90 comments

[ 2.9 ms ] story [ 160 ms ] thread
What it is...

Create a new uniqe mailhero email when you sign up to a new service etc. Mailhero will keep forward those emails to your real one until you choose not to.

So if that email ends up in a spamming list and you get starting to get alot of unwanted email from different spammers that could be hard to block you could just stop the forwarding.

So it works like a temporary email but is more permanent at the same time. And dont stop working after like 24h like many other temporary email services.

(Sorry for a shitty title)

Looks similar to https://www.spamgourmet.com/ which I used to use back in the day... and I guess is still a thing!
You mentioned it before I could! I'm somewhat amazed that site is still ticking, but I'm happy it is. I should make use of it more often... It even has some really nice features like being able to send email from your temporary address and more manual management of each temporary address you create. I highly recommend checking it out, even if the website looks old and strange, it's solid.

EDIT: Oh, and you can download the code for it and run it yourself if you want. Fantastic.

Everything old is new again... still use SG everywhere that doesn't filter it, I'm actually kind of glad the kidz have never heard of it because a surprising number of newer sites don't.
How is this different/better than Gmail's address+spammer@gmail.com?
Spammers know to take off the +spammer part.
Also some websites won't let you put + in the address despite it being a valid character per protocol. Crippling email sign ups for one company, astonishing.

Fastmail has subdomain addressing. eg. hackernews@myemail.fastmail.com which is a lot harder to detect.

I like Yahoo's approach-- they do their disposable email aliases like this:

basename-spammerspecificsuffix@yahoo.com

Where basename is user-chosen (and not necessarily related to the real email address), and the suffix has to be registered ahead of time (so a spammer can't just start randomly generating suffixes to avoid filters).

Couldn't spammers just start sending to (rand).username@mailhero ?
Also you have to maintain the rules filtering out all the +spammers indefinitely. Presumably with this service or something like it, whenever you wanted to you could just create an entire fresh id. (As well as the ability to turn off specific addresses as they describe.)
If this becomes popular, what stops spammers from figuring out that the part before the last dot in the username can be anything?

A lot of shady folks already know about Gmail's plus-addressing trick. If I were a spammer and I found that foobar.username@mailhero.io didn't work, I would just try bazbaz.username@mailhero.io.

Perhaps you could set up the system to only accept aliases that have been explicitly configured. But that would make Mailhero a bit inconvenient for regular users, since they would have to add an alias before using it elsewhere.

Another possibility would be to add a big button in the dashboard that automatically generates a plausible address (e.g. barack.hillary.trump@mailhero.io) with no connection whatsoever to your regular username or other aliases. No need for the user to decide what alias to use, and no way for a spammer to figure out a working alias.

i think an easy way is to send a notification email for every new sub-email "registered". No email gets forwarded until the new sub-email is verified.
Sounds awesome, would love to try it. Spent 5 minutes trying to sign up, but every variation of usernames that I tried were taken. This normally wouldn't be an issue to complain about, except that in order to test whether a username is available or not, I have to enter the username, password, and captcha every time.

Please please please tell me whether or not a username is taken as a type it before I go further.

Same awful experience here. Sounds great, was terrible.
I also had every username I tried come up as taken. Even ones I found on main stream sites.
I'm having a similar experience. I have a username that is NEVER taken... Not even on Gmail, and yet it was not available. I sense that the form is wrong, or maybe it's not accepting new users right now.
yeah, total fail. Every variation of my fairly uncommon name including random numbers at the end of my full name.
Yes, my bad! I did not expect my site to get hacker news'ed while I was sleeping and I hadn't scaled up the web server for that... You can try again now. :)

The really good news is that all mails are always buffered on another server, so even if the whole thing was to go down, all mails will reach its destination in a timely manner.

Signup seems to be broken? I've tried a few 'random' (keyboard-mashing) usernames to no avail. As guptaneil pointed out, some immediate form feedback on username availability would be very helpful as well.
I made something almost exactly like this 6 years ago. Called whyspam.me

Good luck.

I feel like this kind of service would be used for nefarious means pretty regularly, and subsequently the people trying to track that kind of activity would be knocking on the door quite often. Did you find that to be an issue?

Once upon a time I considered a similar service that could be abused and ultimately chose not to go ahead because it simply "isn't my problem" to deal with those two groups of people. I wanted no part in it, for good or evil, even as an unbiased conduit.

This here is unfortunately why services like these are a bad idea. If you don't control the MX pointer you need to accept that these mails can be lost. A lot of mail providers seems to support the + syntax and similarly so MTA's like postfix. I would suggest you direct your attention there instead.
I have been using gishpuppy for several years. It actually works. It's a free service, you create an email for any website that asks for one. There are addons/extension for firefox and perhaps other browsers, too.

http://www.gishpuppy.com/

Why can't it just be some random hash? For me, a key benefit of a disposable mail account is not to have any identifiers including username.
You could make your username be some random hash?
> You could make your username be some random hash?

Why not? 285e5c0452918bf77370c4a013317be4cf5e1ff690cc33a7346e837f59cdca58@foobarbaz.invalid is, I believe, a valid email address. If that's too long, you can always truncate it.

You could simply use something like base64 on a username you regularly use as the hash.
Cool idea. I run mailsac.com and it kind of does this. Do you have a business model? Times be tough in the temporary email niche
I think the best part about this is that it makes it easy to see who is selling your email. That can bring some accountability to these services that collect your email, and supposedly never use it.
> That can bring some accountability to these services that collect your email, and supposedly never use it.

In my experience, though, they deny everything when you follow-up.

At one point I started receiving third-party spam to santander_currentacct@[domain]. I contacted Santander, my bank, to ask how that e-mail address had leaked. They insisted that I must have used it elsewhere since their systems were watertight.

I changed it to something like santander_dontspamme@ and sure enough after a few months the spam started. This time Santander didn't even reply to my complaints.

I subsequently moved my current accounts to another bank, leaving £0.01 in several Santander accounts just to keep them open.

With gmail, you can create a custom email for each service, like so: youremail+service@gmail.com

Later on, if the service doesn't let you unsubscribe, or sells your email to other spammers, you can just set a filter to trash emails sent to youremail+service@gmail.com

Anyone with half a clue that is doing heavy marketing via email, knows to strip the stuff after the +. BTW, the + is part of the email specification, and technically any email server not supporting it is broken.
Additionally, either through malice or mistake many email forms disallow + signs entirely.
Although '+' is an acceptable symbol, there's actually nothing in the RFCs that mandates sub-addressing behaviour. The closest you'll get is RFC5233 that defines it for the Sieve filtering language. So although very common, sub-address behaviour is not a standards requirement and should not be presumed.

By "heavy marketing" I presume you mean spammers. If not, be warned, sub-address stripping will mean nondelivery in some cases and could trigger blacklisting via honeypots.

I've been doing something similar, except with a Google Apps catch-all address.

Unfortunately, a lot of spammers use BCC, so AFAIK for those emails there's no way to figure out which email address was compromised, and thus no easy way to filter them out en masse.

The easiest way is to filter based on the "Delivered-To" header (click on "view original" to see all headers).

No amount of BCC'ing affects that header because it is set by gmail itself, not by the emitter.

Wow. This is amazing.

Time to go back and look through all my spam and filter them all. =)

I only wish I kept more of them around...

With gmail, my process with unwanted emails is:

1) Locate and click the "Unsubscribe" link. Usually, that is it.

2) If there is no "Unsubscribe" link, or if it requires more than one subsequent click, then "Report Spam"

3) ... if I get an email after unsubscribing, "Report Spam" straight away

The "unsubscribe" link is just as likely to be malicous as any other link in an unwanted email. For this reason, I skip your set #1.
The main problem with this is that many services won't allow your mail address to have a + in it.
(comment deleted)
You need to trust your mail relay to not go offline or you lose the ability to reset your password etc.

Worse would be if someone used the relay to intercept a password reset and pwn you.

Better to implement filters on Gmail or whatever, server side with the + suffix.

Spammers are going to figure out how to manipulate these if it gains any traction; if I were a spammer, I would just send each email from a different MH email address with the same username.

See also Throttle[0], which does a similar thing using a browser extension to generate random emails addresses.

[0]: https://throttlehq.com

You can maintain a whitelist on your real email client with only allowed forwarding addresses from mailhero. mark everything else as spam
What would it do if people would just strip the prefixes before the dot just for mailhero? Would the email still gets forwarded? Should I shut down the account?
It suggests that that is exactly what could happen: "Do not give out your bare-naked mailhero address (xxx@mailhero.io). Always make sure you add something before the dot, otherwise you can't stop the mails from arriving!"

Seems like that should be a simple fix for them.

Since I have Google Apps (eg bla.com), I just turn on "catch-all email" settings, and whenever I join a service, I'll use "servicename@bla.com" (eg paypal@bla.com).

Interestingly, sometimes I receive spam from AnotherService sent to OriginalService@bla.com. From there you can see which services sell their data to 3rd party.

I have been running a similar service for myself on my own exim mailserver for a couple of years now and very happy with it. Provided explanation on how to achieve this on my blog https://www.guidodiepen.nl/2013/02/catch-almost-all-in-exim-... Whenever an address is receiving too much spam, I just blacklist it at the server level, ensuring I don't have to filter it anymore in my mail client since the server won't even accept it.

Have to say that it is always funny when a person asks for my email address and it confuses them when the address part before the @ sign contains their company name :) Often get the question whether I also work at the company or so.

That was a nice tutorial! I did something similar too before creating Mailhero.

And regarding the confusion about stuff before the @-sign: I have gotten "Wow, you work here?!" a million times too... :)

Ditto, I get that a lot too. That pregnant pause on the other end of the line after you get as far as <companyname>@...

What I have discovered as well, is that gmail/hotmail/yahoo addresses are so ubiquitous, that call centre staff get very confused when your email address doesn't end in one of the 'big three' domain names.

Also don't get me started on the problems I've had trying to explain that yes, .io is a valid domain ending for an email address...

I have run a server with a similar setup for many years. And some people get really confused. It can be quite funny sometimes.

The best moment was my SO explaining to someone on the phone, why the email address included their company name.

Paraphrasing: If you get hacked or sell my email I will know it was you. So don't sell it, and make sure you stay on top of your security.

I used to contact companies by email after they leaked my throwaway email address, but I don't any more, because some got angry and others were just confused.

Yeah I lost my preorder for PS4 over that issue, K-mart just cancelled my preorder because they thought my email address was suspicious. mind you this was at the time when you'd have to wait months for the machine to be in stock again. I spoke on the phone with their manager and there was nothing they said they could do about it. So I've never shopped there since.
Another thing I am working on for Mailhero is to start publicly listing sites/organizations that have leaked mail addresses. This list currently includes Coca Cola, Adobe, Neteller and others.
You can add box.net to the list. I used a one-off email address on their service and it got leaked. They were at least honest enough to confirm it did indeed happen to them:

   We were recently informed by a handful of users that they had received spam email at the address associated exclusively with their Box account. We scoured our own systems and checked every possible scenario, and didn't find any evidence of our systems being compromised. Thanks to information sent to us by our customers, we were able to pin down that a third-party email service we used to send our newsletter to select users in February, March and April had been compromised.
   
   No other information beyond email addresses were ever exposed to this vendor.
   
   We sincerely apologize for the inconvenience this has caused our users. We continue to be committed to your privacy and keeping their confidential information safe. As a result of this issue, we're leaving this particular service provider immediately and consolidating all of our customer communication efforts within a single vendor with more robust security practices.
Like many of you, I've rolled my own interpretation of this solution. I've got a self-written MTA that supports any recipient prefixes on emails that are sent to @domain.com. It then firstly checks the RCPT TO: address (the _real_ TO address) against the email aliases assigned to all my users in the Active Directory/Exchange Server. Once that check is passed, it then runs the email through some custom blacklisting rules, and then finally runs the email through SpamAssassin. If the email gets past that, then it gets delivered into the users inbox.

In Active Directory, the proxyAddresses attribute is used to stack up custom <something>@domain.com addresses for each user, which allows for many aliases per inbox. It does require management on the users part - they have to add an alias if want to use it, but that's done via a webform, so easy to do. Likewise they can yank an alias if it's been leaked and gets abused.

This solution has been running for over 5 years now, and it works very very well. The only downside is having to manually add new custom blacklist rules due to the adaptive nature of the spammers.

>The only downside is having to manually add new custom blacklist rules due to the adaptive nature of the spammers.

I wouldn't really call that a downside until AI is here.

Impressive work!

I'm thinking of doing something similar and hope to learn from your experience. I have two questions. (1) Was it easier to write your own MTA than to use the milter interface to Postfix or other mature MTAs that support it? (2) How would you set up the MUA to use the right alias in the return address when users reply to a message instead of leaking their real email address? (e.g., Would you need another lookup table somewhere that maps (user,recipient) pairs to user aliases?)
Interesting concept. There have been a number of times when 10 minutes that others typically give hasn't been enough for me.
Love the anecdotes at the bottom. I’ll add two of my own:

- Sent myself a photo from a Southern Californian theme park that starts with "D" and ends with a fireworks show, using a custom email address: No third-party spam, but my god their "unsubscribe" links (NOT that I ever subscribed) just don’t work, I got a promotion for everything vaguely Disney-related for a year until I blocked the address completely. Whoops, gave this one away!

- Signed up for a famous freemium file-syncing service whose name also starts with "D" using a custom email address, never used for anything else; that ended up in the hands of spammers.

> Signed up for a famous freemium file-syncing service whose name also starts with "D" using a custom email address, never used for anything else; that ended up in the hands of spammers.

Wasn't just me then. I /know/ I never used that particular address for anything else as it was specific to the D___Box service. Yet within 2 months, started getting lots of spam on it. I don't recall that company getting data breached, so totally unclear how that happened.

I’ve been working on the assumption that a massive breach did happen, but was never announced (perhaps not even discovered internally).
The same happened to the address that I gave to the D-freemium file-syncing service... Never used that address anywhere else.
Very cool. Right now I'm using 33mail with a custom domain
Is there a service that lets me send mail from such an email address as well?

Let's say I use this for my Amazon account amzn.myusername@mailhero.io and I need to get in touch with Amazon customer support. For verification they require me to actually send an email from amzn.myusername@mailhero.io.

Or another case: as soon as I have to actually send an email to a service I signed up for and use my real email address, that is then known to the service and could potentially be leaked.

I am going to add that functionality soon. You will, of course, have to click the recaptcha for each message send... I hope everybody understands why. :)
You could use gmail to send email from these addresses. Gmail requires you to verify that you own the email ids, which should be possible to do with the way mailhero works.
Sounds like an effective (if slightly underhand) way to monetize. If paying up is the only way to retrieve an account someone cares about...
This looks really good. I've just seen this message though when I verified my email address: "Do not give out your bare-naked mailhero address (xxx@mailhero.io). Always make sure you add something before the dot, otherwise you can't stop the mails from arriving!"

If anyone from Mailhero is here - why don't you block the bare-naked emails? If this becomes popular then marketeers can just search for @mailhero.io addresses and strip off any string followed by a dot so that they can spam you.

It would be easy enough to just prepend something random to the bare email's anyway, or to replace the random bit with every e-mail sent. So you can still spam mailhero users.
On the same note, they can just construct <random chars>.user@mailhero.io and email sent there will be forwarded to you as if that's the custom email address you sent out.
Additionally, with Inbox one can flag stuff as lower priority or delay delivery of a bundle
Love this idea, and the copywriting on the page is absolutely brilliant!

I hand-rolled my own solution a while back on my own server, simply creating a random forwarder and "tagging" it with a description, so I can always go back and lookup what fw839kopa4 was for... It's a ugly hack, but works.

My ugly hack has the added benefit of not accepting just any email address, but only those I explicitly defined. On the flip side, I have to run this small script and can't just give out citibank.myname@mydomain.com to anyone on the fly.

Thank you for the compliment about the copywriting! I did try to put effort into explaining what Mailhero actually does and to make sure that I explained why I made it instead of pretending to be somebody else. :)