Show HN: Startup with no website - GuerillaClick@gmail.com
288 points by eralpb on Feb 6, 2019 | 184 comments
Hey there, there are a lot of disposable email services, but as I was thinking I realized 95% of the time, I don't care about my inbox. I just want to "verify my email".

That's why I created a startup with no website, it's called guerillaclick@gmail.com, it's a credible domain (you don't say) and it will click on any "verify" links you send to it.

You can use aliases to get around duplicate emails in the target system, like

guerillaclick+eralp@gmail.com guerillaclick+sdfaskdma@gmail.com guerillaclick+111@gmail.com

so choose an alias and start using the service!

I will provide a website to see the inbox of your alias. (maybe for services who send your pw in the email, but then you might be better off using other established servers.)

The Gmail API is a bit slow, so it might take 30 seconds for an email to be received on my end; keep that in mind while testing!


This is delightfully crazy.

Give some random guys with no website your registration record somewhere, allow them to verify your registration as theirs, and then impersonate you, reset passwords, see any communications, possibly log in as yourself and do anything. All this with no recourse.

Nigerian spammers moan from envy for such a brilliant self-propelled gullibility filter.

I have first.last@gmail.com and I've had people play poker and lottery and sign up for dating websites with my e-mail address. I've also received confidential information from insurance and building construction companies.

It's hilarious.

At this point I feel like I've shared a life with some of the others. There are several people who share my name who continually give out my address. I get school closings, invites to pie socials at churches, family pictures, conservative newsletters, and much more.

Once I was told about "my" enlistment in the reserves of some armed service. That one I replied to and got a very polite response from someone with a little bit of rank.

ha! Same here. I was sent notifications from a military application once (seemed to be some SAP style system). I responded to a CC'd email and they politely responded and corrected the address.

The others are more mundane. Mailing lists with dirty jokes from a group of American dentist friends. School notifications from a guy in the UK. Random baby pics.

I'm not sure if there are lots of people with the same name who occasionally get their mail wrong, or a few people with the same name who constantly do. It just seems weird though. Surely if you had a non-firstname.lastname@gmail address you would take extra care to add in the extra padding.

People are stupid when not paying attention.

I had customers who entered an undeliverable=invalid gmail address because they were confused about who hosts their email. Used foo@hotmail.com, entered foo@gmail.com. A few years back, I wouldn’t have thought this possible.

Me too-- a lot of receipts from Home Depot, little league, real estate documents (many times), scans from signing up for gym membership (which had a lot of PII in it, I called the guy), emails from a church elders group.

Once I got an advance copy of remarks the UK Prime Minister was going to make the next day at the 2008 Jeddah global energy summit.

Same here. I've also received legal and tax documents, invitations to bachelor parties, draft scripts for motion pictures, medical records and offers to buy my multi-million dollar house in Florida (hint, I don't have one, but somebody with the same name does).

OnStar, some similar VW service, lots of phone contracts, legitimate job offers. I texted a guy once and asked him if he enjoyed his chipotle burrito.

It's bizarre. The people using "fake" gmail addresses don't seem to realize it is used by somebody else. They are lucky I'm not malicious.

Edit: mine is a first name and a number

I'm about 99.99% certain they are not using fake addresses but they simply don't properly know their own address.

Same. I once set up a google group to forward mail to the others. Limited usefulness.

World-class was the lady who sent me pics of herself in lingerie. Not too revealing and I deleted them immediately and replied to warn her. She nearly died of embarrassment.

I'm pretty sure there are spam lists who sign me up to products, probably for some kind of referral. I join all sorts of junk.

Compounded by Google making "first.last@" = "firstlast@"

Next Gmail account is going to be a guid.

A while back when Yahoo released inactive email addresses, I grabbed moore@yahoo.com. It was a nightmare. The account would receive 10,000+ emails a day. The inbox was full of insurance claims, social security numbers, mortgage applications, pay stubs, and more. In the end, I deleted the account since I didn't want the possible liability of the account.

I have tons of this. I really hope the gmail team is working on it. I don't get spam anymore, I get the receipt of someone with a name similar to, but not quite, mine, dealership tune up reminders, DirecTV announcements, information about going back to get their RN, etc.

Like none of it is spam exactly, just a lot of wrong numbers.

I had a coworker who had the same name as a coworker in Phoenix (we are in Boston). He kept getting invites to meetings out there because the online email was also a scheduling tool (notes). He was getting annoyed dealing with them. I suggested flying to Phoenix to go to one of these meetings...

I bribed an exchange admin or two and got [firstname]@[really big company].com. This company had a lot of consumer facing stuff, and some of which required an email address. Employees of the company would just put in [customers first name]@[the company].com when they didn't have an email address.

That was fun.

(Firstinitial)lastname@ Gmail checking in.

So much misdirected email. Try to sign up for something? Reset password change info to not theirs.

It's amazing what people send rather blindly.

I thought I was the only one (with a firstlast@gmail.com) that kept getting confidential info from/for construction companies, dentists, and some Canadian woman.

Me too, why do you think this happens? I get emails from people who send it to my exact email, I am not sure why they think this is their email (sorry don't want to disclose my email... but it might be in profile :) ).

XKCD has a comic about that experience: https://www.xkcd.com/1279

Me too! One of the others with the same name signed up for a dating website (match.com IIRC) a few years ago and they sent enough information that I was able to improve his odds and help a bit with his decision making.

I get a lot of updates on the kids (not my kids) from one specific person (I've responded to them, they keep doing it), and an occasional W2 (not my W2).

Interesting that so many people had a similar experience. I guess my name is literally unique.

It's no crazier than using any other disposable email service... if I'm registering an account at neopets.org or whatever I probably just don't care.

wow, sites like neopets.org still exists :)

I mean, either it doesn't or that's not the URL... I just pulled the name from a hat.

It’s http://www.neopets.com/

Wow they’ve been around for 20 years now, that’s not bad!

Dude who made it posted on /r/golang recently. Apparently his next masterpiece will be in Go :)

In that regard though, it's not different to existing throwaway email services. I'd use this sort of thing for registering for annoying things like "free" wifi.

Most free wifi hotspots don't verify your email fyi

To some extent, they can't. (How do you verify the email without being on the wifi?)

some may allow popular e-mail services (and imap/pop3 ports) traffic, while blocking the others

other captive portals let the user in, ostensibly to open the inbox and click the link, then kick them off the net if that didn't happen within 5 minutes.

I own a domain which a lot of people on the Internet like to randomly type in when they are signing up for things. It is ridiculous how many services accepted those fake email addresses over the years and therefore how many accounts I could reset passwords for.

What is it?

I don't understand what point you're making. Isn't that true of mailinator.com too? Have you never signed up for an account on a service you didn't trust not to spam you?

Unless you don't want an account. So many things require stupid email verification just to get at no transactional stuff like content.

and it pollutes the googleborg no less, by using a gmail account.

occasionally people (accidentally?) use my (long-in-disrepair) gmail account in this way, and it's amusing to see their little peccadillos. sometimes you get the devilish chance to change subtle details of an online profile =D

not to mention the damn google dot hack that still works with all gmail email accounts...

Not to mention the +something which gives you infinite email addresses.

If you are worried about your user details getting stolen after signing up with someone else's email-

You aren't using this service correctly.

The idea is to not give away your email or signup for a website, but get access to that website.

Yeah, my interpretation is that it's for situations where you would normally prefer to use a fake email (joeblow238998324@gmail.com) but can't because of the verify link.

I typically use a rando address @mailsac.com but then I have to take the 3 steps to visit, enable links, click links. With this tool, I'm saved those 3 steps. Keep in mind, this is strictly for throw-away accounts that require registration

Thanks for seeing the value, after releasing this I got to know some services require session authentication, so without your password (or cookies) the bot cannot verify.

I think this was a nice experiment and still usable for many services.

You could let people pass the username/password in as part of the email tag, like:


As others have clarified, only for complete throwaway accounts obviously. I tested '-' and '!' and those characters appear acceptable as the delimiter. ':' gives a very strange error on send when using gmail.com. Also imagine you'd lose some letter casing along the way.

Really just a fun and terrible idea!

As a reminder, site operators, this is why some sites require you to enter a user/pass to confirm a "verify link".

Interesting, I've a few questions as food for thought.

- Is it allowed under GMail's TOS?

- Have you considered the security implications of having what is presumably a server somewhere in your name clicking on any link that's sent to it?

- You say startup - do you have monetization plans? Putting adverts on the associated website perhaps?

Google TOS is pretty broad. However, one of the main factors here is that export controls could quickly come into play. Since Google is US-based, providing this service for those in embargoed countries could get you shut down quickly.

They also have a "don't misuse our services" clause and I'm sure this would count as misuse if found.

Someone who works for GMail or Google has already read this HN post. I don't expect it to work for much longer unless OP has found a loophole.

> providing this service for those in embargoed countries could get you shut down quickly.

How come Google can figure out who and where the interested end-user is when emails are actually sent by web apps and clicking is done upon email retrieval (I bet some cron with POP3). Moreover emails from "bad" countries are rather filtered out as spam/scam.

Apart from this thread publicly inviting people, it may also be hard to distinguish the account from any busy one. But I guess G may have some pattern matching and rate limits for such sinks.

Let me answer this: from what I know, and broadly speaking, this service is both illegal and not allowed by ToS.

> this service is both illegal

.. in your country. Saying something is illegal without mentioning jurisdiction is meaningless.

> not allowed by ToS

The service being signed up to, perhaps. But it isn't clear to me that it's banned by gmail's tos especially since he's using the service APIs normally.

>Is it allowed under GMail's TOS?

Do you even have to ask? The answer is a clear 'NO'. There is zero chance that Google will allow you to abuse their email service in this way.

I hope OP's personal account isn't in any way related to this account because when 'guerillaclick@gmail' is inevitably banned, his personal account may be collateral damage.

you make a very good point, thanks for the warning.

Why do you call this a "startup"? It's a nice hack for sure but I'm not sure if it has a prospect of being a business.

Because overwhelmingly the HN crowd thinks building an app is building a startup.

The product is a big part of a business, so if you have one, all you need is a business partner and VC's to create a multi-million dollar company.

Yes those are trivial things that are simply an afterthought. The app ain't shit, it's how well the business can execute.

Not enough people realize how true that is.

I've worked for companies that made pretty awful products, but they sure knew how to sell 'em.

If the Yo app can raise 1.5 million...

I wish they were continuing to spend it on their servers! I used Yo with my gf. It’s a daft service, sure, but if I really do just want to tell her I’m thinking about her it was kinda cool.

The iOS app might still work but the watchOS app hasn’t been updated for 5.x. :-(

The monetization is having a curated, up-to-date list of email verification handshakes.

This has value.

> guerillaclick+eralp@gmail.com guerillaclick+sdfaskdma@gmail.com guerillaclick+111@gmail.com

Unfortunately, more and more services are rejecting + e-mail addresses. Either ignoring them, or flagging them as an error.

While it's perfectly within the RFC, companies are catching on to the trick.

(3M, I'm looking at you!)

Gmail gives you another option - separate using dots.


The number of options is of course limited but it's still recognized as a separate address while still coming into the same inbox

I've built a few registration systems and always normalize email addresses (remove local part, de-dot gmail addresses) at signup and login.

It helps users who keep trying bobjones@gmail.com when they signed up with bob.jones@gmail.com. It's also pretty good at preventing mass signups using tricks like this.

How do you know where the local part starts? Google uses '+' but nothing stops you from using '-' as a delimiter if you're running your own servers.

Also, how do you deal with spam filters that are designed to spam anything without a local part? Or is this only done to "well-known" domains like gmail.com?

>if you're running your own servers.

This is enough of a threshold probably.

Actually guerilla.........................click@gmail.com would work too, since it fully ignores dots. So the options are just as (not) limited as anything a + can add.

It's within RFC, but they all lead to one email inbox so you end up being able to manage multiple third-party accounts from a single email account. It's recommended to not reject these, but strip them: https://gist.github.com/judge2020/af8fb9cd2ac165462d44de4e58...


Recommended. By google, who just played loosely with the email-spec.

How rich.

? You can store e-mail messages based on the local part of the address however you want. It's basically just an alias.

Yes, I know that. And as I mentioned, companies are still rejecting these addresses anyway because they know people are using them to identify and filter spam.

This is why I use a catch-all on my own domain with a blacklist for companies found sharing or leaking the email address I gave to them. Fastmail makes this really easy to set up and their web interface also lets you set the From address to anything on the domain.

Years ago I locked myself out of my Amazon account. Since I really wanted to keep using the same email account (and I didn't care about Amazon history, nor did I wish to go through an official account reset) I re-signed up using a +suffix. I'm still amazed the second account was able to be created, though it's possible it's no longer allowed since this was around 2005 or so.

Still works.

I made a +suffix account so I'm not buying stuff on amazon with my AWS account.

When Google inevitably shuts this down can you open source the link clicking program?

I will open source whenever I have time, I just did it last night and decided to share.

The "link-clicking" can be done using a Google Apps Script. I've used it before to auto-accept AWS opt-in notifications for Elastic Beanstalk environments.

My code was tied to a Google Sheet that would hourly pull matching emails, use a regex to extract the link, send an HTTP request to the URL, and record the URL and response in the spreadsheet.

Having a high level description of the code isn't as useful as the code itself. Alas, my code was part of my Google account at a previous employer.

You can use Mailinator to do this already, you can see all of their inboxes on their website and you can use all of their domains to bypass domain restrictions. For example I might use somethingsilly@bobmail.info and it will be redirected to https://www.mailinator.com/v3/index.jsp?zone=public&query=so...

> You can use Mailinator to do this already

While I'm a fan of Mailinator and their approach, I think the feature OP has about auto-clicking verify is unique. But yes, to do this right, you need the multi-domain approach of Mailinator instead of just aliases. Maybe Mailinator has an API or supports POP/IMAP that would make this possible, I haven't checked.

Also exists: https://mailnesia.com/

You can easily use one of many open-source self-hosted temporary email projects with APIs. Just check GitHub.

Receiving email is pretty easy - own domain with MX record and some cheap VPS with Docker. No need to worry about SPF, DKIM, DMARC, DSBL - you care about these when you have to send emails from the host.

If the site you are trying to login in to blocks mailinator, use <whateveryouwant>@notmailinator.com

Last I checked it appeared like Mailinator's POP3 support was completely removed, and API access requires a subscription. It was priced way above what I was willing to pay (I think $150/mo)

Also Mailinator is banned by multiple sites and I feel like that number is increasing (anecdata). Which means it's getting less and less useful for the purpose of "burner" email addresses.

You can point your own domain to mailinator mx records for free.

Don’t have a domain to throw spam at? Pick a sub domain and use that.

I used Mailinator as the quick solution to access some one time resources on websites that forced me to register. It was the simplicity of the throwaway email that made it attractive to me. But when it's blocked on a website I usually wouldn't want to bother with a more complicated setup. If the effort is justified then I can probably use a regular email address. Other people might have different use cases.

Pointing your MX records to Mailinator is a one-time small effort, then it's just a matter of sending mail to whatever@yourdomain.com.

I'm not sure if my use case was clear or perhaps I don't understand what the scenario you present does.

Say I want to comment on a news article and need to register. I don't want random-newspaper.com to have anything directly related to my person, including anything @mydomain.com. So I quickly punch in random-email@mailinator.com to register and once I'm done I can either forget the site and email ever existed or keep using it since it's non critical and losing access to it doesn't matter.

Ideally I would have different email addresses for every site so I can keep those identities separated and free of any personal information. Last time I used it like this was probably a decade ago because since then more and more sites started rejecting @mailinator.com addresses. I found another such solution that I have been using for the past years but this is also going the same way (not a big issue yet).

A service will check the MX record of your email and refuse to register if it matches mailinator's MX.

but the list of mailinator domains is easily looked up and blacklisted by most major sites. the op's insight is that sites won't blacklist gmail

I don't know if it still does it, but mailinator used to have a neat feature where it would "detect" bots trying to scrape its list of domains and start injecting legit ones like hotmail.com/gmail.com

you don't need to scrape anything. you check the provided email for mailinator's MX records/IPs.

This is probably much more difficult and taxing. On every signup, you're now checking MX records and IPs, not just looking at a string. And Mailinator can change this information regularly too if they choose.

>the op's insight is that sites won't blacklist gmail

Why would you blacklist gmail.com when you can blacklist 'GuerillaClick@gmail.com'?

well for one you also need to blacklist the aliases, ex. guerillaclick+sdf@gmail.com, and i suspect sysadmins start showing more hesitation when you need to start pattern matching (risk of false positives and additional overhead)

Just make sure that account is not associated with any of your real data (even IP). There have been horror stories at /r/TIFU about people getting their personal accounts suspended and the whole enterprise account with them.

If Google gets angry about you, your life MIGHT be ruined –partially–

Turns out those r/TIFU stories were fake. A Googler from the GSuite support debunked the claim. [0]

[0]: https://amp.reddit.com/r/google/comments/8l231x/google_banne...

what about the gmail receive limit? it's 60 emails per minute or about 80k per day

if you hit 1 minute over 60 you get blocked 24h

That seems like it would be incredibly easy to DoS someone.

Indeed it is.

Why, you could easily advertise an email on a tech news aggregate site asking people to use it to sign up for sites that may send you unwanted emails. You wouldn't even need to set up a webpage. That's if you didn't want to sort out a more direct method.

Did you get the idea from GuerrillaMail?


More and more services recognize disposable e-mail domains and don't allow such addresses. Obviously they can't block the gmail.com domain.

I like the idea, but it probably is against Google's TOS, so there's that ...

Theoretically if this guerillaclick@gmail gets popular, I'm sure services can just specifically block guerillaclick+anything@gmail right?

If something like this becomes popular, one might expect sites concerned about non-human verification to add a captcha to their verification page before the account is considered verified.

Or: ask the user to use the same browser and check that cookies match / "sanitize" gmail addresses

Good luck with your startup with no website. It's very simple and clever.

I started my startup with a website to do a disposable emails service: mailcare.io It's also available in open source.

I've always wanted sort of the opposite. I'd sign up to a website, and they wouldn't ask for a password. To login, they would email a link to click and I'd be logged in for however long that cookie lasted. Why don't sites do that?

(Is email still considered slow? I remember having wait times in the hours back in the 90s, but I'm not sure I've ever waited anywhere near a minute in the past decade.)

> I've always wanted sort of the opposite. I'd sign up to a website, and they wouldn't ask for a password. To login, they would email a link to click and I'd be logged in for however long that cookie lasted. Why don't sites do that?

> (Is email still considered slow? I remember having wait times in the hours back in the 90s, but I'm not sure I've ever waited anywhere near a minute in the past decade.)

Tumblr does this at the moment. It asks for either email click or a traditional username/password setup.

Passwordless authentication exists, Medium has it, I've implemented it before, and I prefer it myself. The biggest issue being it adds an additional step, that most don't want to deal with. What if they don't have access to their email on that machine? Blasphemy, but it happens.

This is basically how steam works these days.

Sure, there is a "password" - but they won't let you log in without also verifying you have access to your email account - and you can reset that "password" only knowing the username and having access to the email account.

Tumblr does that now.

I’ve never used the feature. I have an integrated password manager.

Medium actually does this.

How'd you log in if you lose control of your e-mail?

Isn't it spelled with two R's? "Guerrilla"? I didn't even notice at first, and was going to say that it's a hard to spell word for something you have to manually type in. Now I notice even the service itself is misspelled! Or is it just this announcement of it that's misspelled?

Nowadays, most require SMS confirmation that "You are indeed a human". And thus a mobile phone number. Have often considered wiring up something in Twilio so I can create multiple accounts, etc. But am too lazy to put in the effort. Perfectly willing to trade privacy for convenience in most cases ;)

I wouldn’t say “most”. The sites where you have to verify are probably more sensitive and not something you’d verify with this service or a throwaway email anyway.

A lot of these sites know when you're using Twilio numbers and reject you anyway.

How well will this scale? I know GSuite Gmail accounts are limited to 3600 emails per hour, among other limits.

What's awesome here is that he/she's created a solution to a problem that almost everyone has. It might need a little work, as shown by other comments, but the core idea is a good workaround for sites that force you to give a bad email address to get at the content.

Is it a problem though for legit sign ups? I find the problem is that when you click the link in your email, you now have 2 tabs open. One with a verified login and one without.

A lot of services don't allow +uniqueSection in email addresses anymore; just bear in mind..

Because it's a gmail address, you can put as many . as you want anywhere in the name. Gmail strips them out when determining the email address.

Not as useful as `firstnamelastname+twitter@gmail.com` for example :/

Not as readable, but each inter-character spot is a bit, and if you have 11 bits, you can represent 2^11 addresses.

EDIT: Assumes Zero or One periods per bit-gap; if you can chain them, the sky’s the limit.

I just tested it with a bunch of periods. I got rejected with just two periods adjacent, and with quite a few more periods adjacent. So only bits. Looks like it can be used for filtering too.

Dots cannot appear consecutively in the local-part unless quoted.
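The dot-as-a-bit scheme from the comments above, worked through as an added example (not code from the thread). It assumes a dot-free base local part; each of the len(base)-1 gaps between characters carries one bit, and, since consecutive dots are invalid, a gap holds at most one dot. The decoder rejects doubled, leading or trailing dots, matching the rejection reported above.

```python
# Added example: encode an integer "tag" into dot placement in a Gmail local
# part and recover it from an address as it arrives. Gap i, between base[i]
# and base[i+1], carries bit i of the tag. Gmail ignores the dots, so every
# spelling lands in the same inbox while the spelling itself remains a filter key.


def encode_dot_tag(base: str, tag: int) -> str:
    """Return `base` with dots placed so the gaps spell `tag` in binary."""
    if not base or "." in base:
        raise ValueError("base local part must be non-empty and dot-free")
    gaps = len(base) - 1
    if not 0 <= tag < (1 << gaps):
        raise ValueError(f"tag must fit in {gaps} bits")
    out = []
    for i, ch in enumerate(base):
        out.append(ch)
        if i < gaps and (tag >> i) & 1:
            out.append(".")
    return "".join(out)


def decode_dot_tag(base: str, dotted: str) -> int:
    """Recover the tag from a dotted spelling of `base`.

    Raises ValueError if the letters differ from `base` or if the spelling has
    a leading, trailing or doubled dot (not a valid unquoted local part).
    """
    segments = dotted.split(".")
    if "" in segments:
        raise ValueError("leading, trailing or consecutive dots are not valid")
    if "".join(segments) != base:
        raise ValueError("dotted form does not spell the base local part")
    tag = 0
    consumed = 0
    for seg in segments[:-1]:      # every segment but the last is followed by a dot
        consumed += len(seg)
        tag |= 1 << (consumed - 1)  # gap index = characters consumed - 1
    return tag


def tag_capacity(base: str) -> int:
    """Number of distinct dot-tagged spellings of a dot-free local part."""
    return 1 << (len(base) - 1)


if __name__ == "__main__":
    base = "guerillaclick"  # 13 characters, 12 gaps, 4096 spellings
    for t in (0, 5, tag_capacity(base) - 1):
        addr = encode_dot_tag(base, t)
        print(t, addr + "@gmail.com", "->", decode_dot_tag(base, addr))
```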

I never understood why that was useful. If you're a spammer that harvests email address or if you're an unscrupulous service that sells your user email address to spammers, wouldn't you simply remove the '+' suffix from any gmail address before commencing your spamming?

Good thought. At the same time, it's a feature; not a startup. Sorry.

A feature of what?

If this guy can convince people to send him their registration codes and somehow monetize it he's in business.

it is a geek idea! i like it.

you still get a website?

> I will provide a website to see the inbox of your alias. (maybe for services who send your pw in the email, but then you might be better off using other established servers.)

> Gmail API is a bit slow so it might take 30 seconds for email to be received on my end, keep in mind while testing!

just wondering does it break gmail's terms?

If you are not making money off of it, why would you call it a startup. It really is a project of yours.

Thank you for making this though.

Request for feature: Chrome extension: a shortcut fills in guerillaclick+<random_hash>@gmail.com

great idea, which also warns about the websites it won't work on.

some require session authentication, so bot needs to login and THEN verify.

A bit weird to call it a startup but a clever idea!

Maybe Mailinator could implement this autoclicking.

Can something similar be done with phone number verification?

Seems like the perfect one to get one's account stolen

Throwaway/shared e-mail addresses are not for accounts you care about, they're for working around stupid requirements to register "for free" to access a resource you need.

Doesn't mailinator (mailinator.com) already do this?

some sites prevent mailinator accounts on signup

Truth. All ephemeral/temporary/one-time mailboxes suffer from the same issue - once enough people start using it, the website owners take notice and it's blacklisted.

It'd be nice if you could create temporary <insert reputable domain here> accounts on the fly. User provides a captcha solve, your service uses this to create a random account & log in, user can view inbox or click 'open all links'. This wouldn't work with gmail because of SMS verification but would probably work on other domains and circumvents the above problem.

And not all sites honor the "+". Too easy to filter that out.

there are alternatives like http://10minutemail.com

Wow. This is a sneaky idea. I love it.

Thanks, just spent five minutes modding my webapp to disallow email aliases.

That has to be the worst idea of the year. You are essentially blocking perfectly valid emails on the assumption that one single email provider uses the + character with some special meaning. Congratulations, that's how you break the internet.

I will call support to notify them my e-mail (with a + in it) isn't working, like I have done before. No I don't have another e-mail address. Yes, this is really my e-mail address.

To be fair, I would assume/hope the implementation is gmail specific and just truncates the + part only when doing uniqueness validation. Granted its effectiveness is small.

This would not account for emails which have a custom subdomain but are still hosted by gmail, which will behave the same way as gmail with respect to the "+" sign (I've seen many universities do this).

That is essentially losing 1 customer vs handling a thousand spammers.

Except people use aliases to protect themselves from spammers - who frequently buy or steal e-mails from companies like the one you're considering.

Then a better alternative would be to develop a unique mail check functionality ignoring the + part. Maybe that could work for both sides.

When I helped my grandparents set up GMail they decided that they wanted one shared email account instead of one each. That has worked very well for them. Old people have enough to keep track of already so a shared email inbox for the both of them is great. My grandfather uses the GMail web app on his Mac desktop and my grandma uses the GMail app for iOS on her iPad.

However, when I set up Apple ID for each of them I wanted to create separate Apple IDs for each of them.

Thankfully Apple does not do anything like ignoring the + part you provide.

There are many ways spammers can create any number of email addresses.

Ignoring the + part of email addresses isn’t going to stop spammers, but it is going to cause a lot of pain for regular users because the + part has many applications that you can’t even imagine.

When the user hands you an email address, use that email address as is. Don’t ignore the + part of GMail addresses or anything like that.

Thank you for the nice explanation, it changed my mind to worry less.

When a website presumes to normalize my Gmail address, I presume they aren’t interested in my money.

You are well within your rights to prohibit duplicate signups from the normalized address, but please don’t presume to replace what the user entered.

Kind of a slap to anyone who uses email aliases to sort/filter email

I use aliases to filter my email and also to see who sells my email address to third parties. All the websites I've used allow "+" in the email address so that's good.

You can assume that the companies selling off email data are smart enough to do the entirely trivial "remove + sign to @ sign" transformation for gmail addresses, at least partly because their job tends to be tracking you across a large number of domains.

I switched to mail under a domain I own (and powered by FastMail) some time ago; I now use the alias@username.mydomain form. Try to filter for that without breaking non-aliased e-mails!

By that point you might as well set a fixed-width length and treat everything after that as an alias, like me@domain.tld would be the base and mespammers@domain.tld would be your alias for spammers.com, etc. Even better, put the alias before the username and keep the + as a separator.

Come to think of it, I bet doing this actually gives them better signals than they'd otherwise get, because if they receive emails by word of mouth, then they get additional context as to what sites you're signing up to.

You may want to allow email aliases, but ignore the 'alias' part when checking for uniqueness.

Please don't. It's an important feature for a lot of people (me included).

Just ignore it when checking uniqueness, if you really must

The problem is that you are no longer compliant with the email spec: https://tools.ietf.org/html/rfc5322#section-3.2.3

Does nobody read RFCs anymore?

> Does nobody read RFCs anymore?

I did, before posting my answer, though I admit I was too lazy to look up the email RFC and instead just used the URI RFC and assumed the allowed characters in the user-name would be the same :P

I'd reconsider this change. Lots of people use email aliases to track which sites share their contact details with third parties. I see it all the time in signups for one of my sites - don't mind, of course, because I don't share their data. If you stop people doing this it might send the wrong message.

This is a poor way to track who is selling your contact details. It's trivial to strip + aliases from a list.

But it's a good way to track who accidentally leaked your contact details.

Unless the receiving party strips them as a matter of deliverability of their spam.

That's downright silly and a user hostile move, IMO (why at all wouldn't you want someone to test things out without having to give one of their main email address?). Your solution seems to assume that everybody uses only Gmail and Gmail plus addressing. Gmail also considers dots/periods in addresses as not existing. Try blocking those too (no, actually don't try this!). There are so many temporary or disposable email services that you'd be wasting your time trying to disallow all those. Your time could instead be better spent on making your product or service more attractive to paying customers.
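Several comments above make the same two points: "+" is a legal local-part character under RFC 5322, so a signup form should accept it, and a site that wants to block duplicate accounts should dedupe on a normalized key while still storing and mailing the address exactly as entered (with Gmail's dot-insensitivity handled as well). The following is an added example in that spirit, not code from the thread or from the poster's app. The list of providers whose local-part rules are known is an assumption for illustration; any other domain is keyed verbatim, which is exactly why a Google-hosted custom domain is not collapsed by this check.

```python
"""Accept '+' aliases, store the address exactly as entered, and use a
provider-aware normalized key only when checking for duplicate signups."""
import re

# RFC 5322 section 3.2.3 atext (the dot-atom form of a local-part; the rarer
# quoted-string form is not handled here).  '+' is an ordinary atext
# character, so a validator that rejects it is non-compliant.
ATEXT = r"[A-Za-z0-9!#$%&'*+\-/=?^_`{|}~]"
DOT_ATOM = rf"{ATEXT}+(?:\.{ATEXT}+)*"
LDH_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
ADDR_SPEC_RE = re.compile(rf"^({DOT_ATOM})@({LDH_LABEL}(?:\.{LDH_LABEL})+)$")

# Assumption: the only domains whose local-part semantics we claim to know.
# Only the receiving host may interpret a local-part (RFC 5321), so anything
# not listed is keyed verbatim.  A Google-hosted custom domain is therefore
# NOT collapsed, which is the gap a comment above points out.
PLUS_TAG_DOMAINS = {"gmail.com", "googlemail.com"}
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def parse_addr_spec(addr):
    """Return (local_part, lowercased domain) or None if not a valid addr-spec."""
    m = ADDR_SPEC_RE.match(addr)
    if m is None:
        return None
    return m.group(1), m.group(2).lower()


def uniqueness_key(addr):
    """Key used only for duplicate detection; never shown to or stored for the user."""
    parsed = parse_addr_spec(addr)
    if parsed is None:
        raise ValueError(f"not a valid addr-spec: {addr!r}")
    local, domain = parsed
    if domain in PLUS_TAG_DOMAINS:
        local = local.split("+", 1)[0]
        local = local.lower()  # these providers treat the local-part case-insensitively
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")
    return f"{local}@{domain}"


class Registry:
    """Maps normalized key -> address as the user typed it."""

    def __init__(self):
        self._by_key = {}

    def register(self, addr):
        key = uniqueness_key(addr)
        if key in self._by_key:
            return False           # duplicate of an existing account
        self._by_key[key] = addr   # keep the alias: that is where mail must go
        return True

    def delivery_address(self, addr):
        """The address to send mail to, whichever form of the account is given."""
        return self._by_key.get(uniqueness_key(addr))
```

Registering `me+apple@gmail.com` and then `m.e+other@gmail.com` yields one account, and mail for it still goes to `me+apple@gmail.com`; `alice+shop@example.org` and `alice@example.org` stay distinct because nothing is known about how that host interprets its local-parts.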

Excellent work. Now disallow catch-all email addresses. I'll wait.

Well surprise, I actually use that feature in real life with my real email.

It is really helpful if you want multiple profiles for a service (ex. Different mode, different recommendation) or in filtering all emails sent to that specific address (can't filter with the "from" as I don't know who is emailing me)

Please don't break standards

But, then you are not complying with standard email, are you? See https://tools.ietf.org/html/rfc3696#section-3

I use an alias for every website, like me+apple@gmail.com to login to Apple.

Sounds like busywork without appreciable gain

Until you take a look at your spamfolder to see who's been selling you e-mail address.

most spammers use bcc, no?

Not the ones that are in my junk folder currently.
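Several posters above use a distinct "+tag" per site so that mail arriving on a tag from an unexpected sender reveals who leaked or sold the address, and one asks what happens when the spammer uses Bcc (the alias is then absent from To:). The block below is an added example of that audit, not code from the thread. The messages are constructed samples; the mailbox owner, the tag-to-site record, and the assumption that the receiving MTA records the full recipient alias in a Delivered-To or X-Original-To header are all assumptions for illustration.

```python
"""Attribute each received message to the '+tag' alias it was sent to and flag
senders that do not match the site the alias was given to.  All messages here
are constructed samples, not real traffic."""
from email import message_from_string
from email.utils import getaddresses, parseaddr

MY_LOCAL = "me"          # constructed mailbox owner
MY_DOMAIN = "gmail.com"

# Constructed record of which sender domain each alias was handed to.
REGISTERED = {"shop": "shop.example", "forum": "forum.example"}

SAMPLES = [
    # Normal mail from the site the alias was given to.
    "From: orders@shop.example\nTo: me+shop@gmail.com\nSubject: Your order\n\nbody\n",
    # Bcc'd bulk mail: our alias is absent from To:, only the delivery trace has it.
    "Delivered-To: me+forum@gmail.com\nFrom: promo@deals.example\n"
    "To: undisclosed-recipients:;\nSubject: Hot deals\n\nbody\n",
    # Alias written with a dot, which Gmail ignores, among other recipients.
    "From: digest@forum.example\nTo: Someone <other@example.org>, m.e+forum@gmail.com\n"
    "Subject: Weekly digest\n\nbody\n",
    # Bcc'd with no delivery trace at all: cannot be attributed to an alias.
    "From: anyone@random.example\nTo: undisclosed-recipients:;\nSubject: ???\n\nbody\n",
]


def alias_tag(msg):
    """Return the tag our alias was addressed with ('' for the bare address),
    or None if no address of ours appears in the recipient/delivery headers."""
    headers = []
    # Assumption: the MTA keeps the full recipient alias in Delivered-To or
    # X-Original-To, so those are checked before the sender-controlled To/Cc.
    for name in ("Delivered-To", "X-Original-To", "To", "Cc"):
        headers.extend(msg.get_all(name, []))
    for _, addr in getaddresses(headers):
        if "@" not in addr:
            continue
        local, domain = addr.rsplit("@", 1)
        if domain.lower() != MY_DOMAIN:
            continue
        base, _, tag = local.partition("+")
        if base.replace(".", "").lower() == MY_LOCAL:
            return tag
    return None


def classify(raw, registered=REGISTERED):
    """Return (verdict, tag, sender_domain) for one RFC 5322 message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    tag = alias_tag(msg)
    if tag is None:
        return ("no-alias", None, sender_domain)
    expected = registered.get(tag)
    if expected is None:
        return ("untracked", tag, sender_domain)
    if sender_domain == expected or sender_domain.endswith("." + expected):
        return ("expected", tag, sender_domain)
    return ("leaked", tag, sender_domain)


def audit(raws, registered=REGISTERED):
    return [classify(r, registered) for r in raws]


if __name__ == "__main__":
    for verdict, tag, sender_domain in audit(SAMPLES):
        print(f"{verdict:9} alias={tag!r:10} from={sender_domain}")
```

On the samples the second message is flagged as a leak of the "forum" alias even though it was Bcc'd, because the delivery header still names the alias; the fourth message carries no trace of which alias it reached and is reported as unattributable, which is the limit of this technique.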

Not sure of your app, but why do you care if multiple people share the same inbox? They can always do that with something like Mailinator or other domain-level aliasing.

Revert that change. Just like DRM is easily defeated, so is your webapp's alias check; one can simply buy a few cheap domains and your checks fail.

Great marketing for your services since you're putting them in your profile.

Interesting idea!


Don't worry about providing a website.

For future awesomeness please follow @eralpbayraktar on Twitter :)
