrong" in an app that doesn't resolve in a day or 2 it's almost always because it has root detection or it's using an API call on a URL that gets filtered somewhere along the line in my adblocking system.

BK app is all fucked whenever I try to redeem coupons unless I disable AdAway

For me BK doesn't allow to add my card (even their web interface does, FFS, so I know it's not my bank or something). But at least I can see the order status (useful when playing board games somewhere near a BK, to not wait there and not to skip things said and dice rolled).

I have enough 7-11 points to buy out several franchise locations, but I can't use them.

I made the account with Facebook, then later deleted Facebook. Since I don't have a Facebook to log in to the app to redeem points, I can't redeem them at all.

I contacted corporate about this, and they say there's nothing I can do.

The fun part is that my still valid email was connected to the now defunct Facebook, so I can't use my email either. Not even to make a new account.

Same deal with my phone number.

So if I ever want a free shitty taquito, I basically need an entirely new Identity.

A lot of oauth2 implementations don't really seem to have a mechanism to change providers or switch to email alone. It's going to be fun when one of the big providers like Facebook or Google decide they don't want to do oauth2 any more and a bunch of their users are suddenly locked out of millions of third party websites.

you hear about google deleting a lot of old accounts? imagine how many of those were used purely to make accounts on other sites.

Yep, that's going to be a small taste of what could happen.

Burritos are easy to meal prep. Make your own shit and stop paying these clowns.

Could we please stop with this nonsense that "hey just make your own blahblah".

Yeah, when I have literally 10 minutes between meetings to stuff something into my mouth, I'll sure start to prep my meal. And on weekends? Fuck that too, I just want to lay on my couch doing nothing. But certainly not my meal.

It's obvious that these people don't work full time with a family

And this is one of the many reasons that these days I create a @duck.com email address for each website.

My password manager (Bitwarden) happily generates for me both the mail and the password… now instead of having to look up for the unique password for each website I need to look for both the unique password and unique email 🤷

Furthermore if they are incompetent enough to make shitty regexp they are for sure incompetent to keep their db safe from hacking/leaking… and I am fine with a duck.com address being locked, less so with my actual email address

Alot of email verifications, very recently, are now having trouble with verifications in the domain name especially if it has a second period like yours.

Incompetent verification is definitely a problem, like they applied the most simplistic concept of 'what's a valid email address'. I had a problem like this with a website that needed an address, trying to sign up for a phone at my new house. My address went like '123123 State Road 533' The name of the road was State Road 533, that is, as in Highway 533. However, the address interpreter read it as a road called State Rd and ignored the 533, and told me the address wasn't found.

Its quite common on email domains.

I have a .email gTLD and I am frequently told its not a valid domain. Its getting better but apparently many forms only consider .com, .org, .edu etc valid.

I used to have an email address “myfirstname@i.am”. I thought it was really cool… until I kept having issues logging into sites that didn’t understand how email worked. I now use “companyimgivingmyemailto@myname.com”, and I just confuse humans who think I work at their company, and that I don’t understand how email works…

Chipotle needs to watch this video:

https://piped.video/watch?v=mrGfahzt-4Q

I tried to start that video, but I got "Failed with error code 1003, see logs for more info". (I don't think I have have access to any logs, so I guess that part isn't for me.) Maybe Chipotle wasn't able to watch it either, and so that's why their system is broken.

Chipotle’s customer service sucks ass even after you get a person. Good food though.

Don't use edu emails on anything you don't want to loose access too

Same thing here with my Taco Bell app. Can't use it because my email became not a valid email address.

Stand with me against this injustice. I'll be the Baja to your Blast

Wow. Chipotle are honestly kind of awesome for helping you out like this. It sucks that more companies won't protect their customers from themselves like this.

Did you even look at the screenshot?

I believe they're saying that Chipotle is helping OP by making it so OP doesn't eat there.

Chipotle account? how does buying fast food involve an account? And for six years? for what?

They give you free stuff and it's nice to save your info so you can order food for pickup when out and about.

Interesting. I stopped eating fast food years ago, and I didn’t know they started doing things like that.

It's one of the things that really took off during lockdown. That, online grocery ordering, and curbside pickup are the three things that make life so much better for me.

Chipotle? As in the chili?
And that bot probably is confused because of the subdomain in the address, not understanding the format.

It's a shitty taco bowl type of restaurant in America

Yeah, it's Taco Bell with fewer options amd a higher price

Have you ever been to either restaurant? Aside from being "Mexican" food, they are nothing alike