Reminder that apple provides burner emails that are effectively unblockable (because they use the @icloud.com domain, at least for now[1]), for $0.99/month.
The article author attemps to make a distintion between "burners" and "aliases" but I don't believe one exists for this usecase. Let's say for the sake of argument that you think blocking burner emails provides meaningful protection (I don't, but services using such a list obviously do). From your perspective, an "alias" is the same as a "burner". Both can be easily generated in bulk by a human or bots, cannot be resolved to an identity, and cannot be compared to determine if two emails are the same person.
What kind of hide-my-email providers give you unlimited aliases that can be created in bulk?
It’s definitely against the ToS for the ones I’ve used.
One could give the same argument for blocking Gmail. You can create Gmail accounts in bulk, you can’t resolve them to an identity, and you can’t compare them to determine if they’re the same person.
The difference is that you trust Gmail to enforce their ToS, do KYC and ban people abusing their service. Should you?
Or it's a distinction without a difference to the site owner. Ever prod service I've run has seen significantly more abuse from human users using alias services, especially protonmail. I'm not surprised that some owners have chosen to block it entirely, given their resources, but I'd prefer to see it used as a signal in a more sophisticated system if possible.
The easiest and best way is to rate limit the number of signups from a domain per day. You might still get people trying to bulk signup but as the article states, most large spam operators do not really use those domains anyway. Of course there are plenty of small time scammers to make up for that lack, so to speak.
I personally use burner emails when I want an account somewhere but would prefer not linking all of my personal interests and necessities to the same few email addresses. It just seems smart.
It is frustrating to try to make it clear you are not attempting to bypass authenticity controls, especially when AI can so frustratingly create text posts that can seem realistically 'human'.
Maybe someone will come up with a better way to attempt to add privacy back without ripping it away in the name of attempting to add it.
Though, I mean, that's been the issue since the 1990s: security or privacy, hard to have both, and yet difficult to have either without the other.
"I never thought the leopards would eat MY face," sobs dude who contributed to the leopard-owned face eating industry.
There has never been a good argument for attempting to filter email addresses based on domain. Check address syntax on interactive forms purely to help users (did they fat finger something). Whatever well-formed address you've got, fire off emails and if they can receive them then it's a legit address. If you want to rate limit signups, then do so per-domain or per-mx. That is the extent of guarantee that email provides you - trying to step over that demarc point is a control delusion.
Even outright throwaway domains like mailinator.com - if a user is using this, it says more about your own requirement demanding an email address rather than the user themselves.
IDK man .. many services really just don't even want to deal with a sign up they are never going to reach. By using a disposable email, you're telling the business, I want to use your service, get value, but I don't really want you to reach me. To them, it sounds like a loss loss situation. Business are there to make money, and they offer a signup/trial/free account so they can give you access in exchange for being able to reach you.
But I do sympathize with the stupidity of marketing email madness.
Hence my response:
> Aliases are fair game .. for organization for just hiding your own email to limit tracking.. that's fair .. but bad, known disposable email generally just costs too much and is too risky for businesses.
There is no one-size fits all solution here. It comes down to what the cost of spam/fake accounts is, the level of sophistication of your adversaries, and the cost of loss of use to legitimate users blocked by your signup gates. Each site has their own weighting across these factors.
The people who want privacy and the people you want to block are using the same services and techniques. That's why web firewalls block privacy focused browsers, why TOR exit nodes are blocked from bald the internet, why email providers block new domains, and why sign-up forms block burners ("aliases" as you might also call them).
You can accept privacy enhancing measures but doing so hurts your ability to filter spam and other abuse.
I use these burner email services all the time because nobody on the internet can be trusted. Especially not the ones that try to lure you in and pop up an email registration box at the very last minute.
The "Anyone can use this to do anything they want in total anonymity and privacy" to "oh no bad people are using this to do bad stuff" pipeline is eternal.
25 comments
[ 0.25 ms ] story [ 25.6 ms ] thread[1] https://news.ycombinator.com/item?id=48559935
How do you do that with gmail addresses?
It’s definitely against the ToS for the ones I’ve used.
One could give the same argument for blocking Gmail. You can create Gmail accounts in bulk, you can’t resolve them to an identity, and you can’t compare them to determine if they’re the same person.
The difference is that you trust Gmail to enforce their ToS, do KYC and ban people abusing their service. Should you?
I personally use burner emails when I want an account somewhere but would prefer not linking all of my personal interests and necessities to the same few email addresses. It just seems smart.
It is frustrating to try to make it clear you are not attempting to bypass authenticity controls, especially when AI can so frustratingly create text posts that can seem realistically 'human'.
Maybe someone will come up with a better way to attempt to add privacy back without ripping it away in the name of attempting to add it.
Though, I mean, that's been the issue since the 1990s: security or privacy, hard to have both, and yet difficult to have either without the other.
There has never been a good argument for attempting to filter email addresses based on domain. Check address syntax on interactive forms purely to help users (did they fat finger something). Whatever well-formed address you've got, fire off emails and if they can receive them then it's a legit address. If you want to rate limit signups, then do so per-domain or per-mx. That is the extent of guarantee that email provides you - trying to step over that demarc point is a control delusion.
Even outright throwaway domains like mailinator.com - if a user is using this, it says more about your own requirement demanding an email address rather than the user themselves.
notably, micro center _was_ an issue but had to raise exception.
Turned out to be a friend that installed an app to watch soccer matches for free and in return he became a node of one of those services.
But I do sympathize with the stupidity of marketing email madness.
If you give a business a hide-my-email address, they can reach you at that address indefinitely.
Just type it out in the same comment next time, please.
You can accept privacy enhancing measures but doing so hurts your ability to filter spam and other abuse.
I use these burner email services all the time because nobody on the internet can be trusted. Especially not the ones that try to lure you in and pop up an email registration box at the very last minute.