Show HN: TrashEmail – Telegram-based disposable mail service (github.com)
113 points by r0hitSehgal 44 days ago | 100 comments

Feedback for the OP: I didn't understand how this works, and am reluctant to start a bot just to figure it out. It would be helpful if you could add some screenshots showing how email address creation, deletion and email receipt work (please do not use GIFs, just a set of static images are enough).

Tangentially on Telegram bots, one of the things I dislike with privacy on Telegram is that the user ID (an internal Telegram generated number, not to be confused with your chosen username) given to bots is static. It's not an ID per bot and there's no way to change the ID without deleting your Telegram account and creating it again later (I'm not sure if it changes then either). Bots can also see and save your name (as entered on the profile) on Telegram. This makes it easier for bots (or bot swarms) to track users on Telegram. (AFAIK, Telegram bots don't get the phone number of the user; it'd be terrible if they did).

Sure, will definitely take this into account.

Telegram is such an underappreciated platform. It has many features other platforms lack, is reasonably privacy-friendly, more so than fb/whatsapp/etc, but not enough to sacrifice features or UX. They have an API and both official and unofficial clients for almost all platforms, including command line and native, non-electron Windows (UWP). The client API is not easy to use, as crypto and similar features are involved, but C libraries exist. On the other hand, the bot API is one of the most pleasant APIs I've ever seen. It just works, can be tested in the browser, there's no OAuth crap one needs to set up. It's beautifully simple. I use Telegram whenever I can, and it has become my go-to messenger these days.

> is reasonably privacy-friendly, more so than fb/whatsapp/etc, but not enough to sacrifice features or UX.

Welp, there is a lot of discussion around these claims.

But we are also on Telegram, mostly because I'm using their API for our Home-Assistant instance to deliver status updates (left the bathroom window open for too long, weather-forecast on the morning and evening for the next 3 days). I like it.

Sorry if it’s off-topic but how does it know if the bathroom window is open or not? Did you build some kind of device and connect it to Home Assistant?

I'm happy to answer. :)

I'm using a ready-made sensor for this. It's the same system I'm using for temperature and humidity measurement. It's proprietary [0], but someone reverse engineered it [1], so I can send the data via MQTT to Home-Assistant. I then wrote an automation using Node-RED. It gets triggered when the window opens. After an initial timeout of five minutes, it will compare the inside temperature and humidity with the outside temperature and humidity, and decide if it should wait another five minutes or fire off a notification. If you close the window before, it will stop everything and reset itself.

[0]: https://mobile-alerts.eu/

[1]: https://github.com/sarnau/MMMMobileAlerts

Thanks for the answer! I didn't know there are already ready-made sensors for such use-cases (though I'm not familiar with Home Assistant itself either, only heard of what it is).

You can easily integrate Zigbee devices. The Aqara or Xiaomi door/window sensors for example are cheap and pretty nice.

Thanks! I didn't know Xiaomi made such sensors too. They are definitely one of the brands that I recognize.

Officially, they only work with Mi Home cloud-crap, but there are Zigbee drivers for interfacing with it.

I use a few different devices from them with zigbee2mqtt and it’s working great. It’s perfect for combining devices from different manufacturers and not having to use their individual gateways.

I use it with OpenHAB. It is easy to integrate with, fast, and reliable.

Kind of odd that I trust Durov more than Zuckerberg, but here we are.

> It has many features other platforms lack, is reasonably privacy-friendly

Telegram still has no E2E encryption by default and their official desktop client doesn't have it either. So it's worth nothing if no one uses it. It's not that I have much trust in proprietary fb code, but there are certainly better apps privacy-wise out there.

>> reasonably privacy-friendly
> Telegram still has no E2E encryption by default

Right, but e2e encryption is a small part of "privacy".

Not leaking your personal data, identity or telephone number, and with whom you communicate is often more important.

> there are certainly better apps privacy-wise out there

With significantly worse UX.

> still has no E2E encryption by default

This doesn't make it not reasonably secure in my mind. While the TG people will be able to access your messages, they can also process them, making stuff like large groups even possible (imagine the distribution hell otherwise).

I do tend to think that there's not much of a downside to E2E for private chats though, since you can still share private keys between devices to enable sync.

> So it's worth nothing if no one uses it.

Telegram is way more than secret chats.

> This doesn't make it not reasonably secure in my mind. While the TG people will be able to access your messages, they can also process them, making stuff like large groups even possible (imagine the distribution hell otherwise).

So your standard for “reasonably secure” communications is Facebook Messenger?

No. You're using the same "if it's not perfect it's worthless" argumentation as GP.

It's not perfect, nothing is. But it makes better compromises than others.

It’s worthless as a “secure messenger.” They can read and store all the messages unless you use the E2E mode.

Email has no E2E and people still use it all the time, for much more sensitive things than get sent over whatsapp and such.

What's your point? I'd rather not assume you're saying "privacy doesn't matter because people don't care about it" or "Email is more private because people think it's more private".

The point is that it doesn't make sense to be paranoid about no E2E if you still use emails for sending/receiving sensitive info.

Okay, but how is that more than a straw man? Who is this mythical person who is paranoid about E2E and then emails their darkest secrets around?

You can choose to use E2E if desired. Why is the default so important?

Not on desktop Windows and GNU/Linux: https://github.com/telegramdesktop/tdesktop/issues/871

Yes, the desktop client does not support it. If I want / need E2E I use my phone.

But e.g. Signal doesn't have the feature where either party of a conversation can delete messages on both phones. This is possible with Telegram's secret chat. And it's great.

Signal has disappearing messages for this use case. Not the same but the crypto in Signal is so much better (and permanently enabled) it’s hard to argue that Telegram is more secure.

Definitely not the same. For a better Snapchat-like feature, where you want reasonable protection against your comms partner, Telegram is way better. Also protects you from screenshots etc. (again: reasonable privacy relative to threat model)

does it protect you from taking a picture of your phone?

i'd rather have a foundation of properly functioning, award winning cryptography than "features" designed for people who haven't thought through their threat model sufficiently.

castles made of sand melt into the sea eventually

My threat model with nudes is different from my whistle blowing.

Signal also makes trade offs in order to get crypto to the masses.

Yeah, but “supporting plaintext comms by default” is not a trade off to get crypto to the masses, it’s a failure to do so at all. What’s wrong with the disappearing messages feature?

Disappearing messages are per thread. In Telegram I can choose to 'disappear' single messages.

You can turn it on and off for the conversation whenever you want.

But I can't go back and delete a message. I can prepare to delete the next message. Not, a message.

I mean, that feature can be abused in a whole host of ways

In a private chat... that's a feature. IMO

How can crypto be better or worse? It either works or it does not. I did not hear about anyone breaking Telegram crypto.

Telegram have said that you can’t trust Signal because the developers live in the US and something something the CIA, which is pretty ridiculous. They rolled their own crypto and they aren’t cryptographers, which should be reason enough not to trust its security: https://security.stackexchange.com/questions/49782/is-telegr...

This answer is ridiculous. They got world level mathematicians in their team, what more do you want? Who are those "cryptographers"? And why don't those cryptographers break Telegram if they think that their crypto is broken?

Again, crypto is either broken or not. Telegram crypto is not broken. It's fine. Not everyone might like it, but that does not matter. I don't know the story about the CIA (although I wouldn't be surprised to find out that Signal is a honeypot), so can't comment about that.

Mathematicians are not cryptographers. Crypto is harder to trust when the rationale behind it hasn’t been justified. Signal’s crypto is very easy to justify. That’s about it.

> Again, crypto is either broken or not.

Security is not a yes/no thing. It is equal to the price to break it. If the cryptography is well-tested for decades, the price is much higher. This is not true for Telegram. It does not matter how good its creators are.


Signal leaks your telephone number to everyone with whom you communicate, which is a privacy disaster before you even send your first message. (Please don't take this as implicit approval for Telegram's approach to secure messaging, but at least they managed not to cock up in such a basic way.)

This has been explained on HN ad nauseam. It leaks less metadata than anything else, the phone number is the only metadata that it leaks (only to people you’re messaging, mind), and they’re working on a solution to that problem right now. It works that way because the developers wanted to avoid holding a central server with metadata for their entire user base. Instead it uses your local contact list to discover other users. I would say that being unencrypted by default and having a centralized metadata directory in plaintext is more of a cock-up in secure messaging than taking a rigorous and cautious approach to metadata leakage.

The constant repetition is indeed nauseating. It's also nonsense.

There is another unique identifier that's stored in the local contact list: email addresses.

Use either email address or a phone number as an identifier, and you've no longer built an offensively privacy-violating service but have exactly the same distributed property.

You can use any phone number to sign up, it doesn’t have to be the one on your SIM. The rationale is that people typically text using phone numbers, and they wanted to make it easier to text people securely. It’s not nonsense, it makes perfect sense, and again, they’re working on it: https://signal.org/blog/signal-pins/

If you only have access to one phone number and not giving it out is critical, then Signal might not be the right choice for you. But you won’t find a more secure channel that collects less metadata anywhere else.

People typically email using email addresses, and text using phone numbers. They're both messaging identifiers that might easily be repurposed for Signal.

There's no property of the latter that makes them a better choice than the former, but the existing ecosystem makes a disposable or role email address a much easier thing to obtain, and in general leaking an email address a far-less-damaging privacy violation than leaking a phone number, which can so easily be used to harass and directly track you.

In many parts of the world, disposable mobile numbers are very definitely not a practical thing. The correct starting point here is to use either an email or a telephone number as an external ID. It's still not perfect, but at least it's not a complete disaster any more.

Alas they've been 'working on it' for a very long time now, and are likely to fail because of this painfully slow progress.

Perhaps if they'd pissed around less with trivia like cryptographically secure stickers, they might have increased their chances of becoming a useful product before they end up surrendering the space to an inferior product which gains too much market share to overcome before they're even properly off the starting blocks.

I criticise Signal here because I like the design and hate their botched execution, not because I dislike the protocol. On the contrary, I dearly want something that competent to succeed, but fear we're rapidly losing the chance of that happening because they have launched a privacy-disaster product and most of the potential market will have seen that, dismissed it and forgotten about it before they pull their finger out and fix it.

Yeah but even with the phone number “leaking” (only to the recipient) nothing else even comes close to it. If your standard calls Signal a privacy disaster, what kind of product would you expect people to use? Everything else either involves storing comprehensive metadata in plaintext or worse durable logs of all conversation and interaction. Prepaid SIMs are pretty cheap and outside the US most phones are unlocked. Emails are too easy to fake and generally abuse. Nobody has solved this problem yet.

> Telegram is such an underappreciated platform.

Seriously, that's how I feel whenever someone asks me for my WhatsApp number (no, I don't use WhatsApp, and there's nothing called a WhatsApp number) or asks me about Facebook Messenger. Great UX, fast and new features added at a pace that puts other chat platforms to shame.

[I won't talk about the security aspect in this comment, since it has been rehashed many times here]

A WhatsApp number would be the phone number to which a user has tied their WhatsApp, for cases in which users have multiple phones and multiple phone numbers, not all of which are accessible beyond SMS.

> non-electron Windows (UWP)

Oh? I thought it was Qt. I don't want to seem like I'm complaining for nothing as it's definitely much better than, say, Slack client, but I still feel like the Windows client is a bit "out of place". Like the task bar context menu looks different from all the other menus for other apps in there, with rounded corners etc.

I'm not sure that Slack is a proper term of comparison for Telegram. A closer competitor would probably be WhatsApp, and Telegram Desktop easily beats the "desktop" version of WhatsApp on every single aspect. The only reason I'm still using WhatsApp is due to the fact that that's what all the people I know use.

It's Qt. GP might have mixed it up with Unigram client[0], which is UWP.

0. https://github.com/UnigramDev/Unigram

> is reasonably privacy-friendly, more so than fb/whatsapp/etc

This is a harmfully misleading notion that we shouldn't be spreading. Without explicitly invoking "secret chats", which are not even available on desktop, Telegram is no different from Skype and FB Messenger and is categorically less secure than WhatsApp.

> reasonably privacy-friendly

There is still no e2e encryption on GNU/Linux desktop, even as an option.

Upd: https://github.com/telegramdesktop/tdesktop/issues/871

Privacy-wise Whatsapp is probably better due to E2E.

How do you know it has E2E? The app itself is closed source. As far as anyone is concerned, it's all claims. How do they handle the private keys, for example? Any backdoor?

WhatsApp reverse engineering happens all the time. There are news channels out there with people dedicated to being the first to announce references to upcoming features every update.

The same can be said of Signal or any other chat application distributed through Google Play. How do you know the binary corresponds to the source? Good luck getting reproducible builds on Android or iOS. If you want to be sure your chat app is secure, you need to review and compile the code every time. And, of course, you need the knowledge and skills of a good cryptographer to determine hidden backdoors in the algorithms.

Whatsapp is reasonably secure, as long as you don't upload your unencrypted chats to Google Drive (the backup functionality). Telegram, with E2E enabled, hasn't been proven insecure enough despite its weird custom crypto scheme. However, WhatsApp brings E2E to group chats where Telegram needs manual configuration in private chats to do so. If we want to bring E2E to the masses, WhatsApp is the best option for now.

I'm hoping Matrix will change this or Telegram will implement proper crypto, but until then, WhatsApp is probably the best option we have.

Reproducible builds are a red herring, they do nothing to defend against bugdoors.

It uses the Signal Protocol/Axolotl Ratchet and Open Whisper Systems helped them integrate it, which is a big reputational stake from very trustworthy people.

Open sourcing whatsapp would solve precisely zero of these problems. There’s no way to know if a bugdoor is a backdoor or just a mistake.

AFAIK, WhatsApp has decent E2EE, but metadata is not encrypted. So even though Facebook can't see what you are saying, it can see to whom you are saying it, how often, at what times etc.

Telegram isn’t encrypted at all by default, and its encryption scheme is sketchy.

Eh? It's encrypted by default. Not E2E, though, although that is an option which you can choose to use.

That's a bit disingenuous. Everything is encrypted these days, there's virtually nothing that doesn't use TLS. Therefore, when someone says "encrypted", it's a good bet they mean E2E.

Telegram non-E2E is more than just TLS, though.

What more do they do? I'm not aware.

It is documented here: https://core.telegram.org/mtproto

These layers are used in addition to any encryption done on the transport layer.

Fair enough, but they have the keys for that layer, I don’t see how that’s an improvement over TLS.

Exactly. WhatsApp still wins by having the message encrypted

Depends on what you prefer. WhatsApp shares your messaging metadata with Facebook. WhatsApp also exposes your phone number to everyone else (for example, in groups). Telegram does not expose your phone number to others by default, and you can even make sure that phone number enumeration attacks can't be carried out (like the authorities did in Hong Kong last year).

Does it still want to upload unencrypted backups into Google cloud?

Remember the old Zawinski's Law? "Every program attempts to expand until it can read mail. Those programs which cannot so expand are replaced by ones which can."

In 2020, r/mail/chat/g

Telegram is such a great messenger to integrate with. It is basically just "import telegram" and you're almost done. I built the Telegram integration for Histre in just a weekend: https://histre.com/blog/take-notes-with-telegram/ This lets you take notes on Telegram either directly or via share intent, so that you can save links etc from your phone without installing another app. I think I also watched a movie and went for a hike that weekend, so it's not like it was an intense weekend of furious typing.

I wish other messengers made it as easy. I'd love to integrate with Signal, and probably will do so soon, as a good number of my users are on Signal. But the number of steps listed just makes it easy to put it off for later.

If you haven't integrated Telegram with your app yet, I'd suggest you look into it. You'd be surprised how easy it is.

I think the sane and simple API approach is going to make Telegram eat all other messengers. But I'm a programmer, so maybe I just want that to be true ;)

The problem with disposable mail is that it gets blocked quite often. For example, I have a list with more than 3000 domains of disposable mail servers and you can’t register or comment with such a mail on saashub.com or libhunt.com

I run a service called Kopi that does this (plus email2rss functionality).

You can bring your own domain, so broad block-list based blocking like that doesn't work. Plus, you're not locked in to the service. It's your domain - when you want to use something other than Kopi - you just change your MX record.


Is this list public?

I would like to take a look at it.

Not OP.

You can use something like this. https://github.com/FGRibreau/mailchecker

I will try to work on this part as well.

Good work.

I was thinking about building a tool with opposite functionality - Getting chat messages delivered on email.

Reason - To switch to a full-Linux based phone, as clients for those platforms aren't available. I rarely use chat messages, so intuitiveness is not the concern. But when I do get a message, I would like it to be delivered via an encrypted email service.

Little thought went into this - Parsing messages from the web app of the respective chat apps on an SBC.

Would you like to collaborate on this? I would be happy to work with you on that.

I appreciate the offer, I'll help in the way I can; but my coding time is very limited due to health conditions.

email: abishek.muthian[]protonmail[]

Why doesn't AWS SES allow generating receiving addresses without giving a domain, like `<uuid>@inbound.ses.amazonaws.com` or something - there wouldn't be a reputational risk if it was incoming only right? That would be awesome.

(The more common use case might be 'contact us' forms, for example, where you want to accept something as an email, but the address isn't user-facing so doesn't need a domain.)

First, this bot doesn't work. I was using this https://etlgr.io for disposable emails and it worked no stress.

My Outlook app kept getting closed by Android and I kept missing emails. So I created a disposable etlgr email to get bank notifications. Created a rule in Outlook.com to send balance notifications anytime money enters or leaves my account.

Also a few times when discussing with clients, sent the email title to the bot.

A few months back, there was one "a page a day" book reading service that came on Hacker News. Created an email just for it.

Another to receive manga notifications.

Etlgr recently became a subscription service and that was the end.


RSS feed reader for sites. Also created a private channel for my friends that posts 100% free udemy courses. It's been completely hands off for over a year now.

Why Telegram Rocks

My Telegram account is accessible from 4 different devices - two phones and two laptops (6 client apps).

Could switch off the phone with the number registered to Telegram and I'll still be able to chat. With WhatsApp this is impossible.

I could lose my SIM card, both phones and one laptop. But if I still have access to one client, I can log in on fresh devices.

This is because once you're registered, Telegram sends the OTP to the installed clients instead of SMS.

One awesome thing they do is that after a successful logon on a new device, the notification is broadcast to all logged-in client apps. Deleting the notification on one device will not remove it on others.

Making it harder for account takeovers to happen stealthily.

Also newly logged in clients cannot terminate older sessions.


The ability to edit already sent text in Telegram is awesome. Make a mistake? Correct it.

Telegram does not leave a "deleted" stamp when you delete a message unlike WhatsApp.

In Telegram you can delete everything in your chats from the other person's device.

WhatsApp allows you to delete your chats from the other person's phone. Telegram tops that by allowing you to delete the other person's words from their own phone!

Without this, quoted chats will have empty placeholders alerting the other party.


Up to 1.5GB per file

Telegram Rocks.

Oh, this is exactly the same service that I tried to build. Does this enforce privacy? They have some pricey model, so it seems like they would definitely be keeping some ads out there in the free version. But yeah, thanks for letting me know, I will check this out.

Cool idea for a bot. Suggestion: the UI could use more polish. You can use a conversational UI instead of `/create <email>`, `/delete <email>`. Also, it would be nice to have a command that generates a random user ID instead of having to type something in.

I will definitely take this into account sir :)

What’s the point of implementing this as a telegram bot rather than a website? I guess it’s a USP, considering there are hundreds of disposable email websites out there, but I don’t see how it enhances the user experience.

In my case it's convenience. I have Telegram open most of the day and occasionally I use bots for small tasks that could be done elsewhere, but bots offer a more streamlined experience.

I get the concept, but I don't see how it applies to this use case. Both web/bot has the same workflow.

web: open browser -> find website in bookmarks -> copy email -> do whatever you need to do with it -> switch back to the website to check for emails

bot: open telegram -> find bot in chat history -> tell it to generate a new address -> copy it -> do whatever you need to do with it -> switch back to the app to check for emails

The only case I could think of a bot being useful is for semi-permanent email. ie. using the same email address for weeks/months, rather than one time only.

I'm guessing it's just lesser friction for whoever uses Telegram. It's similar to how companies keep pushing apps instead of promoting websites (they do have other ulterior motives for that too).

I'm not sure how this works, I installed the bot, sent /start

No reply yet.

The bot is simply down. I would say 90% of all bots are down all the time and most of them completely go offline within the first 3 months.

There are a lot of reasons for that, like:

- no revenue
- made by beginners with no scalability in mind, so it simply can't handle the traffic if a bot gets popular
- loss of interest in developing if it doesn't "blow up" soon
- every good idea is instantly copied; especially if the code is public there will be clones all over the place
- no official way to promote your bot. Most large groups will directly ban you if you tell them about the bot you made. Some even have bots to auto-ban if you name another bot. Everything is considered advertising/spam; very toxic behavior in a lot of groups.

As with everything free on the internet, there are the 0.1% who create and all others consume and give back nothing.

Source: I'm on Telegram since nearly day one. I run roughly a dozen completely free to use bots since many years. Some of them with thousands of daily users.

I will definitely try to keep this up and running for the longer term. Also I have not planned to make this monetary and keep it free from advertisement. I know initially things are slow, but I have jumped into the game with long commitment. Also the source code is completely written by me and the motivation was to learn Spring Boot. I have not copied it :) And thanks for taking some time to review it. I really appreciate that.

That's great! If you have any trouble or questions about Telegram bots/the bot API I suggest you join https://t.me/BotDevelopment

Handshake failure is happening with certificates. I will look into the issue tomorrow, and we should be good :) Thanks for trying.


How does this bot differ from this existing one?

Thanks! There are other services like this out there, but they're all sketchy (the one I tried spams you with ads).

I don't have such intentions; the main reason to make this open source was this only. Even I hate ads, and I know everyone does. Currently the bot is down; I will definitely work on this to get this fixed tomorrow. And once this is fixed the bot will be healthy.

For now, due to certificate issues with Telegram, the bot is not working. I will check the issues with the bot tomorrow and will try to resolve them. Till then, thanks for taking the time to review it :) I really appreciate everyone's effort.

Bot is up again :), the issue got finally resolved :)
