Show HN: An ad free temporary mail service
I've now revamped the UI, added more domains and created an extension that shows your inbox in your browser (it only asks for permission to read from TemporaryMail.com and not all sites like the other extensions), it's also free from ads (paying the service out of pocket and perhaps adding an upgrade feature later on).
What makes this site a bit more unique is that I wrote the email parser from scratch following the RFC (took me 2 months and tons of testing) so it should display all incoming emails exactly as they are displayed in your favorite email client.
The site itself: https://TemporaryMail.com
Firefox Extension: https://addons.mozilla.org/en-US/firefox/addon/temporary-ema...
Chrome Extension: https://chromewebstore.google.com/detail/temporarymailcom-a-...
Edge Extension: https://microsoftedge.microsoft.com/addons/detail/temporarym...
Opera Extension: https://addons.opera.com/en/extensions/details/temporarymail...
Please give me your worst and criticize it to oblivion as I want to improve it. Also thinking about adding an API for it so let me know your thoughts on that too.
PS
I launched this back at the end of December 2020 and posted here on HN and it didn't get much traction.
95 comments
[ 3.0 ms ] story [ 125 ms ] threadIt started with me getting annoyed with SHEIN as they sent out spam to me and their unsubscribe link was set to localhost (127.0.0.1 - they are still using this last I checked) and in the same time period I found a suitable domain at an auction so I thought I'd give this a go.
Regardless, I appreciate your efforts to help the community. I wish you good health and success.
I will take a closer look at this and see if it's possible to improve it in some way.
Thanks for the kind words also and the same to you! =)
How great would it be if you could combine the benefits of such services?
I appreciate your time.
SL: https://simplelogin.io/
AD: https://addy.io/
DDG: https://duckduckgo.com/email/
I quote a section that corresponds to my situation
>Email is everyone’s primary trust anchor online
>If a user loses access to an online account, most services have an account recovery mechanism that will let the user back in. Usually, this works by sending an email to the user with a one-time password.
>If an attacker compromises a user’s email account, they can use the same mechanism to gain control of the user’s account on any service that uses the email account as a trust root. In practice, that’s most of the user’s online accounts. Unfortunately, two-factor authentication only offers limited protection. It is opt-in and usually uses a phone number, which is easily hijacked.
>If account recovery emails were encrypted, the trust anchor would instead be the encryption key. Since the encryption key is stored on the user’s computer, this would defeat this type of attack.
Nobody will send PGP encrypted email to an alias email address. The email alias will route emails using PGP to your inbox.
> Sender (without PGP) -> Alias (with PGP) -> mailbox
I'll look into this now that it makes more sense, thanks for the advice!
Many temp mail domains are blacklisted. only way to get around is rotating the domain name everyday.
I will give it a try.
I'm however thinking about creating a paid service with a low price (maybe like $2/month) just to filter out the majority of the bots and then using that money to get a lot of domains.
And they also don't allow you to view all the active domains which helps against getting blacklisted quickly
(Kinda like a penguin is technically a bird.)
I have to admit that they have improved though as earlier they were all using the same MX records, now at least each domain has its own.
Something like private aliases attached to a real account you actually have adds privacy, but retains accountability. (You can create aliases on Proton, Fastmail, Outlook, etc. but they are attached to your real account so abuse is manageable.) A service rotating temporary domains to avoid services blocking them is a malicious attacker, and should be treated as such.
If you want to block a malicious attacker, then you can use a captcha.
A serious malicious attacker wouldn't have a problem paying a few dollars to buy a domain, creating a catch-all address and if he wants to take it one step further he can even have it look like a legitimate email service.
Disposable services are ad blockers for emails.
I certainly agree people shouldn't be asked to provide an email if it's unnecessary, but again for the issue of bots, scams, and fraud, you generally need some sort of unique relatively hard to get many of identifier to prevent people making tons of accounts on any service which either allows posting content or costs money to provide service. Email is generally okay for this.
Ultimately disposable email providers who continue to believe domain rotation is anything but an attack will force a far worse outcome, which I've already seen some major sites do: Only accept registration from Gmail, Outlook, and Yahoo accounts. (The Verge is one example where I know I had to register with a Gmail account and open a support ticket to change my email to my real email because they figured out the best way to avoid abusers on disposable email was to allowlist major providers.)
What is the difference between the two though?
This kind of reasoning is why people can't run their own email servers anymore and instead have to rely on the big services.
>If you know the space, you'll be aware CAPTCHAs are trivially defeated today, regardless of the provider.
They are a lot more reliable than an email which is basically just a domain that anyone can buy and setup within mere minutes giving them access to endless email addresses.
>you generally need some sort of unique relatively hard to get many of identifier
Why not use phone numbers instead if the issue is truly important to them? This would cost spammers and bots way more money than emails.
Perhaps it's due to the fact that they won't be able to use the phone number to send their spam (or they could I guess, but it would cost them some money).
If you have a hundred aliases on say, Fastmail, and someone reports one of them, Fastmail can investigate the abuse you are involved in and can suspend your account. But the places you are using those aliases have no way to identify the main account of an alias, they can only report the alias, and Fastmail, the company providing your core service, is the only one that has the ability to deanonymize that relationship. Most of the services who allow these excess aliases are paid services or have identity checks, so other service providers can trust they will do a reasonable job to prevent abuse.
Meanwhile, if you bother to investigate how your service is being used, the percentage of users using it to abuse other sites will inevitably approach 100%. As bot spammers realize you're another set of free email addresses they can stack up, they'll swarm to each new domain you rotate to. If you are as privacy focused as you say, you'll have no tools at your disposable to regulate this either, they have plenty of IP addresses to work with, mostly compromised devices on residential IPs that are part of botnets, that will look like real users from a cursory glance.
> This kind of reasoning is why people can't run their own email servers anymore and instead have to rely on the big services.
That's why it's so fundamental that you understand rotating your domains is abuse, and it hurts the email ecosystem. Every time someone like you thinks this is okay, you make more service providers lock down what email domains they accept, punishing folks like me who just want their own domain on their email. Because disposable mail services do this, we all get punished for your bad behavior.
> Why not use phone numbers instead
Well, that's what a lot of major providers do. Gmail makes it much harder to get going without a phone number these days, mostly for that reason. I certainly don't want to have to give my phone number to every site I sign up with, but if that is, in your opinion better for privacy, by all means, enjoy the fruits of you screwing over email for this.
What if the Fastmail account is simply just using their free 30 day trial, how will they track the user then?
My point is that the malicious user will still have a way, while the legitimate user is punished by having to pay a fee to the email provider.
> Every time someone like you thinks this is okay, you make more service providers lock down what email domains they accept, punishing folks like me who just want their own domain on their email.
How about no one gets punished and service providers verify phone numbers instead of emails and we get to keep our inboxes clean?
(Trials usually both restrict features like this and require valid payment info is already entered, having websites all ask for people's phone numbers is way more privacy-invasive than asking for their email, and of course... you can keep your inbox clean without disposable email.)
I've given this some thought over the years so I know where I stand morally. As I've mentioned several times already, the issue lies in the service provider for forcing the user to give up their email address, in the majority of cases it will end up with you receiving spam from many different sources as your address will be sold, leaked and more.
>good luck
Thanks for the motivation!
> Make sure your cloud service allows what you're doing, make sure you have cost controls in place, and make sure you already have a relationship with a good lawyer.
Yeah, it's an expensive service to run (if you want to run it properly at least), but as long as it helps users and I see people sending in positive comments through the contact form, it will give me the motivation to continue.
A close friend of mine is a lawyer also so the day it becomes illegal to receive emails, I'll have to give him a call.
>Trials usually both restrict features like this and require valid payment info is already entered
That's good at least, but what I'm trying to say is that anything can be abused, the same way that the
>having websites all ask for people's phone numbers is way more privacy-invasive
It costs sites way more to send out texts than it does to send out an email, I'm sure that if we were to look at the overall amount of spam one receives in their lifetime, then we would see a great decrease. It's also a lot easier to stop spam coming from phone numbers as they are all registered and regulated compared to emails that aren't.
> you can keep your inbox clean without disposable email
You can also walk to the destination without taking a car, you can get fit without going to the gym and you can cook a meal without a recipe, but it won't be as convenient.
---
I'm starting to sound like a broken record as I'm just repeating myself, but to summarize things, we are both on the same page as our goals are to stop spam to users and abuse of services. The majority of the times an email address shouldn't even be needed and when it comes to sites where spam is more prevalent (e.g you mentioned The Verge), then they could simply verify your phone, payment details and a ton of other measures (captchas, checking IPs, rate-limiting, etc).
There are plenty of scammer bots/accounts that get around this just fine.
CAPTCHAs also can be unreliable with false positives and false negatives and other problems (although some CAPTCHAs are worse than others). "CAPTCHAs are trivially defeated today, regardless of the provider" is just one more thing, that makes even more worthless.
> Why not use phone numbers instead if the issue is truly important to them?
Even telephone numbers you might not have, or might be shared with someone else (more likely to have shared telephone numbers than with email).
It's one somewhat irritating tool in the toolbox, but honestly abuse-enabling services like disposable mail providers really just need to be taken down. We need to stop giving free help to criminals. Privacy is vitally important, but that should look more like a web of trust, not a fog of anonymity. No, every site shouldn't know your phone number, but they should be able to assume that your email provider does or knows enough about you to be confident you are a real person they can transact with.
- Be hooked to a bunch of paid plans for stuff that's currently free.
- At the mercy of all the big providers that could one day just decide to turn our account off without a reason.
- Receive more spam than we currently do as all service providers would have our email addresses. Although these would all be aliases, we would have to spend a decent amount of time organizing folders, identifying which aliases that are receiving the spam and turning these off without losing access to the account.
I referred to your other points in detail here also: https://news.ycombinator.com/item?id=40968143
I really enjoy that you challenge my views on this though as we both have the same goal of stopping abuse on online services, while at the same time preserving user privacy. Your plan would work if all service providers were honest and didn't abuse your trust, my plan currently works and I'm no longer getting emails from politicians asking for donations.
This had me genuinely concerned when a lot of the superfuous account bans were happening on Twitter and Facebook around the 2020 election cycle. Retweeting a joke could knock you off, and I'd been using Twitter as a 2FA for many/most sites where it was offered at the time.
Now, I'm much more inclined to choose email/password options. I've also been using a wildcard domain for most new things. Ex: site@mydomain, etc for every site, store, etc I use.
Imagine having to tell someone that you can't access your accounts because you retweeted something that wasn't deemed acceptable.
Perhaps if we're lucky we will advance to having the big corps create a social credit system for us as well, ha!
On the latter bit... not sure if I completely disagree with that take as well. As much as I also dislike SSO for other reasons, it is nice as at least some level of validation.
Best of luck with the service also!
The only reason the service provider requires your email address is to access your data.
There's barely and load on the server to generate the names and it only happens once for the new users so it wouldn't be worth putting that load on the client just for that one time, especially not with the traffic it's currently getting (currently around 1k users/day).
I'm curious about the privacy policy. The title says that you don't have ads, but there's tons of discussion about sharing information with ad partners.
The difference here is though that there's nothing of value.
If I wanted to use this for malicious intent, then I think the most valuable thing I could get away with would be a 5% discount coupon.
I like that you bring this stuff up though as it could perhaps be good to mention this on the site down at the FAQ so people don't think I'm doing something shady with the service since there are no ads.
Or spinning up hundreds of accounts on a website so you can perform card testing. Or creating accounts so you can put all of the inventory for an e-commerce site into carts to reserve it for yourself. Or running sneakerbots. Or any other malicious intent where the victim is the website operator.
In this day and age I don't understand why they wouldn't be able to just use a headless browser instead of doing it manually - has labor really become this cheap?
You can get all the stuff you mentioned for a fraction of the time and money it would cost to create a disposable email service and then you would also only target the service you wanted instead of sitting around and hoping that a user creates an account at the site you're looking for.
The real value would in the reputation and history of the account (e.g a popular account on a social media site or community) and this isn't a thing that someone would use a disposable email service for as they wouldn't want to risk losing access to the account.
But as a developer of these sites I've used the majority to check my own domains and the most reliable one I've found is https://www.ipqualityscore.com/
I strongly recommend that you take another look at your signup process though and don't require users to give up their email addresses, instead make it optional and present an alternative like a captcha.
Feel free to share a link to your service as I'd love to check it out and best of luck running it also!
A separate use case is when there's a free download that's email-gated, rather than account-gated. Examples would be Gumroad, certain 3D print platforms and such. I'd rather not wind up having my email just be added to some marketing list.
I've been thinking about open sourcing it if anyone would want it, but right now the site has way too little attention for it to get any traction. It's a really neat script though and it's also just one file and supports all the different kind of emails (with/without boundaries, base64 emails, attachments and some other stuff).
The majority of the work was done through testing lots of emails and I must have sent at least a thousands emails to myself from different providers and sites.
I've deleted the bookmarks in an attempt to reduce the PTSD it caused, but I think the main one I visited was RFC 1341 as I had some difficulties understanding the boundaries and encoding.
What was really tricky is getting it to work with all the different types as some emails didn't have boundaries while others had them, some were encoded entirely in base64, some partially, some of them were just plaintext, others were HTML while some were mixed or even offered multiple versions depending on what the email client supported.
Best thing is honestly to try it out and just pick a random address and send a really tricky email to it, would love to see you break the parser and telling me so I can improve it.
> Enable JavaScript and cookies to continue
It's not privacy conscious. Privacy conscious would mean A) does not use Cloudflare as a CDN B) does not require JavaScript C) does not discriminate against Tor users.
There are a few services like this already, which I'm not going to spoil for cred on HN, but my rating of this site as of now is 0/10, unusable in the literal sense.
B) That would make the UX horrible.
C) I had Tor enabled in the beginning, but when I got complaints from people on Tor doing really shady stuff with it I had to disable it.
For B, simply support both. This site is popular enough for there to be no risk sharing: Guerrilla Mail.
I understand what you mean, but it has to apply to the use-case. If the service I was running was to support journalists, then I would agree with you, but taking these measures would help promote spam as users would be able to get around the rate-limiting that I've set.
For example, the platform approach? Allow people to easily set up a temporary email service with their own domain. That would go around the problem needing changing domains all the time. You could make it easy for people to search and buy their temp email domain through you.
Or if that is too much, work, allow people to self-host your service by open sourcing it and creating Docker compose configurations etc.
I would personally also write a spec for one-click account delete link that can be recognized automatically, sent with the email. If that takes traction, then it would benefit everybody. It just might, as it benefits the service provider the most.
I will definitely look into these solutions and although I've seen some of them around, there could maybe be a way to implement a better alternative that's both easy to use and safe so it doesn't get abused.
I think it's cool idea though and I might give this a shot, thanks for the idea and if I do implement this then feel free to contact me through the form and I'll set "lifetime" account up for you!
If the article's solution were open-source, would be interested in seeing the UI/UX. I also looked into WildDuck with great interest but the lack of good UI/UX is mostly what held me back. If I didn't have to work for a living, and was less lazy, I might have written something.