32 comments

[ 1.0 ms ] story [ 74.5 ms ] thread
Interesting tool. Would be great if you could send from here as well, after all that is 50% of email.

Loved the examples you gave on the about us page, well said.

Sending might be a problem because of massive spam abuse and maybe getting blacklisted in consequence. What do you think?
I think you could make it not worth it for spammers fairly easily-- only allow sending to one recipient, captchas, rate limiting by IP etc.
hm yea, nice idea.. i already thought of such solutions. maybe i gonna realize it.
These 3 examples are easy to work around using zombies. Even whitelisting only people who have already written to you can be attacked.
so, from your point of view, are there any better ways to prevent automated spamming ?
Look into how Cloudflare handles detecting abuse of bulk automated http requests (hint: browser trickery). RBLs will help, as well as basic rate limiting. You can also do heuristics on the rate of mails going out from multiple users in similar ways and impose a timeout on users when you detect something 'feels spammy'. Basically you just want to make it so annoying to send spam that they'll use someone else's service. You can also use obfuscation techniques to make it difficult for spammers to determine the method to use to automate requests.
Being able to reply would be good. Supporting sending other than replying will waste your time. The spammers will exhaust whatever rate limits you configure and try to get around the limits, and although the result may not be much spam, the work will take much of your time.
I don't think there's anything wrong with offering this as a receipt-only email.
Occasionally someone asks you to reply. Generally "click here to ack receipt of this mail" but sometimes "please reply to this mail to confirm that the email address works".
What's the difference between this and say Mailinator [0]?

[0]: http://mailinator.com/

the fact that ATM mailinator is banned from mostly anywhere it's enough for me...
The @mailinator.com addresses are frequently banned, but not the stockpile of aliases, e.g. @notmailinator.com.
You can just point your own domain at their mx.
Though there are several services that offer this same thing, it's always good to have more available should they be needed.

Since the concept is not really novel, why don't you tell us about the implementation? What's running on the backend?

Sure! It's just a postfix + mysql + php implementation. I got the domain some weeks ago and now wanted to use it in a designated manner. So I set up this site as a private project.
Hmm, I use inboxalias.com which has persistent disposable anonymous email. Is tempmail better? if so, how?
>Collection and use of customer information

>Every access to our website and each download of a file on this website are logged. The storage serves internal system-related and statistical purposes. The following data is logged: name of the file, date and time of access, data volume transferred, notification of successful download, web browser and requesting domain. In addition, the IP addresses of the requesting computers are logged.

While I'm sure you have your reasons for this, a service like this naturally attracts users who value privacy and anonymity. Ever thought about adding a warrant canary of some kind?

This refers to default apache log files. IP address is needed for spam (abuse) prevention / captcha activation (e.g. too many new accounts per time). A warrant canary is a great idea, thanks... I will add it.
Semi-OT. Having a b2c startup I have mixed feelings on this kind of services.

I totally value privacy (and security) and I support the existence of services like this one, even thought -as a user- I don't completely understand the difference between creating a random gmail address. The user's pain is usually related to change the address (i.e., notify all my friends), so a service like this one should actually resolve that pain specifically, IMO.

On the other hand, I also think this creates a mess with other businesses. Users register to services using username+password that they inevitably forget. If you just put the signup with Facebook + Twitter + Google, they complain that you're requiring a social account. Even if they don't complain, the sign up with Google and later they try to sign in with Facebook. In short, the email is the only way to come back via password reset. But what if they can no longer access the email they used to sign up?

One of the advantages of Mailinator and 33mail (two other services in this space) is that they allow you to receive email at your aliases for as long as you want, so they don't preclude password recovery. I think this service is somewhat hamstrung by the limited period when the temporary address is accessible.
There is no limit after registering the address. The idea was to cover temporary needs as well as providing the posibility to use it persistently.
Bug: Mails are opened by clicking on its 'subject', this results in invisible links for mails without a subject. You should consider to replace empty strings with something like '[no subject]'