
Receiveee.com - disposable email address - kornnflake
https://Receiveee.com
======
vidyesh
These are the services I use quite often when I need a disposable email id /
fake inbox.

<http://mailinator.com/>

<http://10minutemail.com/10MinuteMail/index.html>

<https://www.guerrillamail.com/>

<http://www.dispostable.com/>

<http://dudmail.com/>

<http://getairmail.com/>

<http://mailcatch.com/en/disposable-email>

<http://spambox.us/>

<http://www.yopmail.com/en/>

<https://ssl.trashmail.net/>

<http://www.fakeinbox.com/>

<http://www.fakemailgenerator.com/>

<http://www.tempinbox.com/>

If I am really paranoid or just on tor then I use <http://tormail.net/>

Now adding <https://receiveee.com/>

One of the reasons why I have a list of all these disposable email services is
because some do get blocked from websites.

Eg. mailinator : I loved the service but its mostly blocked everywhere now. _(
I know there are alt domains for mailinator )_

Really appreciate all these services.

~~~
easy_rider
Thanks for the list! I will add them to our blocklist :) Our business values
e-mail destinations where we can actually incite the signed up user with
interesting offers, or new product features, instead of sending it into a
black hole.

~~~
dbingham
If I give you a blackhole e-mail address, it's because I suspect you are going
to spam me. Blocking the blackhole addresses only alienates me as a customer,
confirms my suspicion that you intend to spam me and adds one more barrier to
my trying your software or service.

------
jbellis
<http://mailinator.com/> has been around for a while, and allows you to pick
your own inbox name, as well as many alternate domains.

~~~
gm_
Note that @mailinator.com email addresses are blocked at a significant number
of sites due to its popularity. Throwaway email sites that alternate between
several different domains work best.

~~~
jonknee
Mailinator has a ton of different domains. You can check them all from
mailinator.com though.

~~~
AgentConundrum
You can't get a full list of them on mailinator.com, since it makes it easy
for a misguided website administrator to just ban the whole list.

Instead, the site will randomly show one of the alternate domains on every
page load. At one point, it would even give 'gmail.com' and other legitimate
domains as the alternate if you tried to scrape them too quickly (or rather,
they hypothetically-yet-definitely-didn't-do that).[1]

Today, the alternate domains are shown as an image[2], and even that isn't a
complete list, since other people can simply redirect mail incoming to their
domains to mailinator.com. Mailinator explicitly condones this.[3]

[1] [http://mailinator.blogspot.ca/2011/05/how-to-get-gmailcom-
ba...](http://mailinator.blogspot.ca/2011/05/how-to-get-gmailcom-banned-not-
that-i.html)

[2] <http://www.mailinator.com/get_alt_domain>

[3] [http://mailinator.blogspot.ca/2007/10/new-mailinator-
alterna...](http://mailinator.blogspot.ca/2007/10/new-mailinator-alternate-
domains.html) (end of second paragraph)

~~~
sirn
You can still ban Mailinator by simply resolving DNS (or even only MX record)
and reject if it matches 72.51.33.80.

~~~
jrockway
That will only work if you know exactly how your entire mail stack will handle
resolution and you re-implement it exactly on your frontend. Consider this
case:

Resolving not-mailinator.whatever.com returns:

    
    
        not-mailinator.whatever.com. 86400 IN MX 10 a.bad-mailserver.com
        not-mailinator.whatever.com. 86400 IN MX 10 b.bad-mailserver.com
        not-mailinator.whatever.com. 86400 IN MX 10 c.bad-mailserver.com
        not-mailinator.whatever.com. 86400 IN MX 10 d.bad-mailserver.com
        not-mailinator.whatever.com. 86400 IN MX 10 e.bad-mailserver.com
        not-mailinator.whatever.com. 86400 IN MX 10 f.bad-mailserver.com
        not-mailinator.whatever.com. 86400 IN MX 10 g.bad-mailserver.com
        not-mailinator.whatever.com. 86400 IN MX 10 h.bad-mailserver.com
        not-mailinator.whatever.com. 86400 IN MX 10 mailinator.com
    

If you choose one at random, your frontend has a 90% chance of choosing a mail
server that isn't mailinator. But when your MTA tries to send the message, it
will notice that bad-mailserver.com is offline and try the other MXes,
eventually hitting mailinator and delivering the message you tried to block.

You could put a limit on the number of MX records a domain can have, but Gmail
has 5 and so you'd only reduce the chance of success to 80%.

Then you have to consider the mechanics of DNS. How many layers of CNAME
indirection will you follow? Will you cache results? (If so, how will you
trust that the responses are valid?) How long will you wait for DNS responses?

A poor implementation of DNS lookups will use unbounded time, unbounded
bandwidth, and unbounded file descriptors. This isn't a hack you are going to
code up in an afternoon, and one mistake means your website is going to
randomly go down.

And so you have to ask: why? Why do you care if someone uses mailinator?
Spammers are just going to set up their own domain or use someone's malware'd
Windows box. And someone that wants to ignore your email is just going to have
a procmail rule auto-submit your messages to Spamcop anyway.

So you gain nothing, spend a lot of time programming, and it won't solve any
problems. In conclusion: worst idea ever.

~~~
sirn
Interesting, I know this is a bad idea, but: what if I connect directly to
SMTP servers returned from retrieving MX records then send `RCPT TO: <some-
email@mailinator.com>` and see if it passed or error with 550? My guess is
there will be another whole range of issues involving open relays and servers
that happened to not return 550 on nonexistence mailbox?

(I'm not trying to block Mailinator, just some exercise for myself.)

------
kornnflake
I used my free time during Christmas and pushed a huge update to my latest
weekend hack. It's a disposable email address service.

Some of the main features are:

* SSL only connections

* All data is stored in memory using redis to make the site blazing fast

* New mails are instantly displayed using web sockets

* Automatically clicking on common activation links

* Your inbox doesn't expire

~~~
xoail
Thanks! I will add it to my filters and make sure users dont register through
it. ;)

~~~
EwanG
Why? It seems like you are escalating a war AGAINST your users. Most folks who
use a disposable address are trying to make sure their main address doesn't
become a fount of spam. If I continue to visit your site/service, then I will
probably decide to "update" my address on my own for the convenience. Am I
really being naive?

~~~
duskwuff
You are being naive -- it really depends on the service. For trivial online
services, a disposable email might be fine, but for anything that costs money,
you're doing your users a disservice by letting them register with an email
address that they won't be checking (and which could potentially get hijacked,
if someone knew the address).

~~~
arscan
If a service prevents me from signing up with whatever email address I want, I
won't be using it. It's one thing to discourage weak passwords, as that's a
common mistake for people that don't know any better. It's another thing
altogether to deny signing up with something like this, as they clearly will
know the ramifications of doing so.

~~~
jacobn
I have a website that gives freebies (=$$$) to new signups, so allowing
throwaway accounts makes people do things like sign up for 100 accounts.

Not giving freebies is of course an option, but then there is goodwill lost on
that end instead.

It sucks both ways. At least I don't spam my users, but they of course only
trust that assertion so far and I certainly don't blame them - there seems to
have been a significant rise in email marketing in the last 6+ months -
probably some annoying YC startup or two making it much too easy for sites I
signed up for at some point but really don't want to hear from send me
email... Tsk, tsk ;)

~~~
LiveTheDream
Then just give the freebies to non-throwaway accounts. Now your users still
have a choice, and you don't lose any goodwill (obviously, explain that
throwaway accounts don't qualify).

This is on the same level as adding a CAPCHA if someone comment looks like
spam.

------
mike-cardwell
Your site seems to display any arbitrary html sent via email. So it will load
flash, javascript, honour meta redirects to other sites, etc. Try running it
through <https://emailprivacytester.com/>

E.g: <https://receiveee.com/1QQGEpdt/908>

~~~
kornnflake
Thanks for the hint! Already fixed most of these attacks and looking forward
to fix them all.

Btw: This fix only applies to new mails.

------
DanBC
This is interesting; thanks for sharing.

It's only useful until websites start filtering out the receivee domain -
that's been happening with a few disposable email addresses.

And the highlight on " We even automatically click on common activation links
for you" was a bit confusing. I was expecting a link to a page about the
pointlessness of Challenge Response.

And what I really dearly want is an anonymous way to send an email - I don't
mind having to sign up; I don't mind having to pay; but I really want a method
where sending an email to $Person means they have to work _very_ hard to get
my real identity. (This is for good, not bad, reasons. But I can see the
potential for abuse.)

~~~
Roedou
Dan, I was looking into anonymous sending options recently.

Two quick questions: \- "don't mind having to pay"; what might you be willing
to spend? $5/month? $50? 2c per email? \- "they have to work very hard to get
my real identity"; get-a-court-order hard? Or harder than that?

~~~
DanBC
get a court order hard; $5 per month.

~~~
feralmoan
Hi, I'm building something just like this called bip.io, throw away email
addresses and identity protection are a 'feature' of a wider messaging API
(its a glue platform, similar to ifttt or zapier or engineio). We're
approaching a stable beta. If you'd like to try out the service, follow us on
twitter @bipioapp and we will notify when the gates are open. Realistically
about 4-6 weeks away, just putting it out there if you're looking for
options...

(oh, and you can use whatever domain you can manage MX records for - its
preferable in fact)

------
laureny
The main challenge for these kinds of services is that they're only as useful
as they are unknown.

If they start getting popular, they either

\- start getting slammed with volumes of spam that are so high that the
creator needs to start paying some serious hosting fees to keep the service
running

\- get blacklisted

Mailinator has outlasted all its competitors because it addressed both
problems very early on. I wish receiveee best luck but I'm betting that it
won't be around in a year from now.

------
dools
For anyone wanting to stop signups from disposable email addresses I've found
this service to be really good:

<http://www.block-disposable-email.com>

has a massive database and a bounty for new additions!

We have 2 factor verification for <http://8centsms.com/> but with the advent
of disposable inbound SMS numbers via Twilio as well as disposable email
addresses we were getting a bunch of people signing up and getting the free 10
credits repeatedly.

We haven't seen the problem recur since implementing this service, though so
it seems the coverage is pretty good (/me prepares for onslaught of fake email
signups to get the 10 free SMS credits via fake Twilio numbers ... )

All we need now is a service to blacklist disposable mobile numbers!!

~~~
antr
I use disposable emails only to signup to services. I later save the email and
pwd with 1Password. I've been doing this for a long time.

The reason I do this is because many startups (and non-startups) keep abusing
on the amount of email they send you, even if I unsubscribe from their
"newsletter" they come up with other non-newsletter emails - and this is just
unbearable. I feel like being spammed most of the time.

The advantage of using disposable email is that I have access to the service,
I decide when I receive emails and it's a great way to protect my account from
being hacked (think of any recent social eng hack a la Amazon, Apple, etc.
they couln't do it without your signin email).

A handful of other colleagues do the same thing. If you blacklist users who
want to protect their privacy and want control over their inbox all you are
doing is blocking (in our case) affluent users.

~~~
Gormo
Many email services offer disposable addresses integrated with your real email
account.

Yahoo in particular has an excellent system for doing this; you can generate
disposable addresses by adding a unique string to a base name particular to
your account (but which isn't identical to your real address, as it is if you
use a '+' delimiter with Gmail). By default, all messages received at any
disposable address go to your primary inbox, but you can designate an
alternate folder for each of them. Since all of your disposable addresses are
@yahoo.com, it's impossible for admins to blacklist the domain.

Sorry if this sounds like a commercial for Yahoo Mail; I'm just very happy
with this feature and almost never resort to using Mailinator et al.

------
bredren
<https://gli.ph> Cloaked Email is more convenient than these services and can
offer you the same or better privacy.

receiveee looks great for incoming one-time emails like spam and confirmation
emails. Gliph allows two-way email, at the cost of having to create an
account.

The cloak address you generate on Gliph forwards mail to your real inbox. when
you reply it appears to come from an cloak address.

More info in ReadWrite article: [http://readwrite.com/2012/08/14/use-this-app-
to-create-anony...](http://readwrite.com/2012/08/14/use-this-app-to-create-
anonymous-disposable-email-addresses)

Gliph also sets you up with a secure picture messaging tool for iOS and
Android and a serious privacy policy.

Disclosure: I am co-founder and ceo of Gliph. Happy to answer questions.

------
StavrosK
My favorite disposable email provider, by far, is 33mail.com, mainly because
the addresses don't have to be disposable. You give a different email address
to each service, and, if you get spam, you know the culprit and can block them
right away.

Brilliant.

~~~
Alex3917
You can also just add +domain to the local-part of your email address and do
that without needing a disposable email service. Theoretically some sites may
strip them out, but I doubt that many go to the trouble.

~~~
bobcattr
That only works with gmail.

~~~
michaelhoffman
It works for many mail servers, including Gmail.

~~~
Firehed
Also any Google Apps servers. Seems like a lot of extra work to look up a
domain's MX records to figure out if it's safe to strip anything after + from
their email address, which will only serve to annoy your users anyway.

------
dragondilesh
<http://10minutemail.com/10MinuteMail/index.html>

is also quite nice.

~~~
goodlook33
Looks good. I could've sworn there was another one like this. Maybe this is
the one, or this one is a newer clone?

Like Mailinator, this is a great idea.

Kudos to these guys for putting their mail admin skills to good use.

------
josscrowcroft
Question for business owners/founders: how do you feel about people signing up
for your services with these throwaway email addresses?

On the one hand, I respect people's privacy and right to use whatever email
address they like.

On the other (more relevant) hand - I sometimes need to contact users who
violate terms and conditions that their access may be switched off (I'd never
do this without contacting them 2-3 times). Also, I might need to inform them
that something has changed which might affect their usage. My service can be
quite integral to a lot of apps, so to me that's an important feature...

Thoughts?

~~~
garrettdimon
My feelings are that trust is a two-way street. If people don't trust us with
their email address, I don't think it's fair for them to expect us to trust
them with an account on our service if they provide a fake email address.

If they are serious about evaluating our product, they can provide a real
email address. If they aren't very serious or inherently don't trust us, then
I'm willing to miss the opportunity of having them as a customer.

I respect their privacy, because we don't spam, sell, or abuse any of these
email addresses ever, but I find it hard to trust anyone with an account on
our service if they use a fake email address. Personally, when I sign up for
services, I find it helpful to gauge the company based on how they use my
email. If they automatically start sending me marketing materials the next
day, that tells me a lot, and I'll generally cancel the service and report all
of the subsequent marketing emails from them as spam. The only way to do that
effectively is if I use a real email address.

Do people use these fake inboxes for any reason other than trying to prevent
or cut down on spam? Am I overlooking some key aspect of allowing people to
use these email addresses?

~~~
LiveTheDream
Why should a potential customer be willing to trust you with their email
address? Perhaps you _are_ very respectful of their privacy, but already their
trust has been violated plenty of times by other, less honest companies. "One
bitten, twice shy" and all that.

~~~
garrettdimon
I'm not claiming that they should trust us. I'm only saying that it works both
ways, and that we as business owners have a choice about whether to trust
potential customers just as much as they have a choice about whether or not to
trust us.

It might be anachronistic, but if a potential customer wants to begin a
relationship with us with a lie, then of the two of us, I would think we have
more reason to mistrust that individual than they have to mistrust us. Their
mistrust is based on projecting bad behavior of other companies onto us
whereas our mistrust is based on them actively beginning the relationship with
a lie.

Of course, this decision may cost us some potential customers, but for now,
that's something that we're willing to accept.

------
electrotype
I used to use services like this, but now I simply have a gmail account
dedicated to hit and run emails.

I only go to this account inbox when I'm looking for a particular email. It's
full of spam and I don't care!

------
rgovind
Great tool. I would like to ask HN folks opinion on another kind of email
service. Its quiet possible that google or yahoo can boot you from their
service whenever they want...even if you don't think you violated their TOS.
Do you guys think there is room for a service in which, once you signup, you
will never be booted from the service? All data will be yours, or after you
are gone, it will belong to your descendants.

Of course, there are spam considerations here..but I think they have to be
worked out.

------
gtklocker
Some services, like Facebook, normalize the mail address (turn all letters to
lower case). Can you make sure that mails to the normalized email also reach
my inbox? (They don't now!)

~~~
danellis
That would violate at least RFC 2821, which says that the local part must be
treated as case sensitive.

~~~
Firehed
What provider doesn't violate that part of the spec? I see plenty of
sites/services that uppercase my email address for whatever clever reason they
feel is necessary; _not_ violating that part of the spec and actually making
the address case-sensitive would be a detriment to the users.

------
asimjalis
One thing I like about receiveee more than mailinator and 33mail is that you
can start using it without signing up. The user interaction is very smooth.

~~~
goodlook33
I justn looked at 33mail and they ask for a signup.

As re_todd says, mailinator asks for nothing from the user. The accounts are
created automatically.

Just send mail to some-new-account-foobarbaz@mailinator.com and an account
(user) is automatically created. No passwords. No sign in.

------
3825
I have a google apps account which runs something like
administrator@example.com I put their domain
www.suspiciousvendor.com@example.com as my email address when I sign up. I get
all emails sent to *@example.com in the google mail archive folder and I can
search if I need to

Too bad google discontinued the free option.

------
theone
This is really useful.

However I missed a link to bookmark the home page. As on going to
<https://receiveee.com/> it automatically redirects to newly created address.

It is cumbersome to manually add it to bookmark bar.

------
LandoCalrissian
<http://www.tempomail.fr/> is what I have been using for a very long time. You
can have it redirect to your normal e-mail address and there is a nice chrome
plugin for it too.

------
jsmeaton
I'm finding that the secret url is very very close to the actual email
addresses in most cases. It's fairly trivial to guess inbox addresses based on
email addresses. Is this ideal?

------
Illychnosis
This is a great idea:

"Your Private Inbox

Only you can access this inbox by returning to this web site using the same
browser or by saving the link for this page. Others are not able to read your
mail."

Props to the progger/designer.

------
RaphiePS
New emails showed up really, really fast. Consider me impressed.

Just a minor suggestion: you could wrap the email address in a link prefaced
by "mailto:" to make it super easy to test the service.

------
apathetic
I tested it from both my gmail and outlook.com account. I instantly received
the e-mail from gmail but from hotmail I never received the test e-mails I
sent.

------
tunetosuraj
It's a flawed system. If I give my email for ex: XXXXXX@receiveee.com to
someone.. They can practically view my inbox by going to receiveee.com/XXXXXX

------
surapaneni
<http://boun.cr> does this already and also allows you to pick your own email.

------
tomjen3
Does anybody else get a certificate error (it claims that it has been signed
by an unknown key).

------
wangweij
Is this service really safe? It shows me a page with URL like
<https://receiveee.com/123456WC>, and an email address of
123456XM@mailseal.de, so only the last two letters are different. Now once my
email is sent and the address made public, isn't it very easy for someone to
find out the page?

------
Cyranix
Is anyone else seeing the "site's security certificate is not trusted" warning
in Chrome?

~~~
jackbauer
saw it in firefox

------
mosselman
Nice site. Only I am afraid that I will forget the amount of 'e's at the end
:).

------
artursapek
Isn't this a great tool for spammers? It even clicks activation links for you?

------
wallzz
can't we send emails using the same service ?

------
pawannitj
love this

