
Show HN: IsTempMail – Detect and block disposable email addresses - clusterman
https://www.istempmail.com/
======
xvolter
This is completely ignoring the useful use cases of "disposable" emails like
privacy. I have a domain that I specifically use as a catch all, so anytime I
sign up for a website I use the domain as the username, like
news.ycombinator.com@forward.to.me.com

This helps protect me in many ways. If my email is sold or leaked, not a big
issue, I can just add that specific email to a blacklist and I never need to
get spam from it again. Or if I cancel and keep getting spam about rejoining,
blacklisted. It makes it easy to keep my spam and newsletters to a minimal.

It has the built in advantage that I can always sign up for new trials if I
want, just do thatdomain.com1@ thatdomain.com2@ and so on. Although I don't do
this often, I have had to do it for various reasons.

I've hit on occasion websites that block their domain from being in the email
address, likely a poorly implemented security check because their software
might say anyone with a "@service.com" email is an admin or something. In that
case, I enter some random crap. I never have to remember the emails, since I
can just search my email history for the address the service sent the
registration confirmation to.

However, the downside is privacy. I use my own domain, which contains my full
name, so when I sign up to some services and want to do so without giving my
name, I still rely on a disposable email service such as hidemyass.com; and I
do this for many online services. I am not a believer that everything I sign
up for needs to know my full name, address, and email - often services ask for
this information for no reason.

So attempting to block these types of services, that have valid and useful
benefits to users, simply harms your users. You can avoid spam users with a
captcha, and for trail abusers you already can't do much because @gmail.com
already allows for a lot of aliases to work like @googlemail.com, or
user.@gmail.com or u.s.e.r@gmail.com etc, or user+whatevertheywant@gmail.com

Don't harm your users with useless validations.

~~~
sadasd21asda
I disagree. I run a SaaS product and disposable emails are a bane to my
existence. I get thousands of signups a day from people all around the world
using disposable email addresses trying to milk the free tier of the product.

You have no idea the lengths people will go to.

If all you wanted to do was test a product out, create a real email address
even if it's full of bogus details.

If you won't try my product without a real address then you're a customer I
don't want and don't need.

~~~
pmoriarty
Your "free" tier isn't really free, then. As payment, you're asking for the
sacrifice of your users' privacy.

Some users may value your service so much or their privacy so little that they
may pay up, but for the rest of us it's back to the disposable email arms
race.

PS: Kudos for being open and considerate enough to defend an unpopular
position on here, though it's ironic that you did so using a disposable HN
account.

~~~
joshmanders
> Your "free" tier isn't really free, then. As payment, you're asking for the
> sacrifice of your users' privacy.

Is that what asking for an email to sign in to create an account to use a
service that probably doesn't work well without having an account is now,
invasion of privacy?

Where do we put our foots down and stop saying that everything a SaaS does is
sacrificing the user's privacy... Soon we're gonna start seeing "Whoa, asking
them to pay and input their credit card? You're asking for the sacrifice of
your user's privacy."

------
rubyn00bie
Not to be an asshole but I absolutely loathe this... these sort of things are
why I'm forced to give my email address to organizations I don't trust. This
is offensive to my sense of privacy and I wish people would stop doing it.

Too often now sites/app want a login for no benefit other than to SPAM me with
newsletters and crap I never wanted. That's why I use disposable email
addresses, you're providing me no real value, at least sight unseen, but I
must give you something I know is valuable-- my contact information.

~~~
cryptarch
I add the name of whomever I'm mailing whenever I enter my address, like
"cryptarch+microsoft@gmail.com".

If they remove the "+microsoft" portion mailing me, that email is sent to my
spambox and reported to spamcop, because I did not sign up with that address;
the address I signed up with has the +etc infix.

Eventually I figure companies will get wise to this and I'll have to set up my
own server which does the same trick with an underscore instead of the "+"
sign.

~~~
bb88
Not all email validators respect the + symbol.

~~~
jrsmith1279
With gmail you can use periods in the email address and gmail will ignore
them. i.e. bob.smith@gmail.com is the same as bobsmith@gmail.com or even
bo.bsmith@gmail.com.

~~~
SparkyMcUnicorn
I did that for a bit, but there's only so many variations and remembering
which email belongs to which service is not nearly as straight forward.

------
clusterman
I created it as a side project to stop fake registrations with disposable
email addresses, like emails from mailinator, email-fake.com, temp-mail.org,
etc.

It has a public API, no registration required, accepts up to 10 checks per
minute. A WordPress plugin and a simple PHP library are also included.

Check it out :-)

~~~
jakebasile
No offense, but why block those addresses?

~~~
joshmanders
Because some services have sensitive information and need a reliable way to
contact you. If you use my service and attach your credit card to pay for it,
and used a disposable email to sign up with and your account gets breached,
who's fault is it that I couldn't email you and let you know?

Sure if it's some throw away service that doesn't have such sensitive
information, that's fine, but there's many reasons to use such a service.

~~~
dingaling
> who's fault is it that I couldn't email you and let you know?

The user's fault; they are knowingly trading that risk for protection of their
privacy. That says a lot for how they regard the service in question.

What about rejecting ISP-issued e-mail addresses? Those are also ephemeral,
for those who use them.

What about Yahoo! / Outlook.com / Gmail addresses? in the vast majority of
cases people using those have no 'hold' on them and their accounts can be
suspended at whim.

Domain-related addresses can be lost if the registry decides to hike the
domain prices beyond affordability, such as with the 1000% increase in
Uniregistry gTLDs later this year.

Where to draw the line? All e-mail addresses are temporary.

------
tyingq
Cool. I know Microsoft has an email address classifier they use for things
like product beta signups. See these examples:

[https://flow.microsoft.com/providers/Internal.User/users/joe...](https://flow.microsoft.com/providers/Internal.User/users/joe.blow@gmail.com/getType)

[https://flow.microsoft.com/providers/Internal.User/users/joe...](https://flow.microsoft.com/providers/Internal.User/users/joe.blow@exxon.com/getType)

It classifies things like gmail, yahoo mail, hotmail as "Consumer" addresses.

So, there might be some additional markets for you if you can identify
"consumer" emails vs "business". Also, some niche areas like isEduEmail(), for
things like student discounts (fyi, not as simple as it seems at first
glance).

~~~
GordonS
Interestingly, if you try an @yandex.com address you get back a true "isViral"
property. Wonder what that means?

~~~
tyingq
Don't know, but you get "isViral" for zoho.com, amazon.com, google.com,
tencent.com, pinterest.com, and others as well.

------
mschulze
If you consider using this, please for the privacy of your users make sure to
only check the domain, not the full mail address (so not like the first two
API request examples).

~~~
clusterman
It's an API function, so it should accept any reasonable input. The WordPress
plugin checks only the domain name part, and the bulk checker does too.

------
basdp
This is such a bad idea. 99 out of a 100 times the use case for such a service
is because the developer wants to make sure it can spam a real email address.

------
maciekmm
In the past I've used this: [https://github.com/martenson/disposable-email-
domains](https://github.com/martenson/disposable-email-domains)

Gets the job done.

~~~
clusterman
I used it too, but several new domain names are added every day. It's
ineffective to manage/update your local block list.

------
josho
Kudos to the founder for trying something new.

But, I hope this doesn't take off because there are valid reasons for using
fake email addresses. E.g. I don't trust the site not to sell my email, or
leak it inadvertently through a security exposure.

------
sklivvz1971
I really don't like this service at all. It destroys value, like the ability
to be anonymous, and enables abuse by companies - the 90% use case is by
companies who use it for sending marketing junk as we all know perfectly.

------
o_____________o
I guess you don't show the domain name blacklist because that's the entire
business?

------
jpalomaki
Maybe instead of blocking disposable emails, give user a gentle notification
and explain why you would not like him to use such email address.

~~~
joshmanders
While the service mentions blocking them, this API can be used just for that.
All it does is take an email and tell you if it's a temp email. What you do
with that info after is up to you.

~~~
clusterman
+1. The WordPress plugin gives a nice warning message with a promise that the
website owner won't spam or sell the email address. After all, it's all up to
the website owner.

------
alphabettsy
I really hope this doesn't see adoption in many cases. I can see it being okay
in places where abuse is an issue, but I use different disposable email
services specifically because I don't want spam or my actual email exposed in
the endless stream of breaches.

I don't want Best Buy Rewards, etc. having my email to sell.

------
alphonsegaston
Can someone provide examples of temp mail abuse that makes this necessary? I
sometimes use these service to avoid being subscribed to ceaseless email
marketing rings or get at information (in my opinion) needlessly siloed in
things like forums.

Seems also like a user-hostile escalation in this kind of arms race that will
eventually be overcome anyway.

~~~
sklivvz1971
The only example I can think of is when using temp-mail for serious stuff.

E.g. you register an actual account with temp-mail, this makes anybody able to
reset the password.

I totally agree though that this service is user-hostile.

------
al_chemist
If you ask somebody their phone number and they give you a fake one - they
don't trust you and think you are an asshole. Same with e-mail. When you feel
you need to protect yourself from "disposable emails" then your problem is
elsewhere.

------
sgehly
I don't quite understand why this service is attempting to charge for what is
basically an email list, when email lists with more domains have been public
for quite some time.

~~~
homero
New ones pop up

------
kip_
Why is thrott.com (ThrottleHQ) on your block list?

I'd argue that those emails aren't disposable. I use ThrottleHQ to track when
service providers resell my email to other lists.

~~~
clusterman
Ones can create multiple email addresses, and disposable them in an instant.
It's just another disposable email service that is easily abused by spammers.

~~~
uzoodoo
You should block GMX too, it lets you create/delete multiple addresses per
account

[https://support.gmx.com/email/settings/aliasaddresses.html](https://support.gmx.com/email/settings/aliasaddresses.html)

------
GordonS
> Disposable Email Address (DEA) services

Is that acronym even a thing?

~~~
clusterman
I store and track "disposable email address service provider", so I want to
abbreviate that name. Anyway, I removed the "DEA provider" counter and the
acronym :-)

------
oxguy3
If you implement this on your site, it won't get me to give my real email
address; I'll just leave and not give your product a chance.

------
Veratyr
> Disposable Email Address (DEA) services are tools for spamming, fake
> registration, free trial abusing, etc. And we hate them!

Gloves are a tool for criminals! Knives are a tool for murderers! Cameras are
a tool for terrorists and pedophiles!

Like these other tools, email addresses have legitimate uses. If you find
yourself getting a lot of disposable addresses, there are other ways to ensure
you get a valid email address, like only asking for one when your users are
actually going to want to receive your emails.

------
cryptarch
Why block disposable email addresses?

------
avaer
This got me thinking of a tangential business idea: a user-hostile site
blocker.

You take a quick quiz of stuff you personally consider unacceptable from a
site (such as blocking disposable emails), and then it comes up with an
autoupdated blocklist.

Does this exist?

------
jpambrun
If I have no incentive login again, you should probably not ask my email. This
service is a nuisance just like all those sites that require an email for no
good reason.

------
fredsanford
This sucks. I hate it. VERY few "services" are worth the exposure of my real
email address. I made this mistake with yahoo, bigfoot.com and amazon.

It would not hurt my feelings if the developer of this "service" became
allergic to pizza. And if the service were to close... The allergy is
reversed, gradually.

