Thanks for the list! I will add them to our blocklist :) Our business values e-mail destinations where we can actually entice the signed-up user with interesting offers, or new product features, instead of sending it into a black hole.
If I give you a blackhole e-mail address, it's because I suspect you are going to spam me. Blocking the blackhole addresses only alienates me as a customer, confirms my suspicion that you intend to spam me and adds one more barrier to my trying your software or service.
It seems like you should recognize that a user does not want interesting offers when they submit a black hole address to you. Or maybe that's what you're saying you do?
By removing customers' choice to use a blackhole email, I suspect you are much more likely to lose them as a customer, rather than gain a happy customer with a valid email.
If they do go the latter route and give you a real email address, is it really so valuable to you? More likely, your interesting offers will get tagged with the "spam" flag, or auto-deleted by a filter.
What happens in that case is people just type in RandomDictionaryWord at majoremailprovider.com and then the person who really is at that address gets the pleasure of your interesting offers, even though that person probably never heard of you.
(My old gmail account gets Pizza Hut order confirmations from some guy in Texas. About every other week.)
Mailinator also has a neat one-way alias, so if you want to use MyName@mailinator.com you can have email sent to an alias mailinator generates like 321randomfoo@mailinator.com. That way, the people (spammers) that get the alias can't even check your inbox, which is still under MyName. http://mailinator.blogspot.com/2008/03/introducing-alternate...
Note that @mailinator.com email addresses are blocked at a significant number of sites due to its popularity. Throwaway email sites that alternate between several different domains work best.
You can't get a full list of them on mailinator.com, since it makes it easy for a misguided website administrator to just ban the whole list.
Instead, the site will randomly show one of the alternate domains on every page load. At one point, it would even give 'gmail.com' and other legitimate domains as the alternate if you tried to scrape them too quickly (or rather, they hypothetically-yet-definitely-didn't-do that).[1]
Today, the alternate domains are shown as an image[2], and even that isn't a complete list, since other people can simply redirect mail incoming to their domains to mailinator.com. Mailinator explicitly condones this.[3]
That will only work if you know exactly how your entire mail stack will handle resolution and you re-implement it exactly on your frontend. Consider this case:
Resolving not-mailinator.whatever.com returns:
not-mailinator.whatever.com. 86400 IN MX 10 a.bad-mailserver.com
not-mailinator.whatever.com. 86400 IN MX 10 b.bad-mailserver.com
not-mailinator.whatever.com. 86400 IN MX 10 c.bad-mailserver.com
not-mailinator.whatever.com. 86400 IN MX 10 d.bad-mailserver.com
not-mailinator.whatever.com. 86400 IN MX 10 e.bad-mailserver.com
not-mailinator.whatever.com. 86400 IN MX 10 f.bad-mailserver.com
not-mailinator.whatever.com. 86400 IN MX 10 g.bad-mailserver.com
not-mailinator.whatever.com. 86400 IN MX 10 h.bad-mailserver.com
not-mailinator.whatever.com. 86400 IN MX 10 mailinator.com
If you choose one at random, your frontend has a 90% chance of choosing a mail server that isn't mailinator. But when your MTA tries to send the message, it will notice that bad-mailserver.com is offline and try the other MXes, eventually hitting mailinator and delivering the message you tried to block.
You could put a limit on the number of MX records a domain can have, but Gmail has 5 and so you'd only reduce the chance of success to 80%.
Then you have to consider the mechanics of DNS. How many layers of CNAME indirection will you follow? Will you cache results? (If so, how will you trust that the responses are valid?) How long will you wait for DNS responses?
A poor implementation of DNS lookups will use unbounded time, unbounded bandwidth, and unbounded file descriptors. This isn't a hack you are going to code up in an afternoon, and one mistake means your website is going to randomly go down.
And so you have to ask: why? Why do you care if someone uses mailinator? Spammers are just going to set up their own domain or use someone's malware'd Windows box. And someone that wants to ignore your email is just going to have a procmail rule auto-submit your messages to Spamcop anyway.
So you gain nothing, spend a lot of time programming, and it won't solve any problems. In conclusion: worst idea ever.
Interesting, I know this is a bad idea, but: what if I connect directly to SMTP servers returned from retrieving MX records, then send `RCPT TO: <some-email@mailinator.com>` and see if it passes or errors with 550? My guess is there will be another whole range of issues involving open relays and servers that happen to not return 550 on a nonexistent mailbox?
(I'm not trying to block Mailinator, just some exercise for myself.)
You can even donate a domain or have your own "private" mailinator domain by simply pointing the MX record for a domain or subdomain you control to their server.
I've always wondered why a site that blocks mailinator sites wouldn't just do an MX lookup on any domain you put in and check for mailinator redirects.
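The MX-lookup idea above, and the objection to it in the "Consider this case" reply, as an added example (not code from receiveee or from anyone in the thread). It parses the constructed MX records quoted in the thread and contrasts the flawed "pick one MX at random" check with inspecting every exchange, which is what an MTA's fallback behaviour actually requires. The zone text and the blocklist are constructed here; real-world DNS caveats (CNAME chains, timeouts, caching) are left outside this pure-logic helper.

```python
import random
import re
from typing import Iterable, List, NamedTuple


class MXRecord(NamedTuple):
    owner: str
    ttl: int
    preference: int
    exchange: str


# Zone-file style line: "owner TTL IN MX preference exchange"
_MX_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+MX\s+(?P<pref>\d+)\s+(?P<exchange>\S+)$"
)


def _norm(host: str) -> str:
    # Trailing dot and case are not significant in DNS names.
    return host.rstrip(".").lower()


def parse_mx(text: str) -> List[MXRecord]:
    """Parse zone-style MX lines into MXRecord tuples (raises on anything else)."""
    records = []
    for line in text.strip().splitlines():
        m = _MX_LINE.match(line.strip())
        if not m:
            raise ValueError(f"not an MX line: {line!r}")
        records.append(MXRecord(_norm(m["owner"]), int(m["ttl"]),
                                int(m["pref"]), _norm(m["exchange"])))
    return records


def in_blocklist(host: str, blocklist: Iterable[str]) -> bool:
    """True if the exchange is a blocked domain or a subdomain of one."""
    host = _norm(host)
    return any(host == _norm(b) or host.endswith("." + _norm(b)) for b in blocklist)


def naive_random_mx_check(records: List[MXRecord], blocklist, rng=random) -> bool:
    """The flawed check the thread criticises: look at a single MX chosen at random."""
    return in_blocklist(rng.choice(records).exchange, blocklist)


def naive_detection_rate(records: List[MXRecord], blocklist) -> float:
    """Probability that the random-pick check lands on a blocked exchange."""
    hits = sum(in_blocklist(r.exchange, blocklist) for r in records)
    return hits / len(records)


def any_mx_check(records: List[MXRecord], blocklist) -> bool:
    """Correct check: a sending MTA may fall back to *any* MX of equal preference
    once the others fail, so every exchange has to be inspected."""
    return any(in_blocklist(r.exchange, blocklist) for r in records)


# Constructed sample, copied from the scenario described in the thread:
# eight dead exchanges plus mailinator.com, all at the same preference.
SAMPLE_ZONE = """
not-mailinator.whatever.com. 86400 IN MX 10 a.bad-mailserver.com
not-mailinator.whatever.com. 86400 IN MX 10 b.bad-mailserver.com
not-mailinator.whatever.com. 86400 IN MX 10 c.bad-mailserver.com
not-mailinator.whatever.com. 86400 IN MX 10 d.bad-mailserver.com
not-mailinator.whatever.com. 86400 IN MX 10 e.bad-mailserver.com
not-mailinator.whatever.com. 86400 IN MX 10 f.bad-mailserver.com
not-mailinator.whatever.com. 86400 IN MX 10 g.bad-mailserver.com
not-mailinator.whatever.com. 86400 IN MX 10 h.bad-mailserver.com
not-mailinator.whatever.com. 86400 IN MX 10 mailinator.com
"""
BLOCKLIST = {"mailinator.com"}  # constructed blocklist for the demo

if __name__ == "__main__":
    recs = parse_mx(SAMPLE_ZONE)
    print(f"{len(recs)} MX records; random-pick check catches it "
          f"{naive_detection_rate(recs, BLOCKLIST):.0%} of the time, "
          f"inspect-all check: {any_mx_check(recs, BLOCKLIST)}")
```

Even the inspect-all version only covers what the page's later comments point out it cannot: a domain whose MX is a private relay that itself forwards to mailinator shows nothing in DNS.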
You should append the PositiveSSL CA 2 intermediate certificate to your certificate file. That comodo cert isn't in a few browsers'/systems' certificate stores yet.
Hmm... But why should the 'password' URL be so similar to the mail address. Doesn't this mean that if I know your mail address, I can fairly easily guess the secret URL to let me see that inbox?
(Granted that in the most common use case, if I know the email address, I probably know what's in the inbox, since I am likely the person who sent the message. But still, why not make these 2 different random strings?)
A couple more examples:
1QjYwHNM vs 1QjYwHOc
1Qk07A9x vs 1Qk07A9X
Yeah, the developer is going to want to fix that quick smart. At a complete guess they are two strings being generated in quick succession from the same seed, and they both happen to be very close. End result is that I can guess your email.
Also, email addresses are in a really tight set and easily guessable. So that system should be fixed in general, not just for the address / password issue, but also to get a proper address distribution.
Addresses and URLs seem to be timestamp strings that change every microsecond, with the URL code being generated just before the email address. This makes it trivial to read someone's mail if you know their address.
You can verify this by repeatedly clicking 'Delete this address', which issues you a new mail box. The address string can be thought of as a number that is always incrementing, with the 'digits' drawn from [0-9a-zA-Z]. (So base 62.)
The URL number is always (sample size ~100) just a little smaller than the email number, but not by a consistent amount. Often about 20-30 steps away, but sometimes as much as 600 steps away (depending on server load?).
The number seems to be generated by a clock rather than a counter, since the rate at which the counter increases is very steady. The 5th digit from the right increments every 15 seconds, suggesting that there are (62^4)/15 ~= 0.99 million unique strings per second. Maybe the counter is just using the time in microseconds, and converting it to a string?
Issues raised:
1 - If I know your address, I can now guess the 'secret' URL to read your mail in a trivial number of guesses (certainly less than 1000). There doesn't seem to be any throttling of attempts on server side (I was able to manually cycle through ~30 invalid URLs fairly quickly).
2 - Email addresses 'leak' the time that they were created. (Not a clear security risk, but could be problematic in some cases)
3 - As Sami_Lehtinen says, addresses are guessable based on signup time, but given that these are disposable addresses, I'm not sure that's a big problem (who cares if a spammer guesses it). Also, even if there is a new user signing up every second, the success rate for guesses will be 1E-6.
Thanks for the hint! I already took a look into it. There are indeed only 676 options to guess the secret in many cases. We do block brute force attacks, but given that there are only 676 possibilities, you could just run the brute force tool at a very low speed.
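The base-62 analysis in the comment above, checked against the pairs quoted in this thread, plus a hardened generator, as an added example (not the service's code and not from any commenter). It decodes the [0-9a-zA-Z] digit order the analysis assumes, measures how many increments separate each quoted secret URL from its inbox address, reproduces the 62^4/15 rate estimate, and shows what an independent, non-time-based issuance looks like. The pairs are the ones on the page; the generator's length and the `secrets`-based design are assumptions.

```python
import secrets
import string

# Digit order inferred in the thread: [0-9a-zA-Z], i.e. base 62.
ALPHABET = string.digits + string.ascii_lowercase + string.ascii_uppercase
_VALUE = {ch: i for i, ch in enumerate(ALPHABET)}


def base62_decode(s: str) -> int:
    """Interpret a string of ALPHABET digits as an unsigned integer."""
    n = 0
    for ch in s:
        n = n * 62 + _VALUE[ch]
    return n


def base62_encode(n: int, width: int = 0) -> str:
    """Inverse of base62_decode, zero-padded to `width` digits."""
    if n < 0:
        raise ValueError("negative values are not representable")
    digits = []
    while n:
        n, r = divmod(n, 62)
        digits.append(ALPHABET[r])
    return ("".join(reversed(digits)) or "0").rjust(width, "0")


def step_distance(secret: str, address: str) -> int:
    """Number of base-62 increments from the URL secret up to the inbox address.
    A small positive value is exactly the weakness the thread describes."""
    return base62_decode(address) - base62_decode(secret)


def strings_per_second(digit_from_right: int = 5, seconds: float = 15) -> float:
    """The thread's estimate: if digit k from the right ticks every `seconds`
    seconds, the counter advances 62**(k-1) values in that interval."""
    return 62 ** (digit_from_right - 1) / seconds


# (secret URL token, inbox address local part) pairs quoted in the thread.
THREAD_PAIRS = [
    ("1QjYwHNM", "1QjYwHOc"),
    ("1Qk07A9x", "1Qk07A9X"),
    ("123456WC", "123456XM"),
]


def issue_inbox(length: int = 12):
    """Hardened issuance (assumed design, not the service's): address and secret
    are independent CSPRNG draws, so neither leaks creation time and knowing the
    address says nothing about the secret."""
    address = "".join(secrets.choice(ALPHABET) for _ in range(length))
    secret = "".join(secrets.choice(ALPHABET) for _ in range(length))
    return address, secret


def secret_matches(stored: str, presented: str) -> bool:
    """Constant-time comparison for the lookup, so timing does not leak digits."""
    return secrets.compare_digest(stored.encode(), presented.encode())


if __name__ == "__main__":
    for sec, addr in THREAD_PAIRS:
        print(f"{sec} -> {addr}: {step_distance(sec, addr)} steps apart")
    print(f"~{strings_per_second():.0f} strings/second if clock driven")
    print("hardened pair:", issue_inbox())
```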
Thanks, it looks very useful. However, if I want to reuse an address several times, it would be nice to be able to delete individual messages once I've read them.
Why? It seems like you are escalating a war AGAINST your users. Most folks who use a disposable address are trying to make sure their main address doesn't become a fount of spam. If I continue to visit your site/service, then I will probably decide to "update" my address on my own for the convenience. Am I really being naive?
You are being naive -- it really depends on the service. For trivial online services, a disposable email might be fine, but for anything that costs money, you're doing your users a disservice by letting them register with an email address that they won't be checking (and which could potentially get hijacked, if someone knew the address).
If a service prevents me from signing up with whatever email address I want, I won't be using it. It's one thing to discourage weak passwords, as that's a common mistake for people that don't know any better. It's another thing altogether to deny signing up with something like this, as they clearly will know the ramifications of doing so.
I have a website that gives freebies (=$$$) to new signups, so allowing throwaway accounts makes people do things like sign up for 100 accounts.
Not giving freebies is of course an option, but then there is goodwill lost on that end instead.
It sucks both ways. At least I don't spam my users, but they of course only trust that assertion so far and I certainly don't blame them - there seems to have been a significant rise in email marketing in the last 6+ months - probably some annoying YC startup or two making it much too easy for sites I signed up for at some point, but really don't want to hear from, to send me email... Tsk, tsk ;)
Then just give the freebies to non-throwaway accounts. Now your users still have a choice, and you don't lose any goodwill (obviously, explain that throwaway accounts don't qualify).
This is on the same level as adding a CAPTCHA if someone's comment looks like spam.
You might not be naive, but you are probably mistaking the value of allowing sophisticated users to try in this way versus the value of getting an email that you can send weekly updates to.
Your site seems to display any arbitrary html sent via email. So it will load flash, javascript, honour meta redirects to other sites, etc. Try running it through https://emailprivacytester.com/
It's only useful until websites start filtering out the receiveee domain - that's been happening with a few disposable email addresses.
And the highlight on " We even automatically click on common activation links for you" was a bit confusing. I was expecting a link to a page about the pointlessness of Challenge Response.
And what I really dearly want is an anonymous way to send an email - I don't mind having to sign up; I don't mind having to pay; but I really want a method where sending an email to $Person means they have to work very hard to get my real identity. (This is for good, not bad, reasons. But I can see the potential for abuse.)
Dan, I was looking into anonymous sending options recently.
Two quick questions:
- "don't mind having to pay"; what might you be willing to spend? $5/month? $50? 2c per email?
- "they have to work very hard to get my real identity"; get-a-court-order hard? Or harder than that?
Hi, I'm building something just like this called bip.io; throwaway email addresses and identity protection are a 'feature' of a wider messaging API (it's a glue platform, similar to ifttt or zapier or engineio). We're approaching a stable beta. If you'd like to try out the service, follow us on twitter @bipioapp and we will notify when the gates are open. Realistically about 4-6 weeks away, just putting it out there if you're looking for options...
(oh, and you can use whatever domain you can manage MX records for - it's preferable in fact)
They don't require mobile numbers, and setting up a throwaway gmail takes about a minute, not tied to your identity at all. You don't even have to click an activation link, if you pass the CAPTCHA.
That being said, they certainly have IP logs, so make sure to enable Tor.
They've enforced mobile numbers for quite a while now, though I suspect that might be country dependent. I can't sign up for an account without one, through my normal or torified IP (I tried several).
US based, for me, the form element appears, also with country code pre-filled, but it is not required. Further down there is a CAPTCHA that you can elect to complete or tick a box for phone verification. Strange that it's country dependent!
You're very kind, thank you. But you are still incorrect. I cannot register a gmail myself without entering a phone number. Your "workaround" of a captcha does not exist when I try. Others are talking about country restrictions - I live in Canada, if it makes a difference.
The main challenge for these kinds of services is that they're only as useful as they are unknown.
If they start getting popular, they either
- start getting slammed with volumes of spam that are so high that the creator needs to start paying some serious hosting fees to keep the service running
- get blacklisted
Mailinator has outlasted all its competitors because it addressed both problems very early on. I wish receiveee best luck but I'm betting that it won't be around in a year from now.
has a massive database and a bounty for new additions!
We have 2 factor verification for http://8centsms.com/ but with the advent of disposable inbound SMS numbers via Twilio as well as disposable email addresses we were getting a bunch of people signing up and getting the free 10 credits repeatedly.
We haven't seen the problem recur since implementing this service, though so it seems the coverage is pretty good (/me prepares for onslaught of fake email signups to get the 10 free SMS credits via fake Twilio numbers ... )
All we need now is a service to blacklist disposable mobile numbers!!
I use disposable emails only to signup to services. I later save the email and pwd with 1Password. I've been doing this for a long time.
The reason I do this is because many startups (and non-startups) keep abusing on the amount of email they send you, even if I unsubscribe from their "newsletter" they come up with other non-newsletter emails - and this is just unbearable. I feel like being spammed most of the time.
The advantage of using disposable email is that I have access to the service, I decide when I receive emails and it's a great way to protect my account from being hacked (think of any recent social eng hack a la Amazon, Apple, etc.; they couldn't do it without your signin email).
A handful of other colleagues do the same thing. If you blacklist users who want to protect their privacy and want control over their inbox all you are doing is blocking (in our case) affluent users.
Many email services offer disposable addresses integrated with your real email account.
Yahoo in particular has an excellent system for doing this; you can generate disposable addresses by adding a unique string to a base name particular to your account (but which isn't identical to your real address, as it is if you use a '+' delimiter with Gmail). By default, all messages received at any disposable address go to your primary inbox, but you can designate an alternate folder for each of them. Since all of your disposable addresses are @yahoo.com, it's impossible for admins to blacklist the domain.
Sorry if this sounds like a commercial for Yahoo Mail; I'm just very happy with this feature and almost never resort to using Mailinator et al.
DEA users are most likely long time internet users who care about their privacy and have learned to protect their email. At the same time, they have enough interest to register and try your stuff - so let them be... If the site requires users to enter an email address for freebies, savvy users will eventually find a way around it, as you suggested. You might also be blocking the early adopters. Eg. bloggers who want to review your stuff, etc!
https://gli.ph Cloaked Email is more convenient than these services and can offer you the same or better privacy.
receiveee looks great for incoming one-time emails like spam and confirmation emails. Gliph allows two-way email, at the cost of having to create an account.
The cloak address you generate on Gliph forwards mail to your real inbox. When you reply, it appears to come from the cloak address.
My favorite disposable email provider, by far, is 33mail.com, mainly because the addresses don't have to be disposable. You give a different email address to each service, and, if you get spam, you know the culprit and can block them right away.
Thanks for the tip. I always forget about these because the domains they use are usually too silly (they should just let us use raw IP addresses); and also because I use email so infrequently. Mailinator seems the only one I remember. There's another disposable email provider... I can't remember the name... the accounts are time-limited. Truthfully, it's an email forwarder; they ask for a personal email address. (Maybe you could forward to another disposable email provider.) You can choose to have the account last hours or days. I know I've seen it mentioned on HN.
You can also just add +domain to the local-part of your email address and do that without needing a disposable email service. Theoretically some sites may strip them out, but I doubt that many go to the trouble.
Also any Google Apps servers. Seems like a lot of extra work to look up a domain's MX records to figure out if it's safe to strip anything after + from their email address, which will only serve to annoy your users anyway.
Question for business owners/founders: how do you feel about people signing up for your services with these throwaway email addresses?
On the one hand, I respect people's privacy and right to use whatever email address they like.
On the other (more relevant) hand - I sometimes need to contact users who violate terms and conditions that their access may be switched off (I'd never do this without contacting them 2-3 times). Also, I might need to inform them that something has changed which might affect their usage. My service can be quite integral to a lot of apps, so to me that's an important feature...
My feelings are that trust is a two-way street. If people don't trust us with their email address, I don't think it's fair for them to expect us to trust them with an account on our service if they provide a fake email address.
If they are serious about evaluating our product, they can provide a real email address. If they aren't very serious or inherently don't trust us, then I'm willing to miss the opportunity of having them as a customer.
I respect their privacy, because we don't spam, sell, or abuse any of these email addresses ever, but I find it hard to trust anyone with an account on our service if they use a fake email address. Personally, when I sign up for services, I find it helpful to gauge the company based on how they use my email. If they automatically start sending me marketing materials the next day, that tells me a lot, and I'll generally cancel the service and report all of the subsequent marketing emails from them as spam. The only way to do that effectively is if I use a real email address.
Do people use these fake inboxes for any reason other than trying to prevent or cut down on spam? Am I overlooking some key aspect of allowing people to use these email addresses?
> If people don't trust us with their email address, I don't think it's fair for them to expect us to trust them with an account on our service if they provide a fake email address.
I've not used a single website that hasn't flooded me with "email newsletters", "promotions" and "reminders". Even my damn utility companies (each on their unique addresses) both sold and spammed the address I gave them with the stuff.
Why should a potential customer be willing to trust you with their email address? Perhaps you are very respectful of their privacy, but already their trust has been violated plenty of times by other, less honest companies. "One bitten, twice shy" and all that.
I'm not claiming that they should trust us. I'm only saying that it works both ways, and that we as business owners have a choice about whether to trust potential customers just as much as they have a choice about whether or not to trust us.
It might be anachronistic, but if a potential customer wants to begin a relationship with us with a lie, then of the two of us, I would think we have more reason to mistrust that individual than they have to mistrust us. Their mistrust is based on projecting bad behavior of other companies onto us whereas our mistrust is based on them actively beginning the relationship with a lie.
Of course, this decision may cost us some potential customers, but for now, that's something that we're willing to accept.
> "trust is a two-way street. If people don't trust us with their email address, I don't think it's fair for them to expect us to trust them with an account on our service"
Solid justification for disallowing them. My service doesn't even send a reply-verification to users (but Free users get a CAPTCHA... sadly) and just assumes validity. Perhaps I ought to integrate it at some point, but personally I hate having to click to verify my email address. Comes back to trust, again.
If you don't need their email address why do you even ask for it? In my mind reply-verification is mostly for account recovery purposes. If they fat-finger their email address they will never know it until they also forget their password. At least, that is what I experienced on the one app I deployed that didn't verify email addresses (but did need to send notifications to them).
Thoughts ?
Well, ...We (supposedly) live in a free country.
Analogy: When one fucks his/her neighbor's wife/husband (no, just kidding, nobody ever does that IRL), one at least draws the curtains, or goes to rent a motel room 500 miles from home. It can lead to legal problems, big loss of money, and shattering a whole family (hurting real people for real), but no jurisdiction in North America or western Europe would send someone to jail for that.
So... Signing into your new shiny service with a dupe email? You bet I will. All the more if it's free. And that's just the beginning. It's time people realize their "profile" is as private as their "privates". Don't let anyone profile you for free. Your profile is worth more than that, right?
That answers your question?
(Btw nothing personal; as for the "illegal" stuff happening on your service, it's mostly your problem, alas :( and that's not the easiest part. As long as you wish to profile users, you cannot securely (as in security by design) offer them privacy, and hence will run into the kind of troubles you allude to)
I think the adultery metaphor is a little far-fetched, or perhaps irrelevant, but I understand that privacy is as serious an issue as those things you mentioned.
Perhaps a better approach for startups/businesses is to inform users (perhaps with some kind of UI-friendly alert) that it's OK for them to use your service with a fake email for up to one week at a time (or etc.) - kind of as a trial - after which their account will be deleted.
This shows that you're happy for them to try the service out with no obligation - but if they won't use a 'real' email address, they won't get a 'real' account.
I invert-quote 'real' because, obviously, it's just as possible for them to use a throwaway gmail account.
I'd be fine if people signed up with these to try it, but they should use a permanent address if they want to continue using it. I would have no sympathy at all if they lost their account.
Fair play. I suppose the key thing is I've been able to strike up some really good relationships with users and customers by knowing their email addresses - but clearly users of throwaway email accounts aren't going to be open to that kind of communication anyway.
Mainly I've noticed a distinct correlation between spam signups/service abusers and throwaway email accounts.
Great tool. I would like to ask HN folks' opinion on another kind of email service. It's quite possible that google or yahoo can boot you from their service whenever they want...even if you don't think you violated their TOS. Do you guys think there is room for a service in which, once you signup, you will never be booted from the service? All data will be yours, or after you are gone, it will belong to your descendants.
Of course, there are spam considerations here..but I think they have to be worked out.
Some services, like Facebook, normalize the mail address (turn all letters to lower case). Can you make sure that mails to the normalized email also reach my inbox? (They don't now!)
What provider doesn't violate that part of the spec? I see plenty of sites/services that uppercase my email address for whatever clever reason they feel is necessary; not violating that part of the spec and actually making the address case-sensitive would be a detriment to the users.
One thing I like about receiveee more than mailinator and 33mail is that you can start using it without signing up. The user interaction is very smooth.
I have a google apps account which runs something like administrator@example.com. I put their domain www.suspiciousvendor.com@example.com as my email address when I sign up. I get all emails sent to *@example.com in the google mail archive folder, and I can search if I need to.
http://www.tempomail.fr/ is what I have been using for a very long time. You can have it redirect to your normal e-mail address and there is a nice chrome plugin for it too.
I'm finding that the secret url is very very close to the actual email addresses in most cases. It's fairly trivial to guess inbox addresses based on email addresses. Is this ideal?
"Only you can access this inbox by returning to this web site using the same browser or by saving the link for this page. Others are not able to read your mail."
I tested it from both my gmail and outlook.com account. I instantly received the e-mail from gmail but from hotmail I never received the test e-mails I sent.
Is this service really safe? It shows me a page with URL like https://receiveee.com/123456WC, and an email address of 123456XM@mailseal.de, so only the last two letters are different. Now once my email is sent and the address made public, isn't it very easy for someone to find out the page?
http://mailinator.com/
http://10minutemail.com/10MinuteMail/index.html
https://www.guerrillamail.com/
http://www.dispostable.com/
http://dudmail.com/
http://getairmail.com/
http://mailcatch.com/en/disposable-email
http://spambox.us/
http://www.yopmail.com/en/
https://ssl.trashmail.net/
http://www.fakeinbox.com/
http://www.fakemailgenerator.com/
http://www.tempinbox.com/
If I am really paranoid or just on tor then I use http://tormail.net/
Now adding https://receiveee.com/
One of the reasons why I have a list of all these disposable email services is because some do get blocked from websites.
Eg. mailinator: I loved the service but it's mostly blocked everywhere now. (I know there are alt domains for mailinator)
Really appreciate all these services.