
Show HN: NBox – Sign up anywhere without giving your email address - bdav24
https://nbox.notif.me
======
talove
I've had a catch-all for *@mydomain.com forward to my primary email address
for 10+ years. In that time I signed up for services and websites with
[domain]@mydomain.com thinking I'd catch all those dirty scoundrels selling my
email address and have an easy way to filter unwanted mail.

But you know what really happened? I wound up with hard to remember email
logins and caught less than a handful of services sharing my email address
without my permission.

It wasn't worth it.

~~~
Sohcahtoa82
I did that, too. Used a catch-all and just subbed to things with a new e-mail
address, relying on the catch-all to put it all into one box.

Big mistake.

First off, I got FLOODED with e-mail bounce-back spam because spammers send
e-mail with forged From: headers and I'd get all the errors.

Second, I discovered that nobody is actually selling my e-mail address except
for one gaming forum I used years ago. Not even Facebook has sold my e-mail
address.

Third, I've run into issues when replying to e-mails. I filed a support ticket
with a company once, where the e-mail address I had registered with them was
company@mydommain.com. They responded via e-mail, and when I replied to said
e-mail, their ticket system rejected it since the From: address was my main
address of myname@mydomain.com.

Now that I want to just switch to a single e-mail account with gmail, I find
myself needing to try to find every e-mail address I've used @mydomain.com and
changing them with the website. Meh...not worth it.

~~~
pmontra
You could have solved the second problem by storing the email with the login
and password in a password manager. Maybe they were not a thing yet when you
started this experiment.

The third problem is more serious. I use Thunderbird. I googled and there are
a couple of addons that makes it easy to edit the from address without having
to create new Thunderbird identities.

[https://github.com/absorb-it/Virtual-Identity](https://github.com/absorb-
it/Virtual-Identity)

[https://freeshell.de//~kaosmos/index-
en.html#editsender](https://freeshell.de//~kaosmos/index-en.html#editsender)

Both are somewhat unsafe, one because of the site certificate, the other
because of the download site.

The first problem looks like a showstopper tough.

~~~
garaetjjte
Why you need addons for it? Thunderbird allows to change From address by
default. ("customize address" in identity combobox)

~~~
pmontra
I never noticed that, thanks. I googled and found it's there since Thunderbird
45, April 12, 2016.

------
bigtunacan
I think this is a good idea, but pretty poorly executed again.

Another user commented that you could just register your own domain and do
this; that's great for the average hacker news reader, but not so great for
the average Joe so a service like this (if done correctly) would be pretty
convenient.

Things that jump out right away as bad about this NBox.

1) It just auto generates an email for me. That's going to be a pain in the
ass to remember.

2) Wait; how do I login? I literally don't understand how to login to this app
short of going to the site and I get auto logged in by the Chrome extension?

3) Why do I even need a Chrome extension to get my email; where is the
password protection so I can login from a different device or god forbid my
computer crashes?

4) Not every service asking for an email address is a web service. If I sit
down for dinner at an Applebees and order a meal a server is going to tell me
the appetizer is free if I just provide my email address... and I want that
free appetizer minus the side of spam...

As someone else noted mailhero.io is basically the same service as this, but
it's big flaw is that the real email address is exposed since it's always
included in the provided email address.

spam.u.later@mailhero.io (ah; real address is later@mailhero.io) Also; many
other email services (including GMail can do the samething as mailhero using +
addressing and adding rules.

~~~
maccard
Agree with all your points except your last. Many websites and services will
disallow email addresses with + in them (and they're normally he ones I don't
trust, like insurance comparison ones)

~~~
aaronrenoir
If you are running your own mail server (the open web is not yet dead) you can
change the `recipient_delimiter` to another character. Mine is setup with a
period. misc.ycombinator@domain.com

~~~
eddyg
This is definitely a pro-tip! Using a dot instead is a great idea and much
less likely to be "auto-removed" by a smart harvester that strips "+"
extensions.

------
_Marak_
As an alternative, you could register a domain with a catch-all email address
and simply register for new services on the fly using a unique string for each
site. Have the catch-all forward to your main email account.

For example, I would sign-up for HN using hackernews@marak.com and for Reddit
using reddit@marak.com

Simple and effective.

~~~
eriknstr
Been there done that. If you catch all e-mail you will also get a lot of spam
to random addresses like say sven@marak.com, lollerskates95@marak.com and so
on and so forth. So then you need spam filtering anyway, or you need to
configure which addresses are valid.

I still host my own e-mail but I no longer do catch-all. There are only a few
sites and services I care about. For those I have trusted them with my e-mail
address. For all others I use 3rd-party throwaway mail services.

I get less spam now than I did with catch-all.

~~~
e12e
If you host your own domain you'll likely need spam filtering for abuse@ or at
least postmaster@ (or ignore RFCs, like most unfortunately do..).

~~~
eriknstr
I forward abuse@, security@, postmaster@, hostmaster@, webmaster@, info@ and
dns-admin@ for my main domain, and actually mostly don't get any spam to any
of them except from dns-admin@, which I have listed as contact in WHOIS for
some of my domains.

------
bdav24
Hi, I'm David, one of the developers of nBox.

nBox generates for you an email address for each site, for free.

\- Effortlessly thanks to our browser extensions

\- Addresses are anonymous and private

\- Delete the addresses you don't want any more

\- Be notified according to your preferences on each email

I'm looking to share the service. Any feedback is very welcome.

Thanks!

~~~
slg
My hesitation in signing up for any of these unifying products is the
potential lock in. If I start using your service and eventually have dozens of
sites directed through you, what happens when the product disappears?

My question is therefore how do you plan to fund this indefinitely if it is
"Just Free, Forever" and is unlimited? You say it is part of promoting your
brand, but it looks like that brand (or at least the domain) has been around
for less than a year, so not much history. If it isn't you company's main
product, what is to stop you from deciding the costs of providing this becomes
too expensive for the promotion it is giving you?

~~~
bdav24
Hi slg, that's a valid concern, here is a copy-paste of an answer I wrote
earlier:

I tried to answer it there:
[https://www.producthunt.com/posts/nbox/comments/483328](https://www.producthunt.com/posts/nbox/comments/483328)

~~~
slg
I guess that is a fair answer. Thanks for responding.

------
jswny
So how is this different from something like Mailinator.com? In my opinion, I
can't see a use case in which I'd care enough to have my temporary email
private. If I cared enough I'd just use my real email.

~~~
jacobwg
If I had to guess, requiring that each email address be tied to an individual
person would allow NBox to stay off "temporary email address" blacklists. It's
a privacy service essentially, not an anonymity service. Same reason why
credit card masking services are legal, but Visa/MC/etc wouldn't allow a mass-
shared CC number.

~~~
alkonaut
But a throwaway gmail account works the same yes?

~~~
Ajedi32
Gmail accounts sometimes require you to give a phone number in order to
register a new account. Not to mention creating a new email address with this
looks way easier than signing up for another Gmail account.

------
ionelmarcu
A link to the chrome extension on the landing page would be quite useful
(Otherwise visitors need to go to the chrome web store and search for it...and
some of them are too lazy to do it). But otherwise I really like the idea.
I'll give it a try ;)

P.S. here's the link for the extension:
[https://chrome.google.com/webstore/detail/nbox-your-
registra...](https://chrome.google.com/webstore/detail/nbox-your-
registrations-d/gjffheoeedkincollmimgklbckindfkk)

~~~
tenryuu
thanks ported it to Edge and Firefox [https://github.com/Scrxtchy/nbox-
everywhereElse](https://github.com/Scrxtchy/nbox-everywhereElse)

~~~
bdav24
Hi tenryuu, you're right extensions can be ported more easily than before,
thanks for your contribution!

The Firefox extension was following the validation process, it's now
published: [https://addons.mozilla.org/en-
US/firefox/addon/nbox/](https://addons.mozilla.org/en-US/firefox/addon/nbox/)

------
kchr
Why does it feel like I am the only one using plus sign (+) feature supported
by SMTP standards?

[http://www.faqs.org/faqs/mail/addressing/index.html](http://www.faqs.org/faqs/mail/addressing/index.html)

TL;DR - Most SMTP servers support delivering mail to addresses like
foo+bar@email.com, in which case it will be received by foo@email.com. You can
specify whatever string of alphanum chars you'd like after the plus sign.

~~~
ghusbands
I've hit enough sites that refuse to accept a + in email addresses that I gave
up using it, on the basis that I couldn't remember whether or not I was using
it, per site. Standard it may be, but so many sites have bad email address
validation.

------
alkonaut
How does it work? I mean how does it generate addresses that aren't blocked by
the a services (like mailinator and similar throwaway email sites)? Does it
use thousands of random domains?

~~~
bdav24
Hi alkonaut, the domain is unique at the moment. Some services might block our
addresses some day, but that would be a mistake because nBox is not a
disposable email service.

------
hota_mazi
Most of these new email services overlook a few very important details which
guarantee that they will probably not be around in a year:

1\. You need to have multiple domains. If your solution is just one host name
and your service becomes popular, it will become blacklisted in a matter of
months.

2\. The volume of spam you'll receive is huge. Really huge. Even if your
service is only moderately successful. It costs money to keep such a service
running.

~~~
bdav24
Hi hota_mazi, I won't say that we can think up of everything but we have these
two points in mind.

------
ajnin
Presumably if I don't want to receive spam emails I'm also unlikely to allow a
website to send me notifications. I'm unlikely as well to install an extension
for a very specific service I'm not going to use very often. Extensions are a
privacy concern and consume memory needlessly.

If I'm willing to give a fake registration email I probably don't care about
privacy and this is just for throwaway anyway. I'm not going to give any
personal info to a website I don't trust with my email in the first place.

I also don't understand how this is not going to be blacklisted like any other
anti-spam email service.

Maybe I'm not the target for this product bu this seems to bring nothing new
in a slightly more annoying way.

~~~
slg
> Extensions are a privacy concern and consume memory needlessly.

This is somewhat tangential to your points, but I see this type of comment a
lot. Chrome extensions are just renamed zip files that contain all the JS,
HTML, and CSS for their extensions. It is easy to take a look at the source
code if you have any privacy doubts. The author might try to obfuscate the JS,
but it should be trivial to see if there are outgoing connections being made.
Google also makes it simple to disable extensions with a couple clicks if you
want to keep particular extensions disabled except when you are actively using
them.

------
StavrosK
I've been using 33mail.com for years for this. I just give it an address like
"hackernews@username.33mail.com" and it forwards email. If hackernews ever
starts spamming, 33mail gives me a link to block it.

I love that service, it's saved me countless headaches.

~~~
bdav24
Hi StavrosK, yes 33mail (and others) propose almost the same service. Two
slight differences though:

\- email are less guessable with nBox

\- if 33mail gets hacked, spammers will get your email address

------
JadeNB
The FAQ says that it's not a disposeable-e-mail-generator, but the description
of what it does makes it seem like that's exactly what it is. (Maybe it means
that it doesn't generate _random_ e-mail addresses from a shared pool?)

I've been a satisfied user of SpamGourmet (www.spamgourmet.com) for years, and
the only (argueable) downside I've seen is how upset customer-service
representatives get upset while reading my address. How does your service
compare?

~~~
bdav24
Hi JadeBN, you're right spamgourmet is very similar to nBox. Here are a few
differences:

\- With spamgourmet the addresses are designed to expire after X emails, so
it's intended for services you don't care about. \- Once I know one
spamgourmet address, I can try to guess other addresses of yours. \- We don't
ask for your personal email. If spamgourmet gets hacked, spammers will get
your information.

~~~
JadeNB
Thank you for the reply; I think that this is a useful description of the
advantages of your service. Just for purposes of completely accurate
comparison, though:

> \- With spamgourmet the addresses are designed to expire after X emails, so
> it's intended for services you don't care about.

This is configureable; it can be turned off entirely (allowing a trusted
sender to send an unlimited number of e-mails to an address), or the allowance
can be 'refreshed' (so that, after, say, 5 e-mails sent to an address, you can
allow 5 more as a further probation).

------
mgberlin
So if you shut down I no longer receive any emails I have signed up for?

~~~
bdav24
Hi mgberlin, that's a valid concern, I tried to answer it there:
[https://www.producthunt.com/posts/nbox#comment-483412](https://www.producthunt.com/posts/nbox#comment-483412)

Edit:
[https://www.producthunt.com/posts/nbox/comments/483328](https://www.producthunt.com/posts/nbox/comments/483328)

~~~
huhtenberg
Working link -
[https://www.producthunt.com/posts/nbox/comments/483328](https://www.producthunt.com/posts/nbox/comments/483328)

~~~
bdav24
Thanks, my link only works for me...

------
markwakeford
So a lot of systems these days use email password recovery, is this not just
adding another attack vector ?.

> bdav24: Hi water42, don't ever trust anyone with your data, governments and
> big companies get hacked every day. Our angle: we don't ask for any personal
> information

You will be able to route/read all of an individuals inbound mail ?

~~~
bdav24
Hi markwakeford, that's something we're currently working on. All devices that
access the account will have to be validated on the previous device(s) and
will be displayed.

That said, for targetted attacks we won't be able to do better than Google and
others, the risk is never 0.

> You will be able to route/read all of an individuals inbound mail ?

You mean to handle the load? We can scale at any time if we need to, but our
current setup can already handle a lot.

------
iliketosleep
I am trying to understand this. Appears to offer bulk accounts that are easy
to create and permanent, targeting the market that sits between a) regular
email addresses, which are permanent but a pain to sign up for, needing phone
verification, etc. and b) throwaway accounts that are easy to create but
cannot be kept long-term.

This seems like an interesting idea if they own a whole bunch of different
domains, but they don't specify this, and my attempt to sign up for an address
failed. (open firefox -> click create my nBox -> click Sign up for a service
(i type [https://facebook.com](https://facebook.com)) -> receive message
saying "To create your nBox Allow the notifications" -> No simple info about
how to do this is given, so I give up)

~~~
bdav24
Hi iliketosleep, to allow the notifications a small window should appear at
the top of the page. But not all browsers have implemented this feature. What
device and browser do you use?

~~~
iliketosleep
I'm using the latest version of firefox on win7. Upon further investigation, I
think I know what happened now. There's a tiny box at the left of the address
bar that enables me to unblock notifications for the site. Which means I must
have automatically pressed the "disallow" button before even reading anything
(a reflex response!). If I was you, I'd have an option to see a screenshot
showing how to unblock notifications. It's always the stupid little things
that can make a very big difference.

~~~
bdav24
Ok, I'm glad it works. Thanks for the feedback, we'll try to add that
somewhere.

------
ianai
I need this for cell #s

Having said that, I plan on using this.

------
synicalx
This is a good idea but creating a new address for each site seems to be
overcomplicating a simple problem. I just have
"mynormalemailalias_spam@domain" which is used for sign ups, if I ever need to
log into a site I've signed up with using that address it's easy to remember
the login details and/or reset my password.

~~~
bdav24
Hi synicalx, I used that method for many years too, but with time the emails
end up piling up. That's manageable of course, but it feels nice to control
exactly who owns your information.

------
mccolin
This seems like it's _almost_ "1Password for Email Addresses," which would be
pretty great: go to site, hit key combination, have random/saved email
inserted into login boxes. Combining that with email forwarding to my real
email address _that I can turn on and off_ is pretty powerful.

~~~
bdav24
Hi mccolin, thanks for the support! :)

------
cdubzzz
Why is it _required_ to enable notifications from the nbox site in order to
generate an address?

~~~
bdav24
Hi cdubzzz, no it's not required.

~~~
cdubzzz
Here is what I see after I click "GENERATE AN ADDRESS" > "Generate an address
for any other reason": [http://imgur.com/ktTssbB](http://imgur.com/ktTssbB)

If I click "Not Now", the prompt goes away and nothing happens. Perhaps I am
misunderstanding how the service works?

~~~
bdav24
Ho sorry you're right, technically accepting webpushes is not required, but
it's part of the tunnel for now. We're currently changing that, but it's not
finished yet.

~~~
cottsak
You'll need to fix that. As other have pointed out: If I'm not a fan of spam
then I'm likely not a fan of desktop notifications either.

------
imhoguy
In my experience spamers use mostly email addreses publicly exposed (web
sites, usenet, forums) and stolen address books (viruses, malware) - you can't
do much about the second if that happens to your recipients.

~~~
bdav24
Hi imhoguy, spammers also happen to buy leaked data sometimes to better target
people. Anyway, spam is one thing we address, but that's not the main point.
It's more about control of your privacy.

------
suhith
These days many services ask for a phone number for 2FA just to sign up, it'd
be great to have a tool that gave you multiple numbers on demand so you don't
have to give out your phone number.

~~~
Psilidae
I've been considering just buying a few prepaid SIM cards just for services
like this. I'd love some throwaway phone number/ SMS-forwarding services, but
most get blacklisted within a few months because spammers immediately jump all
over them.

------
nkkollaw
If the service is down or I want to stop using it I'm totally screwed, though.

Usually if I forget the password to a service they can send me a reset link,
what would my options be with NBox?

~~~
bdav24
Hi nkkollaw, we're very careful to limit possible downtime, and there is a
system of retry for incoming emails, so we should not lose some.

We're currently working on the "account creation" part of nBox.

------
dmitrygr
This has existed and been free for 22 years already:
[http://www.mytrashmail.com/](http://www.mytrashmail.com/)

~~~
bdav24
Hi dmitrygr, the idea is not new, but the link you gave is for disposable
email addresses, which are public. That's a different use-case from nBox,
where the addresses are private.

~~~
dmitrygr
use a uuid - it is as private as imaginable - you'll never guess mine

~~~
bdav24
Yes, that gives you some privacy of course, but I still think it's a different
use-case: with disposable email services, you're usually not notified when you
receive an email, and checking all the addresses must be a pain. I'd use them
for services I really don't care about and nBox for wanted and semi-wanted
emails.

------
monista
I tried to "Create my nbox" (or "Generate an address") and it sent me to
Chrome addons site. Is it Chrome-only web service?

~~~
bdav24
Hi monista, nBox is heavily based on Chrome at the moment, but a Firefox
extension is coming and mobile apps may follow.

------
sashk
How is this different from, let's say mailhero.io?

~~~
bdav24
Hi sashk, mailhero is very similar. One difference I see: email addresses are
not guessable with nBox.

------
ikeboy
1\. Great idea. It's been done by Blur from Abine.com which I've been using
for years.

2\. Possibly offer the ability to self host this?

~~~
bdav24
Hi ikeboy, you're right the idea is not new. We don't plan to offer this
possibility for the moment, but who knows, maybe one day.

------
midnitewarrior
So what's it like when NBox goes under and you can't recover your password on
any of your sites?

~~~
bdav24
Hi midnitewarrior, here is a post where I try to answer that (valid) concern:
[https://www.producthunt.com/posts/nbox/comments/483328](https://www.producthunt.com/posts/nbox/comments/483328)

~~~
midnitewarrior
Yes, that is your intention, but when funding gets pulled, investors rarely
like spending more money on letting things "unwind", they have not company or
brand to protect, so consumers' concerns take a back seat to investors.

The other problem with this is that there is now a middle man in my security
chain. If you get hacked, potentially all of my accounts can be hacked. If you
have a rogue employee, same thing. If you have a flaw in your security, I too
am at risk from a centralized source.

------
jv22222
Curious as to how they get ramen profitable off of this? Anyone got any ideas?

~~~
bdav24
Hi jv22222, we don't get ramen off of this project. We plan to add paying
functionalities some day if they make sense.

------
pzht
Randomly saw this, a typo on the first slider image - Navigate :)

------
graphememes
These get banned quickly, just a heads up

------
grenran
So wait, so instead of giving your email address, you're giving another email
address? That's just like email addresses with extra steps.

~~~
bdav24
Exactly! And it brings a lot of benefits.

------
irrational
The first thing I saw was "naviguate". Um, no, if you can't even manage to run
a spell checker I don't think I can trust you.

~~~
bdav24
Hi irrational, that's fixed now, thanks. We're not native English speaker, so
mistakes can slip through.

------
water42
how do i know i can trust the security and privacy of this?

~~~
bdav24
Hi water42, don't ever trust anyone with your data, governments and big
companies get hacked every day. Our angle: we don't ask for any personal
information.

------
gkfasdfasdf
s/additionnal/additional/

------
highstarter
It's a neat concept and useful especially for heavy internet users.

