126 comments

[ 3.0 ms ] story [ 151 ms ] thread
I used my free time during Christmas and pushed a huge update to my latest weekend hack. It's a disposable email address service.

Some of the main features are:

* SSL only connections

* All data is stored in memory using redis to make the site blazing fast

* New mails are instantly displayed using web sockets

* Automatically clicking on common activation links

* Your inbox doesn't expire

Thanks! I will add it to my filters and make sure users dont register through it. ;)
Gonna add new domains form time to time :p
mailinator does this too.
Why? It seems like you are escalating a war AGAINST your users. Most folks who use a disposable address are trying to make sure their main address doesn't become a fount of spam. If I continue to visit your site/service, then I will probably decide to "update" my address on my own for the convenience. Am I really being naive?
You are being naive -- it really depends on the service. For trivial online services, a disposable email might be fine, but for anything that costs money, you're doing your users a disservice by letting them register with an email address that they won't be checking (and which could potentially get hijacked, if someone knew the address).
If a service prevents me from signing up with whatever email address I want, I won't be using it. It's one thing to discourage weak passwords, as that's a common mistake for people that don't know any better. It's another thing altogether to deny signing up with something like this, as they clearly will know the ramifications of doing so.
I have a website that gives freebies (=$$$) to new signups, so allowing throwaway accounts makes people do things like sign up for 100 accounts.

Not giving freebies is of course an option, but then there is goodwill lost on that end instead.

It sucks both ways. At least I don't spam my users, but they of course only trust that assertion so far and I certainly don't blame them - there seems to have been a significant rise in email marketing in the last 6+ months - probably some annoying YC startup or two making it much too easy for sites I signed up for at some point but really don't want to hear from send me email... Tsk, tsk ;)

Then just give the freebies to non-throwaway accounts. Now your users still have a choice, and you don't lose any goodwill (obviously, explain that throwaway accounts don't qualify).

This is on the same level as adding a CAPCHA if someone comment looks like spam.

You might not be naive, but you are probably mistaking the value of allowing sophisticated users to try in this way versus the value of getting an email that you can send weekly updates to.
Using Websockets is a nice touch. However I haven't gotten my tests to work yet. Tried from my Gmail, and also manually SMTPing in.
Taking a look into it. My first thought is that some DNS servers are not updated yet :(
The string in my URL is different but very similar to the string in the email address. Curious. 1QdVfTRH vs 1QdVfTS1
That's not your mailaddress in the URL. It's like a password to access the inbox later :)
Hmm... But why should the 'password' URL be so similar to the mail address. Doesn't this mean that if I know your mail address, I can fairly easily guess the secret URL to let me see that inbox?

(Granted that in the most common use case, if I know the email address, I probably know what's in the inbox, since I am likely the person who sent the message. But still, why not make these 2 different random strings?)

A couple more examples: 1QjYwHNM vs 1QjYwHOc 1Qk07A9x vs 1Qk07A9X

Yeah, the developer is going to want to fix that quick smart. At a complete guess they are two strings being generated in quick succession from the same seed, and they both happen to be very close. End result is that I can guess your email.
Also email addresses are in really tight set and easily guessable. So that system should be fixed in general. Not just for address / password issue. But also getting proper address distribution.
Addresses and URLs seem to be timestamp strings that change every microsecond, with the URL code being generated just before the email address. This makes it trivial to read someone's mail if you know their address.

You can verify this by repeatedly clicking 'Delete this address', which issues you a new mail box. The address string can be thought of as a number that is always incrementing, with the 'digits' drawn from [0-9a-zA-Z]. (So base 62.)

The URL number is always (sample size ~100) just a little smaller than the email number, but not by a consistent amount. Often about 20-30 steps away, but sometimes as much as 600 steps away (depending on server load?).

The number seems to be generated by a clock rather than a counter, since the rate at which the counter increases is very steady. The 5th digit from the right increments every 15 seconds, suggesting that there are (62^4)/15 ~= 0.99 million unique strings per second. Maybe the counter is just using the time in microseconds, and converting it to a string?

Issues raised:

1 - If I know your address, I can now guess the 'secret' URL to read your mail in a trivial number of guesses (certainly less than 1000). There doesn't seem to be any throttling of attempts on server side (I was able to manually cycle through ~30 invalid URLs fairly quickly).

2 - Email addresses 'leak' the time that they were created. (Not a clear security risk, but could be problematic in some cases)

3 - As Sami_Lehtinen says, addresses are guessable based on signup time, but given that these are disposable addresses, I'm not sure that's a big problem (who cares if a spammer guesses it). Also, even if there is a new user signing up every second, the success rate for guesses will be 1E-6.

Thanks for the hint! I already took a look into it. There are indeed only 676 options to guess the secret in many cases. We do block brute force attacks, but given that there are only 676 possibilities, you could just run the brute force tool at a very low speed.
Thanks, it looks very useful. However, if I want to reuse an address several times, it would be nice to be able to delete individual messages once I've read them.
http://mailinator.com/ has been around for a while, and allows you to pick your own inbox name, as well as many alternate domains.
As well as guerilla mail: https://www.guerrillamail.com/

Given some of the other comments in the thread below, it seems like the more of these you have, the more likely one of them will work.

Mailinator also has a neat one-way alias, so if you want to use MyName@mailinator.com you can have email sent to an alias mailinator generates like 321randomfoo@mailinator.com. That way, the people (spammers) that get the alias can't even check your inbox, which is still under MyName. http://mailinator.blogspot.com/2008/03/introducing-alternate...
Note that @mailinator.com email addresses are blocked at a significant number of sites due to its popularity. Throwaway email sites that alternate between several different domains work best.
Mailinator has a ton of different domains. You can check them all from mailinator.com though.
You can even donate a domain or have your own "private" mailinator domain by simply pointing the MX record for a domain or subdomain you control to their server.
I've always wondered why a site that blocks mailinator sites wouldn't just do an MX lookup on any domain you put in and check for mailinator redirects.
Probably because it's harder than /@mailinator.com$/i. And the determined will always succeed anyway, so why go to great lengths?
How much effort are you willing to expend to fight users who insist on giving you a throwaway account?
(comment deleted)
You can't get a full list of them on mailinator.com, since it makes it easy for a misguided website administrator to just ban the whole list.

Instead, the site will randomly show one of the alternate domains on every page load. At one point, it would even give 'gmail.com' and other legitimate domains as the alternate if you tried to scrape them too quickly (or rather, they hypothetically-yet-definitely-didn't-do that).[1]

Today, the alternate domains are shown as an image[2], and even that isn't a complete list, since other people can simply redirect mail incoming to their domains to mailinator.com. Mailinator explicitly condones this.[3]

[1] http://mailinator.blogspot.ca/2011/05/how-to-get-gmailcom-ba...

[2] http://www.mailinator.com/get_alt_domain

[3] http://mailinator.blogspot.ca/2007/10/new-mailinator-alterna... (end of second paragraph)

You can still ban Mailinator by simply resolving DNS (or even only MX record) and reject if it matches 72.51.33.80.
That will only work if you know exactly how your entire mail stack will handle resolution and you re-implement it exactly on your frontend. Consider this case:

Resolving not-mailinator.whatever.com returns:

    not-mailinator.whatever.com. 86400 IN MX 10 a.bad-mailserver.com
    not-mailinator.whatever.com. 86400 IN MX 10 b.bad-mailserver.com
    not-mailinator.whatever.com. 86400 IN MX 10 c.bad-mailserver.com
    not-mailinator.whatever.com. 86400 IN MX 10 d.bad-mailserver.com
    not-mailinator.whatever.com. 86400 IN MX 10 e.bad-mailserver.com
    not-mailinator.whatever.com. 86400 IN MX 10 f.bad-mailserver.com
    not-mailinator.whatever.com. 86400 IN MX 10 g.bad-mailserver.com
    not-mailinator.whatever.com. 86400 IN MX 10 h.bad-mailserver.com
    not-mailinator.whatever.com. 86400 IN MX 10 mailinator.com
If you choose one at random, your frontend has a 90% chance of choosing a mail server that isn't mailinator. But when your MTA tries to send the message, it will notice that bad-mailserver.com is offline and try the other MXes, eventually hitting mailinator and delivering the message you tried to block.

You could put a limit on the number of MX records a domain can have, but Gmail has 5 and so you'd only reduce the chance of success to 80%.

Then you have to consider the mechanics of DNS. How many layers of CNAME indirection will you follow? Will you cache results? (If so, how will you trust that the responses are valid?) How long will you wait for DNS responses?

A poor implementation of DNS lookups will use unbounded time, unbounded bandwidth, and unbounded file descriptors. This isn't a hack you are going to code up in an afternoon, and one mistake means your website is going to randomly go down.

And so you have to ask: why? Why do you care if someone uses mailinator? Spammers are just going to set up their own domain or use someone's malware'd Windows box. And someone that wants to ignore your email is just going to have a procmail rule auto-submit your messages to Spamcop anyway.

So you gain nothing, spend a lot of time programming, and it won't solve any problems. In conclusion: worst idea ever.

Interesting, I know this is a bad idea, but: what if I connect directly to SMTP servers returned from retrieving MX records then send `RCPT TO: <some-email@mailinator.com>` and see if it passed or error with 550? My guess is there will be another whole range of issues involving open relays and servers that happened to not return 550 on nonexistence mailbox?

(I'm not trying to block Mailinator, just some exercise for myself.)

My favorite disposable email provider, by far, is 33mail.com, mainly because the addresses don't have to be disposable. You give a different email address to each service, and, if you get spam, you know the culprit and can block them right away.

Brilliant.

You can also just add +domain to the local-part of your email address and do that without needing a disposable email service. Theoretically some sites may strip them out, but I doubt that many go to the trouble.
That only works with gmail.
It does work on gmail, but is definitely not gmail specific. Used to do that trick on my college email account.
It works for many mail servers, including Gmail.
Also any Google Apps servers. Seems like a lot of extra work to look up a domain's MX records to figure out if it's safe to strip anything after + from their email address, which will only serve to annoy your users anyway.
which others? doesn't do it on sendmail or postfix
Please do note that there's quite a few services that do not recognize '+' as a valid character for who knows reasons. I don't know why though.
Thanks for the tip. I always forget about these because the domains they use are usually too silly (they should just let us use raw IP addresses); and also because I use email so infrequently. Mailinator seems the only one I remember. There's another disposable email provider... I can't remember the name... the accounts are time-limited. Truthfully, it's an email forwarder; they ask for a personal email address. (Maybe you could forward to another disposable email provider.) You can choose to have the account last hours or days. I know I've seen it mentioned on HN.
Yahoo! Mail has such a feature, which I use and love. They do call it "disposable addresses", because you dump them when they start bringing spam.
One thing I like about receiveee more than mailinator and 33mail is that you can start using it without signing up. The user interaction is very smooth.
mailinator does not require signup
I've been using mailinator for 3-4 years and have never had to sign up.
I justn looked at 33mail and they ask for a signup.

As re_todd says, mailinator asks for nothing from the user. The accounts are created automatically.

Just send mail to some-new-account-foobarbaz@mailinator.com and an account (user) is automatically created. No passwords. No sign in.

New emails showed up really, really fast. Consider me impressed.

Just a minor suggestion: you could wrap the email address in a link prefaced by "mailto:" to make it super easy to test the service.

This is interesting; thanks for sharing.

It's only useful until websites start filtering out the receivee domain - that's been happening with a few disposable email addresses.

And the highlight on " We even automatically click on common activation links for you" was a bit confusing. I was expecting a link to a page about the pointlessness of Challenge Response.

And what I really dearly want is an anonymous way to send an email - I don't mind having to sign up; I don't mind having to pay; but I really want a method where sending an email to $Person means they have to work very hard to get my real identity. (This is for good, not bad, reasons. But I can see the potential for abuse.)

Does Mixmeister work still?
Regarding your last point: possibly technical ignorance on my part, but is there some reason signing up for, say, a gmail account doesn't suffice?
A gmail account is tied to your identity, an absolute pain to sign up for, and requires your mobile number.
They don't require mobile numbers, and setting up a throwaway gmail takes about a minute, not tied to your identity at all. You don't even have to click and activation link, if you pass the CAPTCHA.

That being said, they certainly have IP logs, so make sure to enable Tor.

They've enforced mobile numbers for quite a while now, though I suspect that might be country dependant. I can't sign up for an account without one, through my normal or torified IP (I tried several).

http://i.imgur.com/l9diG.png

US based, for me, the form element appears, also with country code pre-filled, but it is not required. Further down there is a CAPTCHA that you can elect to complete or tick a box for phone verification. Strange that it's country dependent!
I have not been able to register a gmail address without a mobile number for about four years.
You can still do it, you just have to do the captcha thing.

Here, I created one just now, for you:

login/pass: blah44141@gmail.com/mypass125

What country was your/your exit IP in?
You're very kind, thank you. But you are still incorrect. I cannot register a gmail myself without entering a phone number. Your "workaround" of a captcha does not exist when I try. Others are talking about country restrictions - I live in Canada, if it makes a difference.
Dan, I was looking into anonymous sending options recently.

Two quick questions: - "don't mind having to pay"; what might you be willing to spend? $5/month? $50? 2c per email? - "they have to work very hard to get my real identity"; get-a-court-order hard? Or harder than that?

get a court order hard; $5 per month.
Hi, I'm building something just like this called bip.io, throw away email addresses and identity protection are a 'feature' of a wider messaging API (its a glue platform, similar to ifttt or zapier or engineio). We're approaching a stable beta. If you'd like to try out the service, follow us on twitter @bipioapp and we will notify when the gates are open. Realistically about 4-6 weeks away, just putting it out there if you're looking for options...

(oh, and you can use whatever domain you can manage MX records for - its preferable in fact)

Isn't this a great tool for spammers? It even clicks activation links for you?
This is a great idea:

"Your Private Inbox

Only you can access this inbox by returning to this web site using the same browser or by saving the link for this page. Others are not able to read your mail."

Props to the progger/designer.

Some services, like Facebook, normalize the mail address (turn all letters to lower case). Can you make sure that mails to the normalized email also reach my inbox? (They don't now!)
That would violate at least RFC 2821, which says that the local part must be treated as case sensitive.
What provider doesn't violate that part of the spec? I see plenty of sites/services that uppercase my email address for whatever clever reason they feel is necessary; not violating that part of the spec and actually making the address case-sensitive would be a detriment to the users.
Is anyone else seeing the "site's security certificate is not trusted" warning in Chrome?
(comment deleted)
I'm finding that the secret url is very very close to the actual email addresses in most cases. It's fairly trivial to guess inbox addresses based on email addresses. Is this ideal?
This is really useful.

However I missed a link to bookmark the home page. As on going to https://receiveee.com/ it automatically redirects to newly created address.

It is cumbersome to manually add it to bookmark bar.

The main challenge for these kinds of services is that they're only as useful as they are unknown.

If they start getting popular, they either

- start getting slammed with volumes of spam that are so high that the creator needs to start paying some serious hosting fees to keep the service running

- get blacklisted

Mailinator has outlasted all its competitors because it addressed both problems very early on. I wish receiveee best luck but I'm betting that it won't be around in a year from now.

Great tool. I would like to ask HN folks opinion on another kind of email service. Its quiet possible that google or yahoo can boot you from their service whenever they want...even if you don't think you violated their TOS. Do you guys think there is room for a service in which, once you signup, you will never be booted from the service? All data will be yours, or after you are gone, it will belong to your descendants.

Of course, there are spam considerations here..but I think they have to be worked out.

These are the services I use quite often when I need a disposable email id / fake inbox.

http://mailinator.com/

http://10minutemail.com/10MinuteMail/index.html

https://www.guerrillamail.com/

http://www.dispostable.com/

http://dudmail.com/

http://getairmail.com/

http://mailcatch.com/en/disposable-email

http://spambox.us/

http://www.yopmail.com/en/

https://ssl.trashmail.net/

http://www.fakeinbox.com/

http://www.fakemailgenerator.com/

http://www.tempinbox.com/

If I am really paranoid or just on tor then I use http://tormail.net/

Now adding https://receiveee.com/

One of the reasons why I have a list of all these disposable email services is because some do get blocked from websites.

Eg. mailinator : I loved the service but its mostly blocked everywhere now. ( I know there are alt domains for mailinator )

Really appreciate all these services.

Which is your favorite? This is a great list, but hard to pick out the best from just reading all of these sites.
Thanks for the list! I will add them to our blocklist :) Our business values e-mail destinations where we can actually incite the signed up user with interesting offers, or new product features, instead of sending it into a black hole.
It seems like you should recognize that a user does not want interesting offers when they submit a black hole address to you. Or maybe that's what you're saying you do?
If I give you a blackhole e-mail address, it's because I suspect you are going to spam me. Blocking the blackhole addresses only alienates me as a customer, confirms my suspicion that you intend to spam me and adds one more barrier to my trying your software or service.
Sounds like exactly the kind of spammy business people use these blackhole addresses to avoid!

> Our business values e-mail destinations where we can actually incite the signed up user with interesting offers

I get several hundred of these "interesting offers" every day.

incite the signed up user with interesting offers

I’ll bet they’re just fascinating.

By removing customer's choice to use a blackhole email, I suspect you are much more likely to lose them as a customer, rather than gain a happy customer with a valid email.

If they do go the latter route and give you a real email address, it is really so valuable to you? More likely, your interesting offers will get tagged with the "spam" flag, or auto-deleted by a filter.

Thanks for the notice. Now I'll add your business to my blacklist of enterprises which I'll never do business with.
So that makes you a spammer. Tell us about your business name, so that we can add it to our blacklist too ;).
From the looks of the replies here, you have quite a knack for 'inciting'.

Whether the offers you send out to users are enticing or not remains to be seen.

What happens in that case is people just type in RandomDictionaryWord at majoremailprovider.com and then the person who really is at that address gets the pleasure of your interesting offers, even though that person probably never heard of you.

(My old gmail account gets Pizza Hut order confirmations from some guy in Texas. About every other week.)

https://gli.ph Cloaked Email is more convenient than these services and can offer you the same or better privacy.

receiveee looks great for incoming one-time emails like spam and confirmation emails. Gliph allows two-way email, at the cost of having to create an account.

The cloak address you generate on Gliph forwards mail to your real inbox. when you reply it appears to come from an cloak address.

More info in ReadWrite article: http://readwrite.com/2012/08/14/use-this-app-to-create-anony...

Gliph also sets you up with a secure picture messaging tool for iOS and Android and a serious privacy policy.

Disclosure: I am co-founder and ceo of Gliph. Happy to answer questions.

Does anybody else get a certificate error (it claims that it has been signed by an unknown key).
I tested it from both my gmail and outlook.com account. I instantly received the e-mail from gmail but from hotmail I never received the test e-mails I sent.
can't we send emails using the same service ?
For anyone wanting to stop signups from disposable email addresses I've found this service to be really good:

http://www.block-disposable-email.com

has a massive database and a bounty for new additions!

We have 2 factor verification for http://8centsms.com/ but with the advent of disposable inbound SMS numbers via Twilio as well as disposable email addresses we were getting a bunch of people signing up and getting the free 10 credits repeatedly.

We haven't seen the problem recur since implementing this service, though so it seems the coverage is pretty good (/me prepares for onslaught of fake email signups to get the 10 free SMS credits via fake Twilio numbers ... )

All we need now is a service to blacklist disposable mobile numbers!!

I use disposable emails only to signup to services. I later save the email and pwd with 1Password. I've been doing this for a long time.

The reason I do this is because many startups (and non-startups) keep abusing on the amount of email they send you, even if I unsubscribe from their "newsletter" they come up with other non-newsletter emails - and this is just unbearable. I feel like being spammed most of the time.

The advantage of using disposable email is that I have access to the service, I decide when I receive emails and it's a great way to protect my account from being hacked (think of any recent social eng hack a la Amazon, Apple, etc. they couln't do it without your signin email).

A handful of other colleagues do the same thing. If you blacklist users who want to protect their privacy and want control over their inbox all you are doing is blocking (in our case) affluent users.

Many email services offer disposable addresses integrated with your real email account.

Yahoo in particular has an excellent system for doing this; you can generate disposable addresses by adding a unique string to a base name particular to your account (but which isn't identical to your real address, as it is if you use a '+' delimiter with Gmail). By default, all messages received at any disposable address go to your primary inbox, but you can designate an alternate folder for each of them. Since all of your disposable addresses are @yahoo.com, it's impossible for admins to blacklist the domain.

Sorry if this sounds like a commercial for Yahoo Mail; I'm just very happy with this feature and almost never resort to using Mailinator et al.

(comment deleted)
DEA users are most likely long time internet users who care about their privacy and have learned to protect their email. At the same time, they have enough interest to register and try your stuff - so let them be... If the site requires users to enter an email address for freebies, savvy users will eventually find a way around it, as you suggested. You might also be blocking the early adopters. Eg. bloggers who want to review your stuff, etc!
I used to use services like this, but now I simply have a gmail account dedicated to hit and run emails.

I only go to this account inbox when I'm looking for a particular email. It's full of spam and I don't care!