Tell HN: Levono won't process orders from ProtonMail addresses

80 points by probinso ↗ HN
Nobody was able to tell me why, but after a few days of trying to place an order customer service was able to identify the reason I could not place an order was because I had a protonmail account. If you are trying to order from levono and you are unable to, this may be the reason.

42 comments

[ 3.3 ms ] story [ 94.5 ms ] thread
They probably got bit by scammers placing orders with stolen credit cards from protonmail accounts. It's an unfortunate problem with trying to be private online. You end up being profiled.
Sometimes bizarrely aggressively by the most unexpected companies, too. Taco Bell's website downright refuses to work if it catches a whiff of a VPN or any attempt at privacy. A VPN means 403 errors on everything and turning it off doesn't always stop them. There's some kind of token endpoint that will continue to 403 after disabling the VPN. Even the payment processor refuses to load unless you disable a bunch of privacy settings because it's inside an iframe. All it displays in Firefox is a Firefox error page saying the (payment processor's) site won't allow Firefox to display the page in an iframe.

You'd think I'm placing an order for tacos from Fort Knox or something.

They probably got thousands of chargebacks from sketchy users who logged in from proxies and VPNs, but very few legitimate orders.
It’s also possible that it’s for tax compliance. When doing online commerce, it is sometimes required for the merchant to charge different tax rates depending on the location of the buyer, and then remit that tax to the corresponding government tax authority. For some countries, a reverse charge mechanism is possible, where the merchant puts the relevant tax info on the invoices and the buyer is supposed to pay the tax to their own tax authority directly. In any case, the IP address is an important piece of due-diligence evidence, which supports the merchant’s claim that the buyer is from a particular location. So if a merchant detects a VPN address, it’s not a good piece of location evidence, and so they refuse to do business outright.
Digital products might be tricky, but probably for physical products delivery address is used for tax purposes, so IP doesn't matter.
Trying to buy something online from the US for my Australian family members is nigh on impossible. The places that even allow entering a non-Australian billing address often decline my American credit card.
We have a fraud decline set for protonmail too, not a gigantic company - but we've had too much fraud from the domain.

It sucks, but it's a very small loss in potential revenue overall.

How do you determine what is "small loss"?

Get the feeling 90% of fraudsters could use gmail and there's very little chance anyone on Earth would block them.

Does this distinguish between paid and non-paid accounts?
I don't know of any way to do so, we're not calling an api to check.
Are you simply blocking @pm or @protonmail addresses, blocking domains that have protonmail MX, or blocking known protonmail SMTP servers?
Being that we're talking about blocking emails based on fraud, I'd be understandable towards not wanting to share exactly on how you do it.
Yeah, that wasn't the original question. I'm a paying protonmail customer, for privacy, for my whole family. Trying to get a read of how much that's likely to be an issue in future.
They wouldn't have access to that information. ProtonMail doesn't provide it.
I don't know how it's actually done, but we use Kount and have a lot of different rules set up within it. I know protonmail accounts get crazy high danger ratings based on our settings.

They've got all kinds of levers within the platform based on your risk tolerance.

Hmm. GitHub is not sending verification emails to my protonmail right now
Are you using an @protonmail.com address or a custom domain Protonmail?
Malicious actors are among the best aware of security issues and thus concentrate on the services with the highest security grade.

That being the cause of these services being flagged as malicious is... "unfortunate", to stay polite.

Nonsense. Fraudsters use protonmail because it’s particularly easy to create new accounts.
It's straightforward to create new accounts everywhere, including in GMail. Why to single out ProtonMail then?

Personally I have been approached by fraudsters and their email was on GMail, not ProtonMail...

It’s not very straightforward to create gmail accounts with proxies, and google loves to randomly ban fresh accounts.
Google loves to ban old accounts you haven't logged into in awhile if you don't provide them a phone number.
Gmail needs a phone number. Proton Mail doesn't. That's why my email is with the latter.
Phone verification services are like 10 cents on average. Aged gmail accounts available from 30 cents or less
> Aged gmail accounts available from 30 cents or less

They’re frustratingly unreliable, but definitely an option.

Nobody is claiming that fraudsters only use protonmail.

I am using aged accounts regularly and rarely run into issues, you just need the right type of account and know a bit about the protection you are fighting against.
The reality is we're seeing most fraudsters on ProtonMail too, I'm afraid.

We considered just banning it as we're quite small, just over 10k members.

(comment deleted)
It increasingly looks like modern email is not really usable. But when looking for an alternative, it's not really there - even with some capabilities missing. It's interesting why.

Surely we can supply HTTP(S) URL-based addresses instead of emails when communicating with people or with flexible enough software. Some inflexible contacts can be coerced. What we need however is a system, preferably known enough to present an alternative.

Get a domain and use that address with protonmail. If you are not paying to PM, you can forward e-mails from your domain to PM.
I've been told adding a custom domain to ProtonMail requires an upgrade to their 'premium' services, which, is payable. Wonder if there is a way for those of us who own a domain get forwarding with their free plan. Genuinely curious.
Get your domain on Google Domains and use their free email forwarding.
I'm guessing many ProtonMail users don't really feel enthusiastic about receiving their emails through Google.
I had a bank not being able to send me emails, a semi big russian provider and maybe some more.

Sucks but well, if they dont want my business, others do.

It may be because their developers are using protonmail to test the system. One easy (not necessarily correct) way of filtering out test orders in production (who does that? :) ) is to filter out your test domain (protonmail). Any real customers using protonmail are therefore out of luck.
That would be a major oversight.

I've seen some websites whitelist accepted emails to email providers which make registration a bit more verified - by require a phone number for example (eg. GMail, Hotmail and the like).

I'm unsure where protonmail stands on anonymity.

Maybe something like this is happening.

It's not clear how are they "blocking" Protonmail (@sender, MX lookups...), but if they are then that's a very lazy (read: incompetent) workaround and I suggest you try shopping at a competitor who perhaps use a proper anti-fraud solution.

If a corporation of such size deals with abuse by blocking a sender domain name, then their security infrastructure is below poor and it should be an immediate red flag not to trust your sensitive information with them.

Or just use a different email address if you really want a laptop, depending on what your priorities are.

Semi-related to businesses not doing business with privacy-minded individuals:

Best Buy will cancel your orders after you successfully place them, if you order while using a VPN. They won't tell you why if you call and ask, but it wasn't hard to figure out.

This is so unbelievably sad to me on so many levels.