
Show HN: Startup with no website - GuerillaClick@gmail.com - eralpb
Hey there, there are a lot of disposable email services, but as I was thinking I realized 95% of the time, I don't care about my inbox. I just want to "verify my email".

That's why I created a startup with no website, it's called guerillaclick@gmail.com, it's a credible domain (you don't say) and it will click on any "verify" links you send to it.

You can use aliases to get around duplicate emails in the target system, so like

guerillaclick+eralp@gmail.com
guerillaclick+sdfaskdma@gmail.com
guerillaclick+111@gmail.com

so choose an alias and start using the service!

I will provide a website to see the inbox of your alias. (maybe for services who send your pw in the email, but then you might be better off using other established servers.)

Gmail API is a bit slow so it might take 30 seconds for email to be received on my end, keep in mind while testing!

Best,
======
nine_k
This is delightfully crazy.

Give some random guys with no website your registration record somewhere,
allow them to verify your registration as theirs, and then impersonate you,
reset passwords, see any communications, possibly log in as yourself and do
anything. All this with no recourse.

Nigerian spammers moan from envy for such a brilliant self-propelled
gullibility filter.

~~~
Semaphor
I have first.last@gmail.com and I've had people play poker and lottery and
sign up for dating websites with my e-mail address. I've also received
confidential information from insurance and building construction companies.

It's hilarious.

~~~
colechristensen
At this point I feel like I've shared a life with some of the others at this
point. There are several people who share my name who continually give out my
address. I get school closings, invites to pie socials at churches, family
pictures, conservative newsletters, and much more.

Once I was told about "my" enlistment in the reserves of some armed service.
That one I replied to and got a very polite response from someone with a
little bit of rank.

~~~
ian0
ha! Same here. I was sent notifications from a military application once
(seemed to be some SAP style system). I responded to a CCd email and they
politely responded and corrected the address.

The others are more mundane. Mailing lists with dirty jokes from a group of
American dentist friends. School notifications from a guy in the UK. Random
baby pics.

I'm not sure if there are lots of people with the same name who occasionally
get their mail wrong. Or a few people with the same name who constantly do. It
just seems weird though. Surely if you had a non firstname.lastname@gmail
address you would take extra care to add in the extra padding.

~~~
vsl
People are stupid when not paying attention.

I had customers who entered an undeliverable=invalid gmail address because
they were confused about who hosts their email. Used foo@hotmail.com, entered
foo@gmail.com. A few years back, I wouldn’t have thought this possible.

------
ReadyPlayerNone
Interesting, I've a few questions as food for thought.

- Is it allowed under GMail's TOS?

- Have you considered the security implications of having what is presumably
a server somewhere in your name clicking on any link that's sent to it?

- You say startup - do you have monetization plans? Putting adverts on the
associated website perhaps?

~~~
dkoston
Google TOS is pretty broad. However, one of the main factors here is that
export controls could quickly come into play. Since Google is US-based,
providing this service for those in embargoed countries could get you shut
down quickly.

They also have a "don't misuse our services" clause and I'm sure this would
count as misuse if found.

~~~
simonebrunozzi
Let me answer this: from what I know, and broadly speaking, this service is
both illegal and not allowed by ToS.

~~~
jake_the_third
> this service is both illegal

.. in your country. Saying something is illegal without mentioning
jurisdiction is meaningless.

> not allowed by ToS

The service being signed up to, perhaps. But it isn't clear to me that it's
banned by gmail's tos especially since he's using the service APIs normally.

------
alpb
Why do you call this a "startup"? It's a nice hack for sure but I'm not sure
if it has a prospect of being a business.

~~~
bdcravens
Because overwhelmingly the HN crowd thinks building an app is building a
startup.

~~~
judge2020
The product is a big part of a business, so if you have one, all you need is a
business partner and VC's to create a multi-million dollar company.

~~~
jressey
Yes those are trivial things that are simply an afterthought. The app ain't
shit, it's how well the business can execute.

~~~
ravenstine
Not enough people realize how true that is.

I've worked for companies that made pretty awful products, but they sure knew
how to sell 'em.

------
reaperducer
_guerillaclick+eralp@gmail.com guerillaclick+sdfaskdma@gmail.com
guerillaclick+111@gmail.com_

Unfortunately, more and more services are rejecting + e-mail addresses. Either
ignoring them, or flagging them as an error.

While it's perfectly within the RFC, companies are catching on to the trick.

(3M, I'm looking at you!)

~~~
kidsil
Gmail gives you another option - separate using dots.

g.uerillaclick@gmail.com

The number of options is of course limited but it's still recognized as a
separate address while still coming into the same inbox

~~~
dsl
I've built a few registration systems and always normalize email addresses
(remove local part, de-dot gmail addresses) at signup and login.

It helps users who keep trying bobjones@gmail.com when they signed up with
bob.jones@gmail.com. Also is pretty good at preventing mass signups using
tricks like this.

~~~
jake_the_third
How do you know where the local part starts? Google uses '+' but nothing stops
you from using '-' as a delimiter if you're running your own servers.

Also, how do you deal with spam filters that are designed to spam anything
without a local part? Or is this only done to "well-known" domains like
gmail.com?

~~~
apexalpha
> if you're running your own servers.

This is enough of a threshold probably.
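
The normalization discussed in this subthread, as an added example that is not code from any commenter: it strips the "+tag" and dots only for domains known to follow Gmail's rules and leaves every other domain's local part untouched. The names `canonical_email`, `SignupRegistry` and `GMAIL_RULE_DOMAINS` are hypothetical, and treating `googlemail.com` as a Gmail alias is an assumption of the example.

```python
from __future__ import annotations

# Assumption: domains that apply Gmail's dot and "+tag" rules. Custom domains
# hosted on Gmail cannot be recognised from the address alone; an operator
# would have to add them here.
GMAIL_RULE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return the key used for uniqueness checks (never used for delivery)."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()
    if domain in GMAIL_RULE_DOMAINS:
        # An unquoted local part cannot start or end with a dot or contain "..".
        if local.startswith(".") or local.endswith(".") or ".." in local:
            raise ValueError(f"invalid dot placement: {address!r}")
        local = local.split("+", 1)[0]          # drop the "+tag"
        local = local.replace(".", "").lower()  # dots and case are ignored
        if not local:
            raise ValueError(f"empty mailbox name: {address!r}")
        domain = "gmail.com"                    # fold the googlemail.com alias
    # Any other domain: keep the local part as typed, since "+" or "-" may be
    # part of a real mailbox name on servers with different rules.
    return f"{local}@{domain}"


class SignupRegistry:
    """Keeps the address as typed for delivery, indexed by canonical form."""

    def __init__(self) -> None:
        self._by_canonical: dict[str, str] = {}

    def register(self, address: str) -> bool:
        key = canonical_email(address)
        if key in self._by_canonical:
            return False                        # same mailbox already signed up
        self._by_canonical[key] = address
        return True

    def lookup(self, address: str) -> str | None:
        """Login helper: bobjones@ finds the account created as bob.jones@."""
        return self._by_canonical.get(canonical_email(address))
```

Mail is still sent to the address exactly as the user typed it; only the duplicate check and the login lookup use the canonical key.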

------
dimensi0nal
When Google inevitably shuts this down can you opensource the link clicking
program?

~~~
eralpb
I will open source whenever I have time, I just did it last night and decided
to share.

------
swongel
You can use Mailinator to do this already, you can see all of their inboxes on
their website and you can use all of their domains to bypass domain
restrictions. For example I might use somethingsilly@bobmail.info and it will
be redirected to
[https://www.mailinator.com/v3/index.jsp?zone=public&query=so...](https://www.mailinator.com/v3/index.jsp?zone=public&query=somethingsilly)

~~~
kodablah
> You can use Mailinator to do this already

While I'm a fan of Mailinator and their approach, I think the feature OP has
about auto-clicking verify is unique. But yes, to do this right, you need the
multi-domain approach of Mailinator instead of just aliases. Maybe Mailinator
has an API or supports POP/IMAP that would make this possible, I haven't
checked.

~~~
bionoid
Last I checked it appeared like Mailinator's POP3 support was completely
removed, and API access requires a subscription. It was priced _way above_
what I was willing to pay (I think $150 /mo)

~~~
close04
Also Mailinator is banned by multiple sites and I feel like that number is
increasing (anecdata). Which means it's getting less and less useful for the
purpose of "burner" email addresses.

~~~
cenal
You can point your own domain to mailinator mx records for free.

Don’t have a domain to throw spam at? Pick a sub domain and use that.

~~~
close04
I used Mailinator as the quick solution to access some one time resources on
websites that forced me to register. It was the simplicity of the throwaway
email that made it attractive to me. But when it's blocked on a website I
usually wouldn't want to bother with a more complicated setup. If the effort
is justified then I can probably use a regular email address. Other people
might have different use cases.

~~~
CapacitorSet
Pointing your MX records to Mailinator is a one-time small effort, then it's
just a matter to sending mail to whatever@yourdomain.com.

~~~
close04
I'm not sure if my use case was clear or perhaps I don't understand what the
scenario you present does.

Say I want to comment on a news article and need to register. I don't want
random-newspaper.com to have anything directly related to my person, including
anything @mydomain.com. So I quickly punch in random-email@mailinator.com to
register and once I'm done I can either forget the site and email ever existed
or keep using it since it's non critical and losing access to it doesn't
matter.

Ideally I would have different email addresses for every site so I can keep
those identities separated and free of any personal information. Last time I
used it like this was probably a decade ago because since then more and more
sites started rejecting @mailinator.com addresses. I found another such
solution that I have been using for the past years but this is also going the
same way (not a big issue yet).

------
O_H_E
Just make sure that account is not associated with any of your real data (even
IP). There have been horror stories at /r/TIFU about people getting their
personal accounts suspended and the whole enterprise account with them.

If Google gets angry about you, your life MIGHT be ruined –partially–

~~~
metahost
Turns out those r/TIFU stories were fake. A Googler from the GSuite support
debunked the claim. [0]

[0]:
[https://amp.reddit.com/r/google/comments/8l231x/google_banne...](https://amp.reddit.com/r/google/comments/8l231x/google_banned_an_entire_company_gsuite_accounts/)

------
tnr23
what about the gmail receive limit? it's 60 emails per minute or about 80k per
day

if you hit 1 minute over 60 you get blocked 24h

~~~
programbreeding
That seems like it would be incredibly easy to DoS someone.

~~~
ttul
Indeed it is.

~~~
greycol
Why you could easily advertise an email on a tech news aggregate site asking
people to use it to sign up for sites that may send you unwanted emails. You
wouldn't even need to set up a webpage. That's if you didn't want to sort out
a more direct method.

------
siruncledrew
Did you get the idea from GuerrillaMail?

[https://www.guerrillamail.com/](https://www.guerrillamail.com/)

~~~
protomikron
More and more services recognize disposable e-mail domains and don't allow
such addresses. Obviously they can't block the gmail.com domain.

I like the idea, but it probably is against Google's TOS, so there's that ...

~~~
godot
Theoretically if this guerillaclick@gmail gets popular, I'm sure services can
just specifically block guerillaclick+anything@gmail right?

------
kodablah
If something like this becomes popular, one might expect sites concerned about
non-human verification to add a captcha to their verification page before the
account is considered verified.

~~~
herogreen
Or: ask the user to use the same browser and check that cookies match /
"sanitize" gmail addresses
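
The cookie check suggested above, as an added example that is not part of the thread or any site's own code: the verification token is an HMAC over the signup session's cookie value, so a link opened from a browser without that cookie does not verify the account. The function names, the 15-minute lifetime and the in-process key are assumptions of the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # constructed demo key, per process
TOKEN_TTL = 15 * 60                   # assumption: links live 15 minutes


def new_session_id() -> str:
    """Value set as the signup cookie; hex only, so it has no separators."""
    return secrets.token_hex(16)


def _mac(email: str, session_id: str, expires: int) -> str:
    msg = f"{expires}\n{session_id}\n{email}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(email: str, session_id: str, now: float | None = None) -> str:
    """Token embedded in the verify link mailed to `email`."""
    issued = time.time() if now is None else now
    expires = int(issued) + TOKEN_TTL
    return f"{expires}.{_mac(email, session_id, expires)}"


def verify_click(email: str, token: str, cookie: str | None,
                 now: float | None = None) -> str:
    """Return 'verified', 'expired' or 'rejected' for a clicked link."""
    expires_s, _, mac = token.partition(".")
    if not (expires_s.isascii() and expires_s.isdigit()) or cookie is None:
        return "rejected"             # malformed link, or no signup cookie
    expires = int(expires_s)
    # The MAC covers the cookie value, so a click from any other browser
    # (a mail-reading bot, a forwarded link) recomputes a different MAC.
    expected = _mac(email, cookie, expires)
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return "rejected"
    if (time.time() if now is None else now) > expires:
        return "expired"
    return "verified"
```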

------
eXorus84
Good luck for your startup with no website. It's very simple and clever.

I started my startup with a website to do a disposable emails service:
mailcare.io It's also available in open source.

------
rcfox
I've always wanted sort of the opposite. I'd sign up to a website, and they
wouldn't ask for a password. To login, they would email a link to click and
I'd be logged in for however long that cookie lasted. Why don't sites do that?

(Is email still considered slow? I remember having wait times in the hours
back in the 90s, but I'm not sure I've ever waited anywhere near a minute in
the past decade.)

~~~
Brozilean
> I've always wanted sort of the opposite. I'd sign up to a website, and they
> wouldn't ask for a password. To login, they would email a link to click and
> I'd be logged in for however long that cookie lasted. Why don't sites do
> that?

> (Is email still considered slow? I remember having wait times in the hours
> back in the 90s, but I'm not sure I've ever waited anywhere near a minute in
> the past decade.)

Tumblr does this at the moment. It asks for either email click or a
traditional username/password setup.

------
lifeformed
Isn't it spelled with two R's? "Guerrilla"? I didn't even notice at first, and
was going to say that it's a hard to spell word for something you have to
manually type in. Now I notice even the service itself is misspelled! Or is it
just this announcement of it that's misspelled?

------
ArtWomb
Nowadays, most require SMS confirmation that "You are indeed a human". And
thus a mobile phone number. Have often considered wiring up something in
Twilio so I can create multiple accounts, etc. But am too lazy to put in the
effort. Perfectly willing to trade privacy for convenience in most cases ;)

~~~
dewey
I wouldn’t say “most”. The sites where you have to verify are probably more
sensitive and not something you’d verify with this service or a throwaway
email anyway.

------
rkagerer
How well will this scale? I know GSuite Gmail accounts are limited to 3600
emails per hour, among other limits.

------
megaman8
What's awesome here, is that he/she's created a solution to a problem that
almost everyone has. It might need a little work, as shown by other comments.
but the core idea is a good workaround for sites that force you to give a bad
email address to get at the content.

~~~
giarc
Is it a problem though for legit sign ups? I find the problem is that when you
click the link in your email, you now have 2 tabs open. One with a verified
login and one without.

------
aogl
A lot of services don't allow +uniqueSection in email addresses anymore; just
bear in mind..

~~~
ixwt
Because it's a gmail address, you can put as many . as you want anywhere in
the name. Gmail strips them out when determining the email address.

~~~
williamdclt
Not as useful as `firstnamelastname+twitter@gmail.com` for example :/

~~~
floatingatoll
Not as readable, but each inter-character spot is a bit, and if you have 11
bits, you can represent 2^11 addresses.

EDIT: Assumes Zero or One periods per bit-gap; if you can chain them, the
sky’s the limit.

~~~
ixwt
I just tested it with a bunch of periods. I got rejected with just two periods
adjacent, and with quite a few more periods adjacent. So only bits. Looks like
it can be used for filtering too.

~~~
dimensi0nal
Dots cannot appear consecutively in the local-part unless quoted.

------
apexalpha
A bit weird to call it a startup but a clever idea!

Maybe Mailinator could implement this autoclicking.

------
mandeepj
Good thought. At the same time, it's a feature; not a startup. Sorry.

~~~
sodafountan
A feature of what?

If this guy can convince people to send him their registration codes and
somehow monetize it he's in business.

------
timmit
it is a geek idea! I like it.

you still get a website?

> I will provide a website to see the inbox of your alias. (maybe for services
> who send your pw in the email, but then you might be better off using other
> established servers.)

> Gmail API is a bit slow so it might take 30 seconds for email to be received
> on my end, keep in mind while testing!

just wondering does it break gmail's terms?

------
desireco42
If you are not making money off of it, why would you call it a startup. It
really is a project of yours.

Thank you for making this though.

------
anant90
Request for feature: Chrome extension: a shortcut fills in
guerillaclick+<random_hash>@gmail.com

~~~
eralpb
great idea, which also warns about the websites it won't work on.

some require session authentication, so bot needs to login and THEN verify.

------
iazid
Can something similar be done with phone number verification?

------
aboutruby
Seems like the perfect one to get one's account stolen

~~~
TeMPOraL
Throwaway/shared e-mail addresses are not for accounts you care about, they're
for working around stupid requirements to register "for free" to access a
resource you need.

------
rajeshmr
Doesn't mailinator (mailinator.com) already do this?

~~~
joewrong
some sites prevent mailinator accounts on signup

~~~
Liquix
Truth. All ephemeral/temporary/one-time mailboxes suffer from the same issue -
once enough people start using it, the website owners take notice and it's
blacklisted.

It'd be nice if you could create temporary <insert reputable domain here>
accounts on the fly. User provides a captcha solve, your service uses this to
create a random account & log in, user can view inbox or click 'open all
links'. This wouldn't work with gmail because of SMS verification but would
probably work on other domains and circumvents the above problem.

------
hernantz
there are alternatives like [http://10minutemail.com](http://10minutemail.com)

------
ReedJessen
Wow. This is a sneaky idea. I love it.

------
bobjordan
Thanks, just spent five minutes modding my webapp to disallow email aliases.

~~~
tobyhinloopen
I will call support to notify them my e-mail (with a + in it) isn't working,
like I have done before. No I don't have another e-mail address. Yes, this is
really my e-mail address.

~~~
kodablah
To be fair, I would assume/hope the implementation is gmail specific and just
truncs the + part only when doing uniqueness validation. Granted its
effectiveness is small.

~~~
__ryan__
This would not account for emails which have a custom subdomain but are still
hosted by gmail, which will behave the same way as gmail with respect to the
"+" sign (I've seen many universities do this).

------
ClassyJacket
Interesting idea!

------
asimjalis
Beautiful.

------
fxfan
Don't worry about providing website.

------
eralpb
For future awesomeness please follow @eralpbayraktar on Twitter :)

Thanks!

