Throttle – Control who can send you email (throttlehq.com)
34 points by metabren on Jan 12, 2016 | 36 comments

This is just anonymizing of addresses. Through your throttle account, connected to a convenient browser extension, you can conveniently generate throwaway addresses which forward to the real inbox. These addresses can be shut down and since they are unique, they identify misuse.

Anonymizing isn't new. For instance Craigslist generates an anonymized e-mail address through which people interested in your ad can contact you. (Of course, if you reply to it, then you reveal your real address.)

People who run their own mail domains do this kind of thing on their own.

I have the following system: the local part of the e-mail address has a four-digit security code. If I give such an e-mail address to some vendor, it serves two purposes: the address bypasses spam checks, so I'm sure to get the e-mail. (Usually transactional e-mails are important and not easy to re-send.) Secondly, I can change the code to shut down senders who abuse the address.

Some banks offer throwaway one-time-use credit card numbers linked to your real credit card. That is very similar to this.

"Of course, if you reply to it, then you reveal your real address"

Do you?

I am pretty sure it redirects everything through the CL email proxy and the only way for them to know your real email address is for you to give it to them (or they guess it from your "Name" which the CL relay copies from your email).

My bad! Sorry!

CL performs a decent, two-way anonymization. When you reply to a listing's anonymized e-mail, your own e-mail address is anonymized (just not your name, which I think comes from your From: header or SMTP envelope address? In any case, you control that).

Furthermore, the originating SMTP paths are mutually concealed by CL. You don't see how the mail arrived into CL, just how it came from CL to you; i.e. it's completely remailed.

Lastly, even the Message-ID is rewritten. The originator's message ID could contain clues about the mail domain and such; CL replaces it with their own.

Quite probably, they strip away the signatures from bodies as well; those could inadvertently leak identity bits.

[Source: I searched my inbox for some CL interactions, several years old, and examined the headers.]


The concept isn't new but the usability is. This was very hard for normal people to do until very recently.

Seems fairly similar to sneakemail[0] (which I have been using for more than a decade), but with more polish. Looks like Throttle's basic service doesn't handle attachments or replying (sneakemail does), which is unfortunate.

0. https://sneakemail.com/

I discovered that when you delete your email address for a week almost all the spam and newsletters disappear. I don't know exactly how it works, but it does. So every couple years I just completely disable my email address for ten days, or whatever, while on vacation.

Everyone who sends email has to be very careful about upsetting email service providers, because they'll mark your messages as spam if they suspect you of misbehavior. Email providers use many metrics, and one of them is the number of bounced emails.

It doesn't take much to be marked as a bad actor, so companies will quickly remove you from their lists if you're jeopardizing their ability to get into the inboxes of their other users.

Source: I've worked at a couple of companies that used email as a significant part of their strategy to keep in touch with users.

Very true. I've used SendGrid and Mandrill for transactional email services and bounces count against your account's reputation.

Most of them will require warming up the account/IP you're sending the emails from in order to increase the quota of emails you can send per hour/day.

I don't know how spammers work, but legit mailing list software/providers will remove an address after a number of soft or hard bounces.

Takes about 5 pages until you get to the little price tag. I wonder how many abandonments they will get. Personally I like seeing the price up front.

And you pay for a year up front at $48! That's surprising.

This product seems like a good candidate for a free trial period. Users will become invested to some degree during the trial and may be reluctant to stop using it.

This has me stopped cold right now. I'd love to check out the dashboard, get a feel for the controls, and see how the digest format fits into my workflow. Right now my options are to abandon or charge ~$50 and ask kindly for a refund if I don't like the service.

There is a pricing link at the top of the page.

Sounds great but I'm nervous to trust personal communications with a company that seems to be so new – what if they fold? I lose all the emails I might be getting sent. Without information about who's behind this, I probably won't sign up.

Not only are they new, they're missing a bit of polish on the site. I'd like to know how it works but the "how it works" link doesn't go anywhere. Their browser extension also failed to install for me.

I like the idea but given the obvious problems and the fact that they want four bucks a month and no trial, I'm inclined to avoid. Shame because I would use something like this.

e: seems like "how it works" is meant to link to the video

I love the concept. In fact, it's somewhat similar to the manual, ad-hoc scheme I've been using for years. It's always interesting to see exactly who is leaking your email address to spammers (whether intentionally or otherwise).

Edit: It does have the slight downside to making some human conversations awkward. "Just to confirm, the email address we have for you is... wait, what?"

I like the browser plugin here which lets you generate these e-mails easily.

An open source version would really be handy for people who host their own domains.

I could use a Firefox extension which lets me click next to some e-mail field to generate an address by talking to some web shim on my server at home, which generates the alias and binds it to my e-mail address via /etc/aliases, and restarts Exim.

The generated e-mail could actually be a cookie which contains not only some random ID but an encoded version of the domain name of the site against whose page it was generated. So later, when that address is being abused, you can tell where it came from without looking up any association in any file or database.

The video on the landing page doesn't play properly and surprise surprise it's Vimeo. People need to stop using Vimeo, they have incredibly bad service.

I have had problems with Vimeo for years now across multiple desktops, multiple browsers, multiple mobile devices in multiple locations (across Europe and Australia). It happens on both popular videos and videos in the long tail which aren't being linked to at that moment by popular sites. It happens on free Vimeo accounts and on premium Vimeo accounts. I give Vimeo a pass when YouTube HD videos aren't working either but most of the time YouTube HD videos are working just fine on these connections and it's just Vimeo can't stream video reliably.

In this case the video wasn't even full motion, the background is static and the keyframes and audio should have been a large slice of the bandwidth. But it was stuttering at the start and now even after letting it load in the background on a 70Mbps connection while typing this comment it's still stalling near the end of the video. What are the Vimeo alternatives besides YouTube?

Am I missing something? Why not just create a filter that permanently deletes or marks emails from a certain sender as spam?

That doesn't catch the cases where the sender uses a different From: address, or shares your email address with third parties.

Ah, I see. Looks promising then!

Because that is a spam-fighting approach that, by itself, last worked well in 1993.

I was thinking about a similar service. What would be different is that I would give the user a subdomain and redirect all incoming traffic on the SMTP SSL port to the connected client. I would give the user access to get an SSL cert from Let's Encrypt.

All this would give something better than a promise that I would not look at private emails, but I would have to build a client application that would be an SMTP server inside, handling LE automatically and all other seemingly unrelated things.

The main use would be to use unique addresses generated by the application for registration purposes.

I don't know who wants to send me e-mail.

No idea how it works (can't watch a video where I am and it isn't explained anywhere else), but it does seem to consolidate a few useful features that I currently get elsewhere:

- Combine mass mailings into a single daily digest email (Unrollme)

- Find out who tries to sell your email address (Using email+website@gmail.com)

To achieve the same cheaply and without lockin, simply have your own domain with a catch-all email forwarding to your real email address. Then always give out your email address for a specific site as <site>@yourdomain.com.

Yes, but this is a pain to administer. Do you have some nice tools for generating these addresses and putting them into effect in the back-end which underlies your domain, without having to whip out an SSH client, logging in to some server, editing files and re-starting services?

I have my own "yourdomain.com". I pay to keep it registered and keep a server running also. Most people don't have this; their mail domain is "gmail.com" or whatever. Sure, a lot of problems could be solved if everyone just had their own domain!

Speaking of "gmail.com"; I'm surprised Google doesn't just make this a feature of gmail. It would be fairly trivial for them to implement for the benefit of all gmail users.

It's already a feature of gmail. Just add "+whatever" to the username and it will still route to you, e.g. use "john+sketchysite.com@gmail.com" when you sign up at sketchysite.com.

Occasionally you'll run into a form with broken email validation that won't let you use a + character, but I've been doing this for years and it works the vast majority of the time.

Because this is implemented by a major, very popular e-mail provider, it effectively reveals your real e-mail address to spammers, who can just look for this pattern in any address in the '@gmail.com' domain and strip away the + part. It will keep only the "honest" bulk mailers out of your inbox, not hard-core spammers.

This type of thing can work, but only for a small-time service provider whose plaintext encoding scheme is not widely known. (Security through obscurity.) Even the hard-core spammers won't sift through millions of e-mail addresses to crack some plain text scheme that is used by two or three of them.

Also, you need the option to permanently destroy one of these, so that you never see mail from it again. No filtering bullshit. Google should control the exact set of anonymized addresses attached to your account. When you destroy any one of them, any further attempt to send to it should result in a non-delivery notice (SMTP bounce).

I have been running this setup for years without any administration. Email forwarding tends to be included from your domain registrar so no server is necessary. You don't need a tool to generate the addresses as you can make them up as you go along.

What do you mean you can just make them up as you go along?

Suppose I have two users in my domain: bob@mydomain, alice@mydomain.

How can alice just make up a new @mydomain address which goes to alice@mydomain? Okay, that part is simple: we can have an entire space of these generated by a rule, like gmail's addr+whatever@gmail.com.

But then how does alice invalidate such an address that is misused?

I want it so that any address that is not valid generates an SMTP bounce; I don't want an infinite space of aliases that map to an address to all be considered valid, but a specific set, controlled by the user. When an element is removed from that set, then further attempts to send to it generate SMTP bounces.

Furthermore, I want it to be completely anonymized, just like Throttle are doing, as in:

   <random-chars>@mydomain -> alice@mydomain

The text "alice" doesn't appear in the plaintext anywhere, and cannot be reversed out of the local part.


To solve one of these problems, what we can do is assign to each user some random identifier of fixed length, from which further addresses can be generated. For instance alice@mydomain also gets "xZa3f@mydomain" when the account is created. To this local part, arbitrary characters can be appended: "xZa3f4abPspamming.dickheads.com@mydomain" such that this still routes to alice@mydomain. Doesn't handle the SMTP-level invalidation requirement though.
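Added example, not part of the thread or of Throttle's code: a sketch combining the two ideas raised above, an alias whose local part carries the encoded site name so its origin can be read back without a lookup, and an explicit per-user set of valid aliases where a revoked one gets an SMTP 550. The names `AliasTable`, `origin_of`, `SERVER_KEY` and `mydomain.example` are hypothetical, and the site name is base32-encoded and authenticated with an HMAC tag, not encrypted.

```python
import base64
import hashlib
import hmac
import secrets

SERVER_KEY = b"constructed-demo-key"  # assumption: secret known only to the mail server
MAIL_DOMAIN = "mydomain.example"      # assumption: stands in for "mydomain" in the thread

def _b32(data: bytes) -> str:
    # Base32 is case-insensitive, so it survives sites that lowercase addresses.
    return base64.b32encode(data).decode().rstrip("=").lower()

def _tag(rid: str, origin: str) -> str:
    mac = hmac.new(SERVER_KEY, f"{rid}.{origin}".encode(), hashlib.sha256)
    return mac.hexdigest()[:8]

def origin_of(address: str):
    """Recover the site an alias was issued to, with no table lookup."""
    parts = address.split("@")[0].lower().split(".")
    if len(parts) != 3:
        return None
    expected = _tag(parts[0], parts[1]).encode()
    if not hmac.compare_digest(expected, parts[2].encode()):
        return None  # not an alias this server issued, or it was altered
    padded = parts[1].upper() + "=" * (-len(parts[1]) % 8)
    return base64.b32decode(padded).decode()

class AliasTable:
    """The explicit, user-controlled set of valid aliases."""
    def __init__(self):
        self.active = {}  # local part -> real mailbox

    def create(self, mailbox: str, site: str) -> str:
        rid, origin = _b32(secrets.token_bytes(5)), _b32(site.encode())
        local = f"{rid}.{origin}.{_tag(rid, origin)}"
        if len(local) > 64:  # SMTP limit on the local part
            raise ValueError("site name too long to embed")
        self.active[local] = mailbox
        return f"{local}@{MAIL_DOMAIN}"

    def revoke(self, address: str) -> None:
        self.active.pop(address.split("@")[0].lower(), None)

    def rcpt_to(self, address: str):
        """Decide the RCPT TO reply: 250 and the mailbox, or 550."""
        mailbox = self.active.get(address.split("@")[0].lower())
        return (250, mailbox) if mailbox else (550, None)
```

The origin stays readable after revocation, so a leaked alias can still be traced to the site it was given to.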

If it's my own domain (probably not unusual among the HN crowd), I would sign up to e.g. kazinator.com by 'inventing' an email address kazinator@mydomain.com, which is forwarded to my gmail through a catch-all email forwarding setup with my domain registrar. Emails to kazinator@mydomain.com now arrive at my gmail and hence it's easy to block email (e.g. spam) arriving to this email address as well as knowing who leaked my email address to third parties.

As people have pointed out, it now seems possible to use the + functionality of gmail which I was not aware of, but the above setup avoids the issue of forms not accepting + in a valid email address.

This only works with a catch-all email forwarding as I mentioned, so if you want bounce on non-valid addresses it will not work, but like I said it has served me very well.

gmail actually is set up to handle this. You can append +<text> to an address to create a targeted one-off (so if your address is me@gmail.com, you could do me+site1spam@gmail.com). Of course you then have to set up a filter on the gmail side to label it/send it to spam if intrusive.

The problem with this solution is that many email harvesting widgets incorrectly see +xyz as invalid, even though it satisfies the RFC just fine.

It's been around forever but a basic free way to mask your email address is Spam Gourmet https://www.spamgourmet.com/index.pl

Great, but they seem not to have plans to create recyclable emails for person-to-person communication, which is sad.
