Hacker News new | comments | ask | show | jobs | submit login
Ask HN: Please review my node.js fun project: Selfdestructing email aliases. (tempalias.com)
41 points by pilif on Apr 23, 2010 | hide | past | web | favorite | 31 comments

Also have a look at my blog where I link to a series of post about the creation of the service from the initial idea to the final push live:


The project took 44 hours from start to finish and it's both a nice study in node.js and of actual use for the public (I hope)

Nice series of posts, would like to see more similar articles on HN.

Well... I love to write, but I tend to be way too wordy.

I feared it was way too long all in all - which is why I bolded the IMHO more interesting posts in the announcement blog entry.

This is a very interesting system, and I can see myself using it frequently for things like throwaway email addresses for forums, required registrations, and other things.

However, I would want to know that security issues as mentioned elsewhere in the thread were addressed before hand. Especially using it for throwaways for websites, which will often involve a short term password, you don't wnat someone else to be able to create that alias and then reset my password and compromise my account.


Update: The issue is now fixed. No ID will ever be given out twice any more while still keeping the garbage collection working correctly and deleting aliases.

SETNX is great :-)

This fixes issue #7 (http://github.com/pilif/tempalias/issues/closed/#issue/7)

If you are really concerned about the privacy issues, grab the code and run it yourself somewhere, which wouldn't be a bad idea anyhow; if you're that concerned about privacy you shouldn't be relying on any external email service.

Looks pretty neat! Tried it out and took a quick look at the code. If I ever need a temp alias I will definitely use this. But, one thing I didn't find any info about anywhere.

Do you keep track of the deleted alias "keys". That is, if I create a mail and the key is m4m2 or whatever, I want to make sure that m4m2 will never ever lead to someone else (as well as not to me). If i register an account somewhere I obviously never want the mail going to the alias to end up at someone else either.

ok. This issue is fixed now - a bit of thinking has shown me that it's way easier to implement than what I have first thought of.

Thanks for reporting this and happy tempaliasing :-)

That's an interesting point. Right now I'm not keeping track of used aliases and I'm even pruning used ones after some time. You are right though. I should fix that, even though it's not likely that the same ID is given out twice.

Edit: Reported as Issue #7: http://github.com/pilif/tempalias/issues/#issue/7

Great project! I'll be using it for sure.

I noticed that on the privacy page you use plural pronouns like "our" and "we", even though it seems from this post that it's just you. I used to do that too with my personal projects. I've tried to stop, but only been half successful. So now most of the stuff I write is about half and half; which just confusing really.

yeah. I might actually have made the same mistake. I'll be going over this during the weekend.

Just a couple nitpics:

1. Redbot doesn't like some of the http headers: http://redbot.org/?uri=http://tempalias.com/ Content-type should be "text/html; charset=utf-8 ". Why the keep-alive connection?

2. It feels like the home page is rendering slowly.

Thanks for the feedback. Most of the problems are related to node-paperboy. I'll look into this and submit patches upstream.

edit: Fixed all the stuff that's not in node-paperboy (that will take a while) - mostly the compression related issues. I didn't know about redbot, otherwise I would have checked before submission. The remaining issues are reported as issue #8: http://github.com/pilif/tempalias/issues/#issue/8

502 Bad Gateway. Too much selfdestruct?

An invalid HTTP request it seems:

    Error: Parse Error
        at Stream.ondata (http:533:30)
        at IOWatcher.callback (net:357:31)
        at node.js:749:9
how the hell would I catch that one - somewhere deep inside node's HTTP library? It's restarted now.

edit: I've added an uncaughtException listener so it should at least keep going. Exception handling in asynchronous code is really hard. Above exception never even reaches my own code.

This error happend to me when I upgraded to 0.1.91. I didn't look into it, but I suspect the error is caused by/in node-memcache [http://github.com/elbart/node-memcache]

I'm not running node-memcache, but node-redis-client and this is an issue in the parser that parses incoming requests - probably malformed ones of people trying stuff out.

Incidentally, the first crash was the moment after I submitted this on reddit, but this might really be a coincidence

It reminds me of a similar service many years old, which eventually got shut down by the authorities because some very bad people was using he's service.

I can't remember the name of the guy or the service, but you should be careful such a service.

Other than that, it's really cool and useful!

well... it's hosted in switzerland which usually has friendly authorities in such matters. Additionally, I'm not logging anything.

But it's a fun project after all - the second I get an official complaint, it's gone.

In the mean time, my next step would be to implement a bookmarklet that fills out any field on any form on any webpage so that you don't even have to manually go back to the tempalias.com site.

This is great. I've used a few temporary email address websites in the past but they all seemed to have very flaky web interfaces for actually reading the email messages.

exactly. They make you watch their ads.

Thankfully, I don't need the money I could suck out of such a service due to a very nice day-job, so I can actually provide the service I consider to be optimal without constantly thinking about a bottom-line.

This also means that I will be able to improve this even more by, say, providing a bookmarklet so that you don't even have to come back after creating your first alias.

Didn't have much time to actually check it out, but the "What is this good for?" link on the front page doesn't seem to be working for me (Chrome Dev Channel on Win7).

yeah. it's the same link as about. I fixed it just now.

I had to change the ajax/hash based url schema to match Google's proposal here: http://googlewebmastercentral.blogspot.com/2009/10/proposal-... and I seem to have overlooked that one link.

Feels like a less anonymous version of mailinator.com. Forwarding to my own email is a very useful feature if I'm not so concerned with privacy.

Have a look at my privacy page (http://tempalias.com/#!/privacy). Do you find something that's not to your liking? Are there still concerns left? I'd gladly update the privacy page.

Also, the code is open. If you want, you can even register your own domain and run thing thing yourself.

The crux of the privacy concern is that it doesn't matter what you write on your privacy page as people have no way to make sure you live up to it. If I wanted an email address that couldn't be traced to me, then this sort of service will never suffice. Then again I don't imagine that is your target market or intended use.

edit: I just want to add that I think it looks really useful for all those cases when privacy is a lesser concern, and I've bookmarked the site for future use.

Well... this is not as much about hiding your address as it is about making sure that you don't get spammed much later after registering for a site.

Still: I am not logging alias resolution. The SMTP-Server is not logging a thing. Insofar, if authorities would ask me to give them data, I plain couldn't if the alias has expired by then.

If the alias is still valid, then of course, I would have to comply, but see my first point.

So now it's gone.

Why does it matter if someone reported you? Was your ISP threatening to shut you down?

they were. But this was a bad coincidence - I just now got an email for a SPAMHAUS request from 2006 where I was not in fact even a customer from that ISP.

This was an overreaction of mine, but the machine is a VM my company has gladly provided for me, so I wanted to err on the safe side.

next project for you -> make this a firefox / chrome / IE extension that auto-generates fake email aliases into any sign-up / login email field, and some way to track what's been done to with the fake emails you used.

I'm getting "502 Bad Gateway"?

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact