Mailinator.com: Anatomy of a Spammy Campaign (mailinator.blogspot.com)
144 points by zinxq on July 15, 2018 | hide | past | favorite | 74 comments



I love these kinds of writeups about services which are like plumbing for the web. If it wasn't for mailinator, managing my inbox would be a chore. I use it all the time, although there is a panoply of others to use and I suffer from disposable inbox fatigue (just as bad as suffering from an overflowing inbox).


One of the more underappreciated features of Mailinator is the fact that they’ll take any mail sent their way, regardless of the email address domain. This means that, if @mailinator.com is blocked for a given site, you can use any number of aliases for it and still get through (my personal favorite is @devnullmail.com), or you can even set up an MX record pointing at Mailinator and effectively use a custom domain.


Using mail.mailinator.com as the MX record is something that almost all tools check to ban disposable email addresses. The only real thing that works for them is to renew their domain pool as fast as they can. In our service at https://apility.io we check for MX records of very well known DEPs, and we also crawl the web to try to keep an up-to-date list of these domains.
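The MX-based check this comment describes (and that the thread returns to below, where a renamed MX host that still shares Mailinator's IP is suggested as an evasion), as an added example that is not apility.io's or Mailinator's code. Everything except the host names mail.mailinator.com and mail.streetwisemail.com is constructed: the DNS tables, the RFC 5737 placeholder IPs and the resolver interface; swap the fake resolvers for real lookups such as dnspython's `dns.resolver.resolve(name, "MX")` and `resolve(name, "A")`.

```python
"""Flag a signup address as disposable from its domain's MX records:
first by MX host name, then by the IP the MX hosts resolve to, which
survives a mere renaming of the MX host."""
from typing import Callable, Iterable

Resolver = Callable[[str], Iterable[str]]

# Known disposable-provider MX hosts and the IPs they resolve to.
# Only mail.mailinator.com comes from the thread; the IP is a placeholder.
DISPOSABLE_MX_HOSTS = {"mail.mailinator.com"}
DISPOSABLE_MX_IPS = {"192.0.2.10"}

# Constructed DNS data so the example runs offline.
FAKE_MX = {
    "mailinator.com": ["mail.mailinator.com."],
    "devnullmail.com": ["MAIL.MAILINATOR.COM."],         # alias domain, same MX host
    "streetwisemail.com": ["mail.streetwisemail.com."],  # renamed MX host, same IP
    "example.com": ["mx1.example.com.", "mx2.example.com."],
    "nomx.invalid": [],                                   # domain with no MX at all
}
FAKE_A = {
    "mail.mailinator.com": ["192.0.2.10"],
    "mail.streetwisemail.com": ["192.0.2.10"],
    "mx1.example.com": ["198.51.100.1"],
    "mx2.example.com": ["198.51.100.2"],
}


def fake_resolve_mx(domain: str) -> list[str]:
    return FAKE_MX.get(domain, [])


def fake_resolve_a(host: str) -> list[str]:
    return FAKE_A.get(host, [])


def normalize_host(host: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return host.rstrip(".").lower()


def domain_of(address: str) -> str:
    """Extract and normalize the domain part of a single mailbox address."""
    if address.count("@") != 1:
        raise ValueError(f"not a single mailbox address: {address!r}")
    domain = normalize_host(address.rsplit("@", 1)[1].strip())
    if not domain:
        raise ValueError("empty domain")
    return domain


def mx_hosts(domain: str, resolve_mx: Resolver = fake_resolve_mx) -> set[str]:
    return {normalize_host(h) for h in resolve_mx(domain)}


def is_disposable_by_mx_name(address: str, resolve_mx: Resolver = fake_resolve_mx,
                             blocklist: set[str] = DISPOSABLE_MX_HOSTS) -> bool:
    """The simple check: any MX host for the domain is a known disposable MX host."""
    return bool(mx_hosts(domain_of(address), resolve_mx) & blocklist)


def is_disposable_by_mx_ip(address: str, resolve_mx: Resolver = fake_resolve_mx,
                           resolve_a: Resolver = fake_resolve_a,
                           ip_blocklist: set[str] = DISPOSABLE_MX_IPS) -> bool:
    """The stronger check: an MX host resolves to a known disposable-provider IP,
    so renaming the MX host without moving it does not evade detection."""
    for host in mx_hosts(domain_of(address), resolve_mx):
        if set(resolve_a(host)) & ip_blocklist:
            return True
    return False


if __name__ == "__main__":
    for addr in ("u@mailinator.com", "u@DevNullMail.com", "u@streetwisemail.com",
                 "u@example.com", "u@nomx.invalid"):
        print(addr, "by name:", is_disposable_by_mx_name(addr),
              "by ip:", is_disposable_by_mx_ip(addr))
```

The name check alone misses the renamed streetwisemail.com MX, while the IP check catches it and still clears a domain with no MX records.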


> we check for MX records of very well known DEPs

This is one of the most pointless anti-abuse measures you could implement, since a Gmail account can be created in about 20 seconds with no identifying information.


Is that still true these days? I was under the impression they required a phone number now, or something else "real-world" to tie to.


I've created 3 new Gmail accounts in the last year and I've never been forced to enter my phone number. Either it's a myth or the rule magically never applies to me.


Lots of Google rules don't apply to specific, known-to-google "mes".

Google knows who you are by your devices, IP addresses, browser signatures, cookies, and other metrics. They don't need to verify your identity anymore, in fact they could probably tell you things about yourself that you don't even know.


I'm going to guess it's the latter. I'm unable to log into some of my existing gmail pseudonymous aliases because google refuses to let me log in without providing a phone number (ostensibly for my own security, IIRC to enable 2fa, even though it doesn't make any sense).


An existing email account is something worth protecting. It's OK to allow a few extra false negatives while signing up, compared to accessing an existing account.


Wouldn't it be up to me to decide if I want to enable 2fa?

Provided Google has a lot of info about me, they can probably tie those accounts to me anyway, but I'd rather not formally associate them with my public identity.


I tried to create a secondary email address on Gmail and Outlook.com and they both required me to enter a phone number.

Ended up using Protonmail instead, which allowed me to register with username and password and nothing else.


There's some sort of complex formula that determines whether you need to provide a phone number, based on how many accounts have been recently created from your device, IP, etc.


So if you use a VPN or proxy, would it be more likely to cause the SMS check to trigger?


IIRC, and my memory of it is faint, they don't seem to require a phone number if they can otherwise identify you. For example, try it via a VPN or Tor.


> Anti Abuse API

Why does your company consider disposable email addresses abusive?


Some people use DEA to abuse trial services of SaaS, for example. They register again and again after the trial has expired. These users consume resources but they never effectively become customers. Some companies ban users using DEA, anonymous proxies, TOR, VPNs... or even Free Email addresses (the conversion rate of a user registered with his or her company email, compared to a Free Email address (gmail, hotmail, protonmail...), is much higher).


But no one stops you from getting a domain and effectively creating infinite email addresses to register.


Do you still lock your doors at home, even though a thief could simply throw a rock through your window?


You effectively have unlimited (not infinite) e-mail addresses with Gmail and many other e-mail providers by using the + sign. E.g. fibers+HN@gmail.com


I am well aware of that feature gmail has and have abused it in the past with many websites, but the parent said that some SaaS platforms block gmail altogether. It seems like a shoddy fix if you can get a really cheap domain and essentially do the same to register accounts.


Yeah, it's like putting extra locks on the front door while the back door is wide open. However, most people would try the front door first.

A lot of domains have that feature btw. Gmail's specific feature is with the dots functioning as catch-all [1] (though Facebook apparently has the very same feature).

[1] http://www.slate.com/blogs/future_tense/2013/08/01/dots_in_g...


Except sites that mistakenly disallowed the + symbol.

Also, it's very easy to mechanically identify all such users because of the + symbol, which, if you are trying to prevent your real email address from being revealed, means it's not that useful...


Presumably they don't block [.] however, and since gmail ignores it, you can always just use t.estexample@gmail, then te.stexample@gmail, etc.
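Canonicalizing addresses on the signup side, so that the + tags and dot variants discussed in this sub-thread all map back to one mailbox, as an added example that is not code from any service named here. Which providers ignore dots (the thread names Gmail) and which honour + sub-addressing are configuration in the tables below and are illustrative; the signup list is constructed.

```python
"""Fold provider-specific address variants to one canonical form so a
signup system can count user+tag@ and u.s.e.r@ as the same mailbox."""
from collections import defaultdict

# Providers whose local part ignores dots (Gmail, named in the thread).
DOT_INSENSITIVE = {"gmail.com", "googlemail.com"}
# Providers that deliver user+tag@ to user@. Extend from your own data.
PLUS_SUBADDRESSING = {"gmail.com", "googlemail.com", "fastmail.com"}


def canonicalize(address: str) -> str:
    """Return the canonical mailbox for a signup address; ValueError if malformed."""
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"not a single mailbox address: {address!r}")
    local, domain = address.rsplit("@", 1)
    domain = domain.lower().rstrip(".")
    # RFC 5321 leaves the local part case-sensitive, but every major provider
    # treats it case-insensitively; folding it is the right call for dedup.
    local = local.lower()
    if domain in PLUS_SUBADDRESSING:
        local = local.split("+", 1)[0]       # drop the +tag
    if domain in DOT_INSENSITIVE:
        local = local.replace(".", "")       # dots carry no meaning here
    if not local or not domain:
        raise ValueError(f"empty local part or domain: {address!r}")
    return f"{local}@{domain}"


def group_signups(addresses):
    """Map canonical mailbox -> list of raw addresses that fold to it."""
    groups = defaultdict(list)
    for raw in addresses:
        groups[canonicalize(raw)].append(raw)
    return dict(groups)


def duplicate_signups(addresses):
    """Only the canonical mailboxes that appeared under more than one raw address."""
    return {canon: raws for canon, raws in group_signups(addresses).items()
            if len(raws) > 1}


# Constructed signup list mixing the tricks mentioned in the thread.
SAMPLE_SIGNUPS = [
    "fibers+HN@gmail.com",
    "t.estexample@gmail.com",
    "te.stexample@gmail.com",
    "TestExample+trial2@gmail.com",
    "user@example.com",
    "us.er@example.com",          # example.com is not dot-insensitive: a distinct mailbox
    "bob+ikea@fastmail.com",
]

if __name__ == "__main__":
    for canon, raws in duplicate_signups(SAMPLE_SIGNUPS).items():
        print(canon, "<-", raws)
```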


Regarding the former, my ISP allows me to set forwarding email address. I could temporarily use these until X date or until they receive (a lot of) spam. Though all spam gets filtered anyway.

Regarding the latter, when they email you directly without the + you can be very strict. You could even apply whitelisting.


Virtually no one does this. If their own laziness is enough of a hurdle for them to not bother, I'm fine with that.


Actually I do. I bought a domain of my shortened initials and this domain catches all the emails sent to it. Every entity gets a custom address: bank@my-in.com, ikea@..., etc.

It's very useful.


I use Fastmail's subdomain addressing [1] to sign up for services in a very similar manner. I'm certainly sympathetic to bad services abusing the privilege of having your email address. My contention is that while this is the purported benefit of mailinator.com, in reality many people use it to abuse services.

In other words, there's a big difference between using ikea@ and saastrial1@, saastrial2@, saastrial3@, and so on to keep signing up for trials with the same SaaS provider.

[1] -- https://www.fastmail.com/help/receive/addressing.html


It's really a shame when online services make overly broad generalizations like this. I use disposable email addresses for all of my services, because they are the most effective way I've found to manage spam. (They also have the side benefit of a little added security when someone hacks Site A's account database and tries to use the email addresses to log in to Site B.) When a potential provider tries to coerce me into exposing my keeper address, it signals to me that they (a) put their own convenience before my security, and (b) don't have a particularly good understanding of the internet. For both those reasons, I take my business elsewhere.

Even worse are the sites that happily accept disposable email addresses and claim to send a verification message, but never actually send it. This wastes my time with rummaging through spam filters and polling my inbox, wastes their time when I contact support to find out wtf is going on, and is generally just (c) a terrible experience.


In my opinion, you're doing things backwards.

Your modus operandi means you cannot share your e-mail address, whereas my spam filter is so good that the amount of false positives and false negatives is negligible.

> (They also have the side benefit of a little added security when someone hacks Site A's account database and tries to use the email addresses to log in to Site

Using a password manager plus randomly generated, complex passwords mitigates that problem entirely insofar that your accounts can be used on different websites.

Both our solutions do not mitigate the doxing issue. A way to deal with that is removing your personal details whenever they're unnecessary (e.g. changing/removing them after you ordered something). Artifacts might still remain though, and faking them is probably illegal. It can lead to issues as well. My mother always gives a fake DOB akin to her own when she doesn't trust it, or gives a slight variant of her name. Then she knows something is wrong. Pretty clever, esp before this century.


> Your modus operandi means you cannot share your e-mail address

Of course I can. I don't know what you're getting at.

> Using a password manager

Doesn't solve the spam problem (which is what we're discussing here and the focus of my comment), and introduces its own problems.


> Of course I can. I don't know what you're getting at.

I was referring to it as an adaptation of the way I do it.

Your way of doing it is introducing another hop/point of failure and either adds a subscription, or having your addressed e-mail public.

> Doesn't solve the spam problem (which is what we're discussing here and the focus of my comment), and introduces its own problems.

I don't have a spam problem. Get an ISP or mail provider with some decent filters. Mine's been stopping spam since the '00s or something. Sometimes the spammers caught up, but only very temporarily. I don't have a spam problem. I use the + to figure out how people (i.e. marketeers/bots) got my e-mail address.

Also, a password manager does not introduce any meaningful problems.


> They register again and again after the trial has expired

This is great! You have users who are using your product, how could you not be happy? Find out why they are not converting, perhaps your offer isn't that great for their demographic? Note that even if they didn't pay to your service, they may be your biggest fans who may recommend your product to other people. DEA users are usually tech-savvy types, they are also the kind of people who are the early adopters when it comes to tech (since they were able to figure out how a DEA works & how to use one), and are probably the ones who normal people go to get advice. Don't forget that even if not a paying customer, they are still a customer in the sense that they could review your service or refer others through word of mouth! If you're blocking DEA services, it may end up costing you more.


That's a whole lot of "what ifs". I'd rather just block people that are consuming resources and potentially affecting service levels for actual customers (or people that will actually convert). The situation you paint might be true of a very small percentage. But more often than not it's just people that want to use something without paying for it.


> want to use something without paying for it.

So don't let people use your services without paying! A trial is only a trial if it locks or stops the user from using it after a trial period. Freemium models that limit the number of uses aren't a trial.


The trial does stop the user from using it after a trial period. If you want to fault anything, it's using an email address to equate to a user. Fine. I'm guilty as charged. But, it's pretty common. Most legitimate users of a service want as frictionless a setup as possible.

Ultimately, my solution was to start requiring a credit card at sign-up. Shockingly, not a single mailinator.com address was used from that point forward and my conversion rate barely changed. But, it sucks I had to do that. There were people that legitimately wanted to try the service out that were put off by requiring a credit card so early. I personally hate providing a credit card for a service I haven't even tried yet.

I appreciate your reply, but I think it's an entirely toxic mentality. My business model isn't freemium because you could game the trial process (and violate the terms of service). And I shouldn't have to grossly restrict the trial to deal with mailinator.com sign-ups. Say what you will about mailinator.com, but it was hands-down the largest source of abuse of my CI-like service. Everyone else played by the rules and enjoyed a liberal trial to get familiar with the product.


Why not make the whole business model "pay what you want"?


Tons of trolls use disposable email addresses to register multiple accounts for forums and similar to harass others. I block most of the popular mailinator domains for my larger public forums (200k+ users).


As I mentioned elsewhere in the thread, I never understood why they don't just obfuscate the MX names.

A service like yours would certainly have no trouble noticing the fact that the MXes all have the same IP address as Mailinator, but, right now, anyone can just do a lookup and simple string comparison themselves, without paying.


For Mailinator, and I’m guessing others, you can also just check the inbox.


Check which inbox for what? For a new disposable address, presumably no "inbox" even exists until the first e-mail message is delivered to it.


Congratulations, you are contributing to making the internet a worse place for everyone. How did you come to work for a company that's this blatantly abusive?


Do you block Abine[1]?

[1] https://www.abine.com/index.html


If spammers’ IPs are so widely spread out, then doesn’t it make most IP based RBLs fairly pointless? Or worse, more likely to get false positives?

Sending legitimate email becomes increasingly frustrating, yet spammers still find their way to our mailbox.


Non spammers send from a consistent pool of IPs and domains that don’t send crap. By contrast, spammers either send high volumes of crap from a small set of IPs and domains, or they spread a single content pattern over a wide diversity of IPs and domains that do not have a good track record.

So long as you can keep track of literally billions of counters in real time, you can effectively combat spammers.

Source: MailChannels CEO


For anyone that's interested, fraud detection is a pretty big use case for graph databases[1].

[1] https://neo4j.com/blog/fraud-prevention-neo4j-5-minute-overv...


Except they're not. The vast amount of spam comes from a few IP blocks who are so-called "liberal" in their spam policy. That is to say, they're spam paradises and earn their money from those shady customers while the vast majority of the world blocks these. Not via police force, mind you, but via network/sys admin force.

The rest of the spam is done using compromised computers but once that's done the ISP of that provider gets quickly noticed and either the ISP blocks that customer or they themselves get blocked wholly due to their inaction. So they choose eggs for their money (as the Dutch saying goes).


IPs aren't marked as spam forever; it's easy to get delisted from DNSBLs if you aren't continuing to send spam.


The theory says it's easy to be delisted, but some very large Telcos have given up and they don't try to be delisted anymore. This task can be very time consuming and they only focus on prefixes of their static pool or business services. For example, prefixes of Telefónica de España have been included in Spamhaus Zen for a while: https://www.spamhaus.org/zen/.

Mailinator is a hack to workaround the spam flood. But for trustable business, the anonymity of the disposable addresses is a big problem because it is not possible to start a marketing process (if you register for a trial, for example, you should be "paying" with your email to let the company start a marketing process. Marketing for a service you have registered is not spam...). More and more companies deny registration from Disposable Email Addresses. Because these users are worthless.

Spam is a plague that hurts good users and trustable business.


> if you register for a trial, for example, you should be "paying" with your email to let the company start a marketing process.

Sympathetic customer fallacy. Figuring out how to get new paying customers through the door is not the problem of everyone who considers trying your product. Expectations that trial users should "pay" by taking on the burden of having to tell your marketing department to go away if they aren't interested enough to buy it on their own initiative is reality denial. Obviously people aren't going to do that, and spending effort trying to "disposable-email-proof" your trial system is a bottomless pit into which you will pour money for all eternity. People are actually paying money to the disposable email companies to have them actively combat you. You will never complete that project and you will never be able to stop spending on it.

Ideally your trial is persuasive enough to have a steady trickle of people decide to buy the full product, but not so generous they feel that they'll get the full experience by cycling disposable email addresses. Finding that balance is the responsibility of your business, no one else will change their behavior to do it for you. If you can't find it, maybe that's a sign that you've made a product that maps poorly to sustaining a business. One might call this the "bittorrent inc" strategic mistake.

Always remember to stay grounded in reality.


100% agreed.

One of the things that I think people have a hard time grasping is that for a lot of software, the marginal cost of a user is approximately zero. People get stuck in a scarcity mindset and get really upset at the notion of freeloaders getting away with something.

This is in sharp contrast to the abundance mindset you see in most open-source software. How many people are Linux freeloaders or Mozilla freeloaders or Gnu freeloaders? Hundreds of millions, and once you count devices, maybe billions. But as long as those outfits can pay the bills, they don't care.

The funny part to me is that so many people trapped in scarcity thinking only care about getting paid, not paying others. How many of those people trying to capture every dollar of generated value are using open-source tools in what they're selling without giving back? Most of them, I'm sure.


This is a fantastic summary, thank you! I use disposable mails all the time, and any company that refuses to accept them either gets a bogus hotmail account or (more likely) loses a chance to show me what they've built. Otoh, if I want their messages I will leave an address willingly - not my main address of course, but an alias.


Calling something a “fallacy” is the fallacy fallacy: a mistaken belief in the authority of a made-up concept.

In this case, certain norms of conduct in business do exist, and they do often serve all market participants, and businesses have every right, and often succeed, in enforcing them.

I’m not sure about the specific example here, as I happen to live in a jurisdiction where it’s illegal to follow up on a trial subscription with endless marketing emails. But, as just one example, cancelling an appointment you can’t keep is not just “sympathetic”. It’s basic manners, it improves life for everyone (including you), and nobody would be surprised that not following the norm could get you banned.


> In this case, certain norms of conduct in business do exist

Rejected. You don't get to declare norms by fiat, sorry.

> It’s basic manners, it improves life for everyone (including you), and nobody would be surprised that not following the norm could get you banned.

Manners are for humans to humans. I don't feel the need to be polite to a trial subscription system. It's a piece of software, it won't feel bad if I don't respond to its mails later on.


> Marketing for a service you have registered is not spam

From a legal standpoint, this is broadly true, but I'd say from a user's perspective, this is only very narrowly true.

For example, if I'm receiving an advertisement for a product that I "freely" trialed but subsequently rejected, I perceive it as spam.

Reputable companies provide an "unsubscribe" feature that actually works, but it's impossible to determine a priori which companies those are, and, more importantly, if they'll still be that way when that first e-mail arrives.

Really, the most trustworthy behavior would be to assume I'm consenting to precisely one follow-up email regarding my free trial, rather than an open-ended subscription. Until that's either industry standard or regulated (in a way where individuals can easily recover money damages), then I'm still using disposables at first contact.

> More and more companies deny registration from Disposable Email Addresses. Because these users are worthless.

Encountering a company like that, I assume they believe the second assertion to be true because the sole value of the users is as advertising eyeballs due to the product trial itself demonstrating no value. In that case, I don't bother.

I will, however, usually make at least a modest effort to try a few non-Mailinator disposables.

Although Mailinator has alternate domains, they've made themselves very easy to block, because a simple DNS query reveals the MX to be mail.mailinator.com. Just one more level of obfuscation (e.g. making the MX for streetwisemail.com be mail.streetwisemail.com and just have the same IP as mail.mailinator.com) strikes me as a good Pareto-principled step.


> For example, if I'm receiving an advertisement for a product that I "freely" trialed but subsequently rejected, I perceive it as spam.

Agreed. I understand that marketing people perceive getting an email address once as permanent consent to basically anything. But I think this is pathological. People who behave like this in any other context are obviously abusive. That even includes some marketing contexts. If you try a free sample at Costco, nobody follows you around the store badgering you until you explicitly tell them to leave you alone.


> ... an advertisement for a product that I "freely" trialed but subsequently rejected, I perceive it as spam.

I get lots of email about things I don't want -- vendor spam from AWS conferences, etc. I even call it "spam" when I talk about it. However, it feels _really disingenuous_ to also want it to be classified as spam. Sure, it's unwanted, but _I did sign up for it_. That's pretty much an implicit agreement when you go to a trade show. ("Let us spam you, and get a T-shirt!" "oo, that one has an awesome looking octopus [evident.io], okay!") In almost every case, their service isn't right for me. I'm happy to tell them that at the booth, and explain why I don't feel we need your Enterprise Scale Thingamabob.

When I get those emails three months later that I don't want, I don't feel comfortable marking as spam. I'd much prefer to unsubscribe.


The trade show situation, however, is entirely different, because the whole thing is purely about marketing. There's no trial product whose real value could be substituted for that marketing.

That said, I'm having trouble with this seeming contradiction:

> Sure, it's unwanted, but _I did sign up for it_.

Maybe "want" is too strong a word, but you certainly knew you were willing to tolerate it when you did sign up for it.

Conversely, when I'm at a trade show, because I find those emails truly unwanted (and actually intolerable from vendors in whom I have no interest), if I've registered with a real e-mail address, I don't share it just for the octopus t-shirt.


Some e-mail clients have plugins to make it very convenient to parse the unsubscribe link and do the rest of the dirty work when you click unsubscribe from within your client.

However the danger is that some of these are fake, and you might not remember what you signed up for. Then, the spammer knows that you clicked that link. They may learn to know your IP address, dox you further, etc. Or, worse, they can attempt to breach the security of your computer via your browser (0-day or otherwise).

A way to deal with this is using the + sign. Whenever you share your e-mail address knowingly, add the + sign with the address name sans (cc)TLD. Whenever someone e-mails you without the + sign they either harvested that address or they got it from you directly. So when you receive a spam e-mail you'd like to unsubscribe from not addressed to your + e-mail address, don't unsubscribe. You never signed up for it in the first place.
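The triage rule this comment describes, applied to incoming messages, as an added example that is not the commenter's code. The reader's address alice@example.org is constructed, as are the three sample messages; sign-ups are assumed to use alice+<site>@example.org where <site> is the sender's domain without its (cc)TLD, and the ccTLD stripping is a heuristic on a small table of second-level labels.

```python
"""Classify an incoming message by the +tag on the recipient address:
no tag means the bare address was harvested or guessed (never handed out
that way), a tag matching the sender's domain means the expected sender,
and a tag that does not match means the tagged address was shared or leaked."""
import email
from email.utils import getaddresses, parseaddr

MY_LOCAL = "alice"          # constructed identity for the example
MY_DOMAIN = "example.org"

# Second-level labels that precede a two-letter ccTLD (co.uk, com.au, ...).
SECOND_LEVEL = {"co", "com", "net", "org", "ac", "gov", "edu"}


def site_label(domain: str) -> str:
    """'www.ikea.co.uk' -> 'ikea', 'mail.ikea.com' -> 'ikea' (heuristic)."""
    parts = domain.lower().strip(".").split(".")
    if parts and parts[0] == "www":
        parts = parts[1:]
    if len(parts) >= 3 and len(parts[-1]) == 2 and parts[-2] in SECOND_LEVEL:
        parts = parts[:-2]                   # drop ccTLD pair
    elif len(parts) >= 2:
        parts = parts[:-1]                   # drop plain TLD
    return parts[-1] if parts else ""


def my_tag(address: str):
    """Return the +tag if the address is one of mine ('' for no tag), else None."""
    local, _, domain = address.partition("@")
    if domain.lower() != MY_DOMAIN:
        return None
    base, _, tag = local.partition("+")
    if base.lower() != MY_LOCAL:
        return None
    return tag.lower()


def classify(raw_message: str) -> str:
    """One of: not_for_me, no_tag, tag_matches, tag_mismatch."""
    msg = email.message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = [addr for _, addr in getaddresses(headers)]
    tags = [t for t in (my_tag(r) for r in recipients) if t is not None]
    if not tags:
        return "not_for_me"
    tag = tags[0]
    if tag == "":
        return "no_tag"
    sender_domain = parseaddr(msg.get("From", ""))[1].partition("@")[2]
    return "tag_matches" if site_label(sender_domain) == tag else "tag_mismatch"


# Constructed sample messages (headers only; bodies are irrelevant here).
LEGIT = """From: IKEA <noreply@mail.ikea.com>
To: alice+ikea@example.org
Subject: Your order

order details
"""
HARVESTED = """From: "Great Offer" <deals@example.net>
To: alice@example.org
Subject: Good day

unsolicited
"""
LEAKED = """From: Partner Co <news@partner.example.net>
To: Alice <alice+ikea@example.org>
Subject: Exciting news

sent to an address only ikea should have
"""

if __name__ == "__main__":
    for name, raw in (("LEGIT", LEGIT), ("HARVESTED", HARVESTED), ("LEAKED", LEAKED)):
        print(name, "->", classify(raw))
```

Only a "tag_matches" verdict is a candidate for a safe unsubscribe; "no_tag" is exactly the case the comment says never to unsubscribe from.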


Just mark it as spam. If they aren't spamming the internet at large, they won't get blocked at large, and your local bayesian filters will block them from you.


I don't think that works that way with giant services like Gmail.

I routinely see marketing e-mail that I want to see erroneously auto-sent to Spam by Gmail. Since this has even happened for infrequent explicit-opt-in lists, I have to conclude there's no such thing as a "local" filter there.


It seems Gmail does globally filter some campaigns if enough users (or enough of the right users) mark them as spam, but that doesn't mean they don't also have local account-level spam filters. A way to test it would be to mark Amazon or LinkedIn's spam as spam and see if Gmail starts automatically filtering it for that account. They definitely don't filter it globally.


Even the success of such an experiment as you describe (which I believe I've previously run, unsuccessfully, i.e. it took more than one mark-as-spam of a popular, otherwise-legit sender to get it reliably in my Spam folder) wouldn't convince me that there exist any such local, per-account or even per-domain (unless I'm paying for the Postini service) filters.

It would merely be evidence that there's a datum of "spam: From:LinkedIn To:mmt" going into the global filter database and that matching both From and To is sufficiently strong evidence to that global filter.


Huh? "To:mmt" would be a local filter (or a localized signal in the filter - implementation detail). At least, hopefully nobody else is receiving email addressed to you.

If you start marking someone's emails as spam and their emails start automatically landing in your spambox but not everyone else's, then obviously they do have localized filtering. They almost certainly do because some people actually like to receive "newsletters" and junk mail to clip the coupons or whatever.


> "To:mmt" would be a local filter (or a localized signal in the filter - implementation detail)

You imply that this distinction doesn't matter, but I assert that it matters very much.

The difference is that a local filter can reasonably be expected to exclude any remote (to my domain, for example) "localized signal" when making a decision, whereas to a global filter, there's no such thing as "remote".

Looked at another way, imagine mmt.example.com with 10 users and mcbits.example.com with 800 users are both served by gmail (and we're the first two early adopters). Then imagine none of my users ever mark From:LinkedIn mail as spam (and maybe even mark it as ham in some way), whereas 25% of your users mark From:LinkedIn as spam and the rest merely ignore it (never marking it as ham, though perhaps reading it, mark-as-read-ing it and/or labeling/archiving it either manually or with a filter).

With two local filters, I would expect my users never to have to search their Spam folder for messages from LinkedIn. With a global filter, I would expect the relatively small quantity of relatively weak data indicating From:LinkedIn is ham (which happens to be associated with "localized signal" of instances of "From:@mmt.example.com") to be overwhelmed by more numerous strong signals from your users that "From:LinkedIn" is spam and for my users to have to check the Spam folder for messages from LinkedIn at some point.

The latter is what I have observed actually happens.


There's little doubt that they have global filtering informed by user flagging. The question is whether they also have localized filtering for items where users may disagree on what's spam. If so, I would expect email from LinkedIn to be far more likely to be automatically marked spam for those 25% of users who have previously marked those emails as spam. That seems to be what happens, at least from what I've heard. (Gmail is essentially my spambox already, so I don't bother to flag individual items.)

That doesn't preclude the global filters from also occasionally binning some of LinkedIn's email when the global spam score is so high that the local ham score fails to override it. And the same thing could happen whether they implement it as a hierarchy of filters or just one filter with localized signals.


I'm still failing to understand the distinction you're trying to make with a local filter, if it exists only in addition to, and is generally overridden by the global filter.

> I would expect email from LinkedIn to be far more likely to be automatically marked spam for those 25% of users who have previously marked those emails as spam.

This is true regardless of whether or not the filter is global or local, though. That 25% provides the majority behavior for both a local filter and a global filter.

> That doesn't preclude the global filters from also occasionally binning some of LinkedIn's email when the global spam score is so high that the local ham score fails to override it.

It does preclude it, because with a truly local filter, those people are a majority (unanimous, even). Even occasional miscategorization as spam would be completely unexpected. It's only when the filter is global that they end up subject to tyranny-of-the-majority behavior.


> From a legal standpoint, this is broadly true, but I'd say from a user's perspective, this is only very narrowly true.

Oh, please. Of the two, the former is the only one that really matters here.


> (if you register for a trial, for example, you should be "paying" with your email to let the company start a marketing process. Marketing for a service you have registered is not spam...)

Mail people don’t want to receive is spam. You do not have a right to send anyone anything they don’t want. If your business model depends on that it’s going to fail.


> if you register for a trial, for example, you should be "paying" with your email to let the company start a marketing process.

I know where you are coming from, but I don't think I've ever heard it said this way. Do you have any resources that talk about free trials or freemium in these terms?

Is the value in that email mostly in the ability to market to the individual behind it, or is the value only in its ability to be sold and/or cross-advertised to?

Personally I would say that any user who didn't sign up is "worthless" (given the context you are using here), whether they gave you a disposable email address or not.


Mailinator is a lifesaver. Good to see them still up and running after all these years.


Oh yeah, so much "good day" spam recently.


[flagged]


Oh, the irony...


Surely this must be some HN user’s satire.


Given that it's a fresh account with no other comments, I highly doubt it.



