The question is one of ratio, and false positives versus false negatives.
If 90% of Tutanota-originated emails are fraudulent, Tutanota is an excellent fraud indicator, even though it will block legitimate emails.
If 10% of Gmail-originated emails are fraudulent, Gmail is a terrible fraud indicator, even though it will let fraudulent emails pass through, possibly more than the count of fraudulent emails coming from Tutanota.
But if you block Tutanota the fraudsters will just switch to Gmail, and all you accomplished is that you inconvenienced legit Tutanota users.
I wonder why so many companies drag their feet when implementing actually useful anti-fraud measures (like supporting Verified-by-Visa) and instead block random email providers.
> drag their feet when implementing actually useful anti-fraud measures (like supporting Verified-by-Visa)
Most ecommerce merchants are non-technical, and utilise 3rd party platforms (Shopify, BigCommerce, etc.) that in combination with their Payment Gateway don't support these systems.
I can safely say that every order my business has received with a Tutanota address has turned out to be fraud. It is a really strong indicator for a fraudulent transaction.
There are many other signals, but for some reason this is a really strong one.
We see a similar trend with Aleeas, and Simplelogin.
We still get fraud from Gmail and Outlook addresses, but it is picked up using other indicators, IP, IP owner, Shipping Address, phone number reachability, carrier, Payment Methods, name, useragent, "for lease" or "for sale" status of the delivery address etc etc...
The question is, does blocking Tutanota reduce total fraud, or does it just make fraudsters move to a different email hoster and you end up with the same total fraud?
Real-world ecommerce systems often end up with quite a long list of email domains that either provide some weight to a "fraud or not?" algo, or are outright banned.
You don't just block Tutanota, you block a big, long list of high-abuse email sources, periodically updated.
It surprises me that this would be effective, since setting up an email host that's just capable of receiving emails should be trivial.
Then again, maybe I am overestimating fraudsters, and by blocking email hosts that make it too easy to sign up you can get rid of a significant chunk of them...
Their game is high-volume-low-cost/effort, which I think is the main reason that this approach does significantly cut fraud volume (admittedly at, typically, a tiny cost in lost sales).
A lot of them are just stuffing stolen credit card numbers to try to find which ones still work, anyway, so they don't care about breaking into your system in particular, they just want to find any system that will let them attempt a charge. If they're finding enough of those using cheap or free anonymous accounts from low-credibility email address providers, they have no reason to spend more time or effort on it.
Blocking these providers doesn't mean you won't still see better-targeted fraud attempts, but it cuts down on a ton of the low-effort but high-volume automated crap—and that stuff can kill a merchant payment processing account in a weekend, if you're not pretty good at blocking it.
Consider when you’re tempted to ‘what about’ an issue that there’s an important distinction you’ve missed rather than see it as evidence of some grand injustice - in this case that Gmail processes orders of magnitude more email than Tutanota.
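The ratio argument at the top of the thread and the "weight or outright ban" domain list described further down, worked through as an added example (not code from any participant). The domain names, thresholds, minimum sample size and order history are all constructed assumptions.

```python
from collections import Counter

def domain_of(email):
    """Lower-cased domain part; raises ValueError on malformed input."""
    local, sep, domain = email.strip().rpartition("@")
    if not (sep and local and domain):
        raise ValueError(f"not an email address: {email!r}")
    return domain.lower().rstrip(".")

def domain_stats(history, min_orders=20):
    """history: iterable of (email, was_fraud). Returns {domain: stats}."""
    total, fraud = Counter(), Counter()
    for email, was_fraud in history:
        d = domain_of(email)
        total[d] += 1
        fraud[d] += bool(was_fraud)
    all_fraud = sum(fraud.values())
    stats = {}
    for d, n in total.items():
        if n < min_orders:  # too few orders to trust the ratio
            continue
        stats[d] = {
            "precision": fraud[d] / n,  # share of this domain's orders that were fraud
            "fraud_share": fraud[d] / all_fraud if all_fraud else 0.0,
            "legit_blocked": n - fraud[d],  # false positives if the domain is banned
        }
    return stats

def classify(stats, ban_at=0.95, weight_at=0.5):
    """Split domains into outright bans and weights for a fraud score."""
    banned, weights = set(), {}
    for d, s in stats.items():
        if s["precision"] >= ban_at:
            banned.add(d)
        elif s["precision"] >= weight_at:
            weights[d] = round(s["precision"], 2)
    return banned, weights

# Constructed history: a small provider with 90% fraud, a large one with 10%.
HISTORY = (
    [("a@small-provider.example", True)] * 90
    + [("b@small-provider.example", False)] * 10
    + [("c@big-provider.example", True)] * 200
    + [("d@big-provider.example", False)] * 1800
    + [("e@rare.example", True)] * 3
)
```

On this constructed data the large provider carries most of the fraud by count but is useless as an indicator, so it has to be handled by the other signals; the small provider becomes a strong weight at the cost of 10 legitimate orders.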