
Mailhero – a more permanent temporary email - MasterYoda
https://mailhero.io/
======
guptaneil
Sounds awesome, would love to try it. Spent 5 minutes trying to sign up, but
every variation of username that I tried was taken. This normally wouldn't
be an issue to complain about, except that in order to test whether a username
is available or not, I have to enter the username, password, and captcha every
time.

Please please please tell me whether or not a username is taken as I type it
before I go further.

~~~
trickster_
Yes, my bad! I did not expect my site to get hacker news'ed while I was
sleeping and I hadn't scaled up the web server for that... You can try again
now. :)

The really good news is that all mails are always buffered on another server,
so even if the whole thing was to go down, all mails will reach their
destination in a timely manner.

------
gdiepen
I have been running a similar service for myself on my own exim mailserver for
a couple of years now and am very happy with it. Provided an explanation on how to
achieve this on my blog:
[https://www.guidodiepen.nl/2013/02/catch-almost-all-in-exim-...](https://www.guidodiepen.nl/2013/02/catch-almost-all-in-exim-only-address-with-specific-pattern/)
Whenever an address is receiving too much spam, I just blacklist it at the
server level, ensuring I don't have to filter it anymore in my mail client
since the server won't even accept it.

Have to say that it is always funny when a person asks for my email address
and it confuses them when the address part before the @ sign contains their
company name :) Often get the question whether I also work at the company or
so.

~~~
mortenlarsen
I have run a server with a similar setup for many years. And some people get
really confused. It can be quite funny sometimes.

The best moment was my SO explaining to someone on the phone, why the email
address included their company name.

Paraphrasing: If you get hacked or sell my email I will know it was you. So
don't sell it, and make sure you stay on top of your security.

I used to contact companies by email after they leaked my throwaway email
address, but I don't any more, because some got angry and others were just
confused.

~~~
logician76
Yeah, I lost my preorder for a PS4 over that issue. K-mart just cancelled my
preorder because they thought my email address was suspicious. Mind you, this
was at the time when you'd have to wait months for the machine to be in stock
again. I spoke on the phone with their manager and there was nothing they said
they could do about it. So I've never shopped there since.

------
trickster_
Another thing I am working on for Mailhero is to start publicly listing
sites/organizations that have leaked mail addresses. This list currently
includes Coca Cola, Adobe, Neteller and others.

~~~
gingerlime
You can add box.net to the list. I used a one-off email address on their
service and it got leaked. They were at least honest enough to confirm it did
indeed happen to them:

    We were recently informed by a handful of users that they had received
    spam email at the address associated exclusively with their Box account.
    We scoured our own systems and checked every possible scenario, and
    didn't find any evidence of our systems being compromised. Thanks to
    information sent to us by our customers, we were able to pin down that a
    third-party email service we used to send our newsletter to select users
    in February, March and April had been compromised.

    No other information beyond email addresses were ever exposed to this
    vendor.

    We sincerely apologize for the inconvenience this has caused our users.
    We continue to be committed to your privacy and keeping their
    confidential information safe. As a result of this issue, we're leaving
    this particular service provider immediately and consolidating all of our
    customer communication efforts within a single vendor with more robust
    security practices.

------
aembleton
This looks really good. I've just seen this message though when I verified my
email address: "Do not give out your bare-naked mailhero address
(xxx@mailhero.io). Always make sure you add something before the dot,
otherwise you can't stop the mails from arriving!"

If anyone from Mailhero is here - why don't you block the bare-naked emails?
If this becomes popular then marketeers can just search for @mailhero.io
addresses and strip off any string followed by a dot so that they can spam
you.

~~~
biot
On the same note, they can just construct <random chars>.user@mailhero.io and
email sent there will be forwarded to you as if that's the custom email
address you sent out.

------
findjashua
With gmail, you can create a custom email for each service, like so:
youremail+service@gmail.com

Later on, if the service doesn't let you unsubscribe, or sells your email to
other spammers, you can just set a filter to trash emails sent to
youremail+service@gmail.com

~~~
kenshaw
Anyone with half a clue that is doing heavy marketing via email knows to
strip the stuff after the +. BTW, the + is part of the email specification,
and technically any email server _not_ supporting it is broken.

~~~
inopinatus
Although '+' is an acceptable symbol, there's actually nothing in the RFCs
that mandates sub-addressing behaviour. The closest you'll get is RFC5233 that
defines it for the Sieve filtering language. So although very common,
sub-address behaviour is not a standards requirement and should not be presumed.

By "heavy marketing" I presume you mean spammers. If not, be warned,
sub-address stripping will mean nondelivery in some cases and could trigger
blacklisting via honeypots.

------
kijin
If this becomes popular, what stops spammers from figuring out that the part
before the last dot in the username can be anything?

A lot of shady folks already know about Gmail's plus-addressing trick. If I
were a spammer and I found that foobar.username@mailhero.io didn't work, I
would just try bazbaz.username@mailhero.io.

Perhaps you could set up the system to only accept aliases that have been
explicitly configured. But that would make Mailhero a bit inconvenient for
regular users, since they would have to add an alias before using it
elsewhere.

Another possibility would be to add a big button in the dashboard that
automatically generates a plausible address (e.g.
barack.hillary.trump@mailhero.io) with no connection whatsoever to your
regular username or other aliases. No need for the user to decide what alias
to use, and no way for a spammer to figure out a working alias.

~~~
raihansaputra
I think an easy way is to send a notification email for every new sub-email
"registered". No email gets forwarded until the new sub-email is verified.
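The registered-alias model kijin proposes, with raihansaputra's verify-before-forward step, as an added example that is not Mailhero's code: the permissive "any prefix forwards" rule the thread worries about (bare address, random prefix) beside a registry-based rule. The domain, user names and word list are constructed.

```python
"""Forwarding policy for a Mailhero-style alias domain (constructed example).
Recipients look like prefix.username@DOMAIN; the alias separator is the LAST
dot, so "my.bank.joe" is prefix "my.bank" for user "joe"."""
import secrets
from dataclasses import dataclass, field

DOMAIN = "alias.example"  # placeholder, not Mailhero's real domain or config


def split_recipient(address):
    """Return (prefix, username) for an address on DOMAIN; prefix is None when
    the bare username was used. Returns None for any other domain."""
    local, sep, domain = address.rpartition("@")
    if not sep or domain.lower() != DOMAIN:
        return None
    prefix, dot, user = local.lower().rpartition(".")
    return (prefix if dot else None, user)


def permissive_policy(address, users):
    """Accept-anything rule: any prefix, or none at all, forwards to a known
    user. This is why random.joe@ and a stripped joe@ still reach the inbox."""
    parts = split_recipient(address)
    if parts is None or parts[1] not in users:
        return "reject"
    return "forward"


@dataclass
class AliasRegistry:
    """Local parts a user explicitly created (state: pending, active, disabled).
    The alias-to-user mapping lives here, so an alias need not contain the username."""
    users: set
    aliases: dict = field(default_factory=dict)  # local part -> (user, state)

    def register(self, user, local):
        local = local.lower()
        if user not in self.users or local in self.users:
            raise ValueError("unknown user, or bare username used as alias")
        # Creating an alias triggers a verification notice to the real mailbox;
        # nothing forwards until the user confirms it.
        self.aliases[local] = (user, "pending")

    def set_state(self, local, state):
        user, _ = self.aliases[local.lower()]
        self.aliases[local.lower()] = (user, state)  # "active" or "disabled"

    def random_alias(self, user, words, n=3):
        """Dashboard-style generator: plausible words, no link to the username."""
        local = ".".join(secrets.choice(words) for _ in range(n))
        while local in self.aliases:
            local = ".".join(secrets.choice(words) for _ in range(n))
        self.register(user, local)
        return f"{local}@{DOMAIN}"


def strict_policy(address, registry):
    """Registry rule: forward active aliases, hold pending ones, refuse
    everything else (bare username, random prefixes, disabled aliases)."""
    local, sep, domain = address.rpartition("@")
    if not sep or domain.lower() != DOMAIN:
        return "reject"
    _user, state = registry.aliases.get(local.lower(), (None, "unknown"))
    return {"active": "forward", "pending": "hold"}.get(state, "reject")
```

Under the strict rule the "do not give out your bare-naked address" warning becomes unnecessary, because the bare username is never a deliverable address.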

------
alanh
Love the anecdotes at the bottom. I’ll add two of my own:

- Sent myself a photo from a Southern Californian theme park that starts with
"D" and ends with a fireworks show, using a custom email address: No third-
party spam, but my god their "unsubscribe" links (NOT that I ever subscribed)
just don’t work, I got a promotion for everything vaguely Disney-related for a
year until I blocked the address completely. Whoops, gave this one away!

- Signed up for a famous freemium file-syncing service whose name also starts
with "D" using a custom email address, never used for anything else; that
ended up in the hands of spammers.

~~~
Jaruzel
> Signed up for a famous freemium file-syncing service whose name also starts
> with "D" using a custom email address, never used for anything else; that
> ended up in the hands of spammers.

Wasn't just me then. I /know/ I never used that particular address for
anything else as it was specific to the D___Box service. Yet within 2 months,
I started getting lots of spam on it. I don't recall that company getting data
breached, so it's totally unclear how that happened.

~~~
alanh
I’ve been working on the assumption that a massive breach did happen, but was
never announced (perhaps not even discovered internally).

------
nmalaguti
I used to use a service like this called endjunk.com. A few years ago it shut
down without warning and I found I couldn't receive emails or update my
username for several services.

I tried rolling my own for a while, but it was painful to make sure my mail
server was always up to date and patched. I also had issues with forwarded
mail being marked as spam by my email provider.

If this service becomes popular and starts forwarding lots of spam, it can
result in the entire domain being blacklisted, especially since users never
send replies to these addresses.

Don't rely on free mail services to get mail you might care about some day.

~~~
alanh
Yep. Well, that’s why I feel pretty good about using my own domains +
Fastmail!

------
Jaruzel
Like many of you, I've rolled my own interpretation of this solution. I've got
a self-written MTA that supports any recipient prefixes on emails that are
sent to @domain.com. It then firstly checks the RCPT TO: address (the _real_
TO address) against the email aliases assigned to all my users in the Active
Directory/Exchange Server. Once that check is passed, it then runs the email
through some custom blacklisting rules, and then finally runs the email
through SpamAssassin. If the email gets past that, then it gets delivered into
the user's inbox.

In Active Directory, the proxyAddresses attribute is used to stack up custom
<something>@domain.com addresses for each user, which allows for many aliases
per inbox. It does require management on the users' part - they have to add an
alias if they want to use it, but that's done via a webform, so it's easy to do.
Likewise they can yank an alias if it's been leaked and gets abused.

This solution has been running for over 5 years now, and it works very very
well. The only downside is having to manually add new custom blacklist rules
due to the adaptive nature of the spammers.

~~~
gradschool
I'm thinking of doing something similar and hope to learn from your
experience. I have two questions. (1) Was it easier to write your own MTA than
to use the milter interface to Postfix or other mature MTAs that support it?
(2) How would you set up the MUA to use the right alias in the return address
when users reply to a message instead of leaking their real email address?
(e.g., Would you need another lookup table somewhere that maps
(user,recipient) pairs to user aliases?)

------
nicois
You need to trust your mail relay to not go offline or you lose the ability to
reset your password etc.

Worse would be if someone used the relay to intercept a password reset and pwn
you.

Better to implement filters on Gmail or whatever, server side with the +
suffix.

------
schneems
I made something almost exactly like this 6 years ago. Called whyspam.me

Good luck.

~~~
schneems
Almost forgot I open sourced it when I took it down.
[https://github.com/schneems/WhySpam](https://github.com/schneems/WhySpam)

~~~
mhw
The domain has now been taken over by scammers, so it might be worth removing
the links from the github project.

------
winterswift
Signup seems to be broken? I've tried a few 'random' (keyboard-mashing)
usernames to no avail. As guptaneil pointed out, some immediate form feedback
on username availability would be very helpful as well.

------
gingerlime
Love this idea, and the copywriting on the page is absolutely brilliant!

I hand-rolled my own solution a while back on my own server, simply creating a
random forwarder and "tagging" it with a description, so I can always go back
and look up what fw839kopa4 was for... It's an ugly hack, but it works.

My ugly hack has the added benefit of not accepting just any email address,
but only those I explicitly defined. On the flip side, I have to run this
small script and can't just give out citibank.myname@mydomain.com to anyone on
the fly.

~~~
trickster_
Thank you for the compliment about the copywriting! I did try to put effort
into explaining what Mailhero actually does and to make sure that I explained
why I made it instead of pretending to be somebody else. :)

------
ricg
Is there a service that lets me _send_ mail from such an email address as
well?

Let's say I use this for my Amazon account amzn.myusername@mailhero.io and I
need to get in touch with Amazon customer support. For verification they
require me to actually send an email _from_ amzn.myusername@mailhero.io.

Or another case: as soon as I have to actually send an email to a service I
signed up for and use my real email address, that is then known to the service
and could potentially be leaked.

~~~
trickster_
I am going to add that functionality soon. You will, of course, have to click
the recaptcha for each message send... I hope everybody understands why. :)

------
MasterYoda
What it is...

Create a new unique Mailhero email when you sign up to a new service etc.
Mailhero will keep forwarding those emails to your real one until you choose
not to.

So if that email ends up in a spamming list and you start to get a lot of
unwanted email from different spammers that could be hard to block, you could
just stop the forwarding.

So it works like a temporary email but is more permanent at the same time. And
it doesn't stop working after 24h like many other temporary email services do.

(Sorry for a shitty title)

~~~
phyzome
Looks similar to [https://www.spamgourmet.com/](https://www.spamgourmet.com/)
which I used to use back in the day... and I guess is still a thing!

~~~
FreezerburnV
You mentioned it before I could! I'm somewhat amazed that site is still
ticking, but I'm happy it is. I should make use of it more often... It even
has some really nice features like being able to send email from your
temporary address and more manual management of each temporary address you
create. I highly recommend checking it out, even if the website looks old and
strange, it's solid.

EDIT: Oh, and you can download the code for it and run it yourself if you
want. Fantastic.

------
sacul
A feature like this is automatically baked in to my Fastmail account.
"myemail@mydomain.com" can become "banks@myemail.mydomain.com", and all that
email automatically goes to a folder called "banks".
[https://www.fastmail.com/help/receive/addressing.html](https://www.fastmail.com/help/receive/addressing.html)

~~~
asjfkdlf
You can do it with Google Apps too, but it's a little more difficult. Log in
to an account and set up an alias.

There is a limit to the number of aliases, but you can just create more
accounts with aliases that forward to your email.

------
Gaelan
Spammers are going to figure out how to manipulate these if it gains any
traction; if I were a spammer, I would just send each email from a different
MH email address with the same username.

See also Throttle[0], which does a similar thing using a browser extension to
generate random email addresses.

[0]: [https://throttlehq.com](https://throttlehq.com)

~~~
oh_sigh
You can maintain a whitelist on your real email client with only allowed
forwarding addresses from Mailhero. Mark everything else as spam.

------
throwanem
Spammers often strip dot aliases in my experience. This doesn't seem like
doing anything to solve that problem. I mean, if citigroup.joe gets
dot-stripped, then citigroup@mailhero.io gets that spam instead of joe, but
odds are joe will just end up getting somebody else's spam anyway, so it's not
really much of a win unless you're careful to pick a username that won't be
used as an alias, and then you have the problem of having to give out
addresses like citigroup.rkcj92o8I@mailhero.io.

Not seeing the value prop over Mailinator.

~~~
dijit
Would they be stripped? The traditional alias separator is a '+'
(dijit+hackernews@google.com) and periods are part of email names, thus the
address itself: (jan.harasym@google.com)

~~~
throwanem
Well, I've gotten spam that had it stripped; the name was a bogus one that I
gave out in combination with a specific dot-aliased address, but the address
in the To: header was without the alias. I can't say how often it happens, but
with major mail providers (including Google, IIRC) widely known to support
arbitrary dot aliases for throwaway addressing, it seems like a reasonable
ploy from the spammer's point of view.

~~~
dijit
Google definitely do not support dot aliasing. I've had email addresses for
Gmail with dots in them and so has my mother. That's dangerous if you allow
people to sign up for email addresses with dots and then use that as an alias
separator. So dangerous I would argue they wouldn't do it.

------
theaustinseven
I think the best part about this is that it makes it easy to see who is
selling your email. That can bring some accountability to these services that
collect your email, and supposedly never use it.

~~~
dingaling
> That can bring some accountability to these services that collect your
> email, and supposedly never use it.

In my experience, though, they deny everything when you follow-up.

At one point I started receiving third-party spam to
santander_currentacct@[domain]. I contacted Santander, my bank, to ask how
that e-mail address had leaked. They insisted that I must have used it
elsewhere since their systems were watertight.

I changed it to something like santander_dontspamme@ and sure enough after a
few months the spam started. This time Santander didn't even reply to my
complaints.

I subsequently moved my current accounts to another bank, leaving £0.01 in
several Santander accounts just to keep them open.

------
twhb
Two concerns:

What about 33Mail? Is this not the same thing with the tag shifted?

What if this becomes popular? Spammers can write a special case for
@mailhero.io addresses that strips or changes the prefix. If you block those
avenues, it just turns into a much easier password guessing game: the user has
dozens of passwords, and they're all one common word, lowercase.

------
wiradikusuma
Since I have Google Apps (eg bla.com), I just turn on "catch-all email"
settings, and whenever I join a service, I'll use "servicename@bla.com" (eg
paypal@bla.com).

Interestingly, sometimes I receive spam from AnotherService sent to
OriginalService@bla.com. From there you can see which services sell their data
to third parties.

------
crazydiamond
I have been using gishpuppy for several years. It actually works. It's a free
service; you create an email for any website that asks for one. There are
add-ons/extensions for Firefox and perhaps other browsers, too.

[http://www.gishpuppy.com/](http://www.gishpuppy.com/)

------
nfirvine
How is this different/better than Gmail's address+spammer@gmail.com?

~~~
ceejayoz
Spammers know to take off the +spammer part.

~~~
jalami
Also some websites won't let you put + in the address despite it being a valid
character per protocol. Crippling email sign-ups for one company, astonishing.

Fastmail has subdomain addressing, e.g. hackernews@myemail.fastmail.com, which
is a lot harder to detect.

~~~
JonathonW
I like Yahoo's approach-- they do their disposable email aliases like this:

basename-spammerspecificsuffix@yahoo.com

Where basename is user-chosen (and not necessarily related to the real email
address), and the suffix has to be registered ahead of time (so a spammer
can't just start randomly generating suffixes to avoid filters).

------
ryandetzel
Great idea but what happens when the site runs out of funds and shuts down?
Now you have all of your email bouncing and no way to know and/or fix it
easily?

~~~
trickster_
I can recommend reading the About-page...!

[https://mailhero.io/about](https://mailhero.io/about)

------
raihansaputra
What would it do if people would just strip the prefixes before the dot just
for mailhero? Would the email still gets forwarded? Should I shut down the
account?

~~~
aembleton
It suggests that that is exactly what could happen: "Do not give out your
bare-naked mailhero address (xxx@mailhero.io). Always make sure you add
something before the dot, otherwise you can't stop the mails from arriving!"

Seems like that should be a simple fix for them.

------
sanity31415
Very similar to [http://33mail.com/](http://33mail.com/), which has been
around for over 5 years.

------
newman314
Why can't it just be some random hash? For me, a key benefit of a disposable
mail account is not to have any identifiers including username.

~~~
barbs
You could make your username be some random hash?

~~~
wtbob
> You could make your username be some random hash?

Why not?
285e5c0452918bf77370c4a013317be4cf5e1ff690cc33a7346e837f59cdca58@foobarbaz.invalid
is, I believe, a valid email address. If that's too long, you can always
truncate it.

~~~
Akkuma
You could simply use something like base64 on a username you regularly use as
the hash.

------
JackPoach
Interesting concept. There have been a number of times when 10 minutes that
others typically give hasn't been enough for me.

------
ruffrey
Cool idea. I run mailsac.com and it kind of does this. Do you have a business
model? Times be tough in the temporary email niche.

------
DanitaBaires
I do this using two Gmail addresses, one set up to forward to the other with
filters.

------
homero
Very cool. Right now I'm using 33mail with a custom domain.

