Mozilla's Firefox Relay to be added to disposable-email-domains blacklist (github.com/disposable-email-domains)
258 points by AmandaGreere 5 months ago | 285 comments



The reason disposable email addresses exist and are popular is because services have abused users' trust to not use these emails for shady ad revenue and marketing schemes.

It's further compounded by shoddy security that leads to leaks and exposure of people's personal email addresses to pwned compromised lists.

People don't want to give up their personal email addresses so that they can be spammed or hacked. Until services do better (ie don't sell me out for cheap) I'll keep using the latest disposable email address to sign up for your user-hostile websites.


Yup. Sign up for a trial of something and suddenly you're getting 3 emails a day.

---

"Ravenstine, kick your goals into overdrive now"

"Check this feature out!"

"We're the best, but don't take our word for it"

"Your account is waiting for you"

"This will be like money in your pocket"

"Don't miss out on our webinar"

"The gift that keeps on giving"

"It's been a while..."

"So this is goodbye, Ravenstine?"

---

F--- YOU! F--- YOU F--- YOU F--- YOU F--- YOU!!!


I've just started marking these as spam. Not worth my time to go through their unsubscribe flow so they can try to trick me into not actually unsubscribing


I think that's completely appropriate. Any unwanted email is spam.

I hate to admit this, but we send a lot of email like this at work, and I always get tickets like "all of our email is being marked as spam, can you fix DNS?" Usually it is a DNS issue (people add email senders without setting up Spam Permitted From and DKIM), but nobody will address the elephant in the room that maybe users don't want to read our marketing newsletters. They likely get 100 of the same things from 100 other vendors, and at some point, enough is enough.

(Dunno if this is a public Gmail feature or one that I'm allowlisted into from working at Google in the past, but I have a "tabbed inbox" and everything like this goes in "Promotions". I look in there from time to time and see thousands of messages a day of this type. Everyone sends these and Gmail knows that nobody wants to read them. It's unfortunate, but true.)


Ha! At a previous company the marketing people swore that our mail setup was misconfigured because very often people from the marketing team would get their Gmail work account blocked for spam.

They were linking their accounts to use some spammy marketing software to mass send "campaigns".

Marketing should be forbidden.


> Dunno if this is a public Gmail feature or one that I'm allowlisted into from working at Google in the past, but I have a "tabbed inbox" and everything like this goes in "Promotions"

It's apparently a public feature, since I remember being annoyed by the tabs and disabling them in Gmail preferences.


Worse, they purposely come from the same email address. So if you want meetup alerts for upcoming meetings, too bad, because now you will get all these marketing materials from the same email, which is now subscribed to various promotional lists. I already told google to put that email straight into my inbox and now I get all that junk too. This is 100% intentional because most people aren't going to click unsub per domain or start writing rules analyzing the ever changing subject line.

You can tell which companies have especially corrupt and greedy corporate cultures by how they treat your email address. Whenever I find myself witnessing behaviors like this I do my best to move off the platform and bad mouth them whenever I can.


Ah, automatic drip emails. I don't know anybody who likes these things but a lot of marketing people insist that they are a necessity.


Well they sure are a necessity for their career. It's like expecting a snake-oil salesman to admit that they're scamming you.


They probably used to work. The HN beauty pageant 5th place winner+ used to write positively about them a decade or so back, and I'm pretty sure he knew how well it worked from a very well measured and proven experience:

https://www.kalzumeus.com/2012/05/31/can-i-get-your-email/

+ anybody else miss reading about the Rust Evangelism Task Force?


Or even if you didn't sign up... I get constant emails from sales people that must have farmed my LinkedIn or something, even though I have it pretty strictly protected. Often even having scheduled a call with me without my consent. Usually for solutions I have absolutely nothing to do with if they'd actually taken the time to look at my profile.

Of course I mark them as spam and blacklist them. I often see followups months later in my trash box. It makes me feel good at least having wasted some of their time.


I buy corporate contacts from farms and I think they get a lot of them from apps that force you to upload all your contacts as the price to use them. Your personal contact information is probably in dozens of your friends' and colleagues' phones.


Interesting... It could be but I kinda doubt it. I'm actually very careful with my data. The only such app I use is WhatsApp. I'm very hesitant to install most apps and all the ones I use the most are from F-Droid (open source). The apps that do spying/telemetry etc. I all use inside a work profile where they can't access my contacts or pictures and I run a tracking blocker inside that work profile. This makes WhatsApp awkward to use, but these days I just use a Matrix bridge anyway so I can override the WhatsApp label.

On LinkedIn I blocked my last name to non-contacts (everyone else it just shows my initial) because our work has a simple email address naming scheme (first.last@company.com). But still I get an absolute ton of them. Literally several per day. It's so annoying, though most of them are not as persistent as I mentioned in my post above.

All of them seem to be from the US by the way, and always trying to propose meetings during US timezones so they seem unaware that I'm in Europe. I'm kinda suspecting a data leak in the past or something.


Just to be clear (and you might have read it this way) - I meant that people you know, who have you in their contacts, have installed apps on their phones which pulled in all their contacts and that meant the app got your contact info from them. I'm 99% certain that's where the sites I buy my data get theirs. One of the sites won't even let me log in without giving up all my contacts, but I have a $15 phone on Boost with zero contacts on it to use in these kind of scummy scenarios.


Ahhh now I get you. Yes that is indeed very likely. I tend to focus too much on keeping my own yard safe and forget I'm walking through everyone else's too.


It’s also a privacy concern. A single email address ties your identity across platforms, which may be convenient, but could potentially be abused.


It's not just a potential concern: this is how a variety of ad services are starting to track users across sites (typically via a hashed email address, but given the ubiquity of email/password dumps, de-anonymising is relatively practical).


Starting? This has happened for ages.

Ad companies' customers willingly share the email addresses in hashed form so the ad companies can correlate this against their own lists (by doing the same hashing and checking for a match).

The same happens with phone numbers as well.
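The hashed-list matching described in the comment above, as an added illustration that is not part of the original thread. The addresses and parties are constructed sample data; the normalisation (trim, lowercase) and unkeyed SHA-256 are assumptions about typical match-list tooling, and the per-site alias domain is a placeholder, not Relay's real domain:

```python
import hashlib

# Constructed sample data; none of these addresses or parties are real.
ADVERTISER_A_CUSTOMERS = ["Alice@Example.com", "bob@example.net", "carol@example.org"]
AD_NETWORK_ACCOUNTS = ["alice@example.com", "dave@example.org", "bob@example.net"]


def normalize_email(addr: str) -> str:
    """Canonicalise like typical match-list tooling does (assumption): trim, lowercase.

    Both parties must normalise identically, otherwise 'Alice@' and 'alice@'
    hash differently and never match.
    """
    return addr.strip().lower()


def hash_email(addr: str) -> str:
    """Deterministic, unkeyed SHA-256 of the normalised address.

    Identical input gives identical output on every party's side, which is
    exactly what makes cross-site correlation work.
    """
    return hashlib.sha256(normalize_email(addr).encode("utf-8")).hexdigest()


def build_match_list(addresses) -> set:
    """Advertiser side: what gets shared is a set of hashes, not addresses."""
    return {hash_email(a) for a in addresses}


def correlate(uploaded_hashes: set, own_accounts) -> set:
    """Ad-network side: hash its own users the same way and intersect.

    Returns the normalised addresses of the ad network's users who also
    appear in the advertiser's list.
    """
    return {normalize_email(a) for a in own_accounts if hash_email(a) in uploaded_hashes}


def reidentify(hashes: set, known_plaintexts) -> dict:
    """Why the hash is not anonymisation.

    Anyone who already holds plaintext addresses (the ad network's own users,
    or a leaked address list) can hash them and rebuild the mapping.
    """
    lookup = {hash_email(a): normalize_email(a) for a in known_plaintexts}
    return {h: lookup[h] for h in hashes if h in lookup}


if __name__ == "__main__":
    shared = build_match_list(ADVERTISER_A_CUSTOMERS)
    print("matched across parties:", sorted(correlate(shared, AD_NETWORK_ACCOUNTS)))
    # A per-site alias (placeholder domain) gives each party a different
    # address for the same person, so the hashes no longer intersect.
    alias_only = build_match_list(["alice.shop@relay.example"])
    print("matched with per-site alias:", sorted(correlate(alias_only, AD_NETWORK_ACCOUNTS)))
```

The second run shows the mitigation the thread is about: a distinct alias per service produces a distinct hash per service, so the lists never intersect even though the same person is behind both.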


I recently found a burner phone number relay service for this reason. Anyone that wants your personal info is almost always user hostile.


Could you please share the name of this service? I’ve been looking for something similar.


I almost built my own with Twilio but decided to search first and was surprised to find a service called Burner App.

Seems to do the job and fairly priced given what I know about what it costs to acquire a phone number via Twilio.

The downside is a limited set of numbers vs. iCloud+ creating a brand new email every time I register on a website.

https://www.burnerapp.com/


I used one in the past actually called burner (burnerapp.com). Did not work every time though.


Silent[.]link offers US based eSims, with a real number for inbound texts and data plan. I haven’t tried it directly but initial reviews seemed promising.


https://jmp.chat looks nice


The reason disposable emails exist, and that countermeasures exist, is because it's a power struggle, plain and simple. People like to have control over a situation, from either side, and also abuse their power from both sides.


There may be a power struggle between marketers and some bad actors, but most users are not bad actors and simply don't want to be spammed.


I’m the founder of a small bootstrapped SaaS and people use disposable email addresses all the time to avoid paying for our product. We don’t sell any data.


> people use disposable email addresses all the time to avoid paying for our product.

From the prospective subscriber’s perspective, that’s your problem to worry about — not theirs.

> We don’t sell any data.

How should users know that? It’s also not just a matter of selling data — almost all companies will spam your email address, even if you check the box asking them not to.


> From the prospective subscriber’s perspective, that’s your problem to worry about — not theirs.

exactly...which is why there are blacklists like the one linked in the OP.


… which makes it the prospective subscriber’s problem, pushing nearly all risk onto them, and requiring them to trust that the service won’t spam them or sell their e-mail address.


What alternative do you suggest?


Depends hugely on the SaaS and its current and desired customer base.

But some obvious candidates are

1) discontinue free trials.

2) provide enough obvious value to convert the current funnel of free trials into paying customers at a high enough rate that you don't care about the "freeloaders"

3) radically differentiate the support available on free trial accounts.

In the long run, any dev effort/time spent integrating email domain blacklists is just time taken away from building features that add value to the service/company. It's only possible that spending that time adding features will turn the conversion rate up, but it's guaranteed that fencing off the top of the funnel will reduce the number of conversions.


A comparison of the dev time to check a value in an array and modify your entire business model is absurd.

Mitigation against abusers of a service is a valid strategy.


Emails don’t guarantee unique users. I’ve seen free tier signups that require a valid credit card or sms verification codes. It depends on the value of the free offering on whether or not putting signup barriers in place is worth it.


How do you know people use those emails to bypass payment?


I guess:

- multiple sign ups using different emails and similar name

- same ip address

- same data

etc.

Don't underestimate greed or laziness.


I have no idea how they know that. Perhaps they found a reddit or Twitter thread describing how to abuse their platform with anonymous email addresses.


Businesses that don't accept my email address don't get my business.


That's great, but there are very few businesses of 1.


> almost all companies will spam your email address, even if you check the box asking them not to.

I find this very hard to believe. "Spam" has a specific definition; the most important bit of which is that it is unsolicited. Mails landing in your inbox that you'd rather not get, but which are not unsolicited (say, by you signing up for an account and confirming your address), are not spam by definition.

"Almost all companies" would find themselves unable to send email in short order if what they were delivering was spam.

Definitions are important. Let's not misuse them.


Most email I get from services is unsolicited. While I did sign up for the services I did not solicit every newsletter, marketing email, "notification" and so on.

For 98 percent of services I use I mainly want my email for one thing: a way to reset my password.

Often I need to unsubscribe from each of them individually and then navigate some sort of "notification preferences" interface. Even after that has been done a lot of them seem to default any new newsletter or preference to on instead of deriving the preference from the closest existing option.


Yes you did. When you open a relationship with a company (by signing up to use their services), they are allowed to market to you, send you newsletters, and so forth, until such time as you terminate that relationship.

It isn't spam because you don't want it. If you actually don't want it, then click 'unsubscribe' - and if they continue to bother you afterwards (which, FWIW, I've seen a reputable company do a grand total of once in years), then and only then, is it spam.


Your definition of spam is different than most people's. Yours is closer to the legal definition in the can-spam act, and other laws/regulations. But popular usage of the word doesn't _have_ to conform to your narrower definition.

That conflicting definition is why the people receiving your email marketing get so mad at you. They would rather have not given you their email at all, but they have to, and they don't want emails from you, but they get them anyway. They don't click your link to unsubscribe because they don't think it would work, and probably just make things worse. So they mark your email as spam, send it to their junk folder, and the returns on your email continue declining, and eventually the mail services start blacklisting you.


> It isn't spam because you don't want it.

It isn’t not spam because you want to send it.

You’re departing substantially from both the historical and commonly understood, contemporary definition of spam.


I see little historical precedent or common understanding for the HN definition of 'email I'd rather not have in my inbox' equating to 'spam'.


> I see little historical precedent or common understanding for the HN definition of 'email I'd rather not have in my inbox' equating to 'spam'.

Man, oh, man, you're funny. Even more so as it is apparently unintentional and you're being totally serious.

To the rest of the world, i.e. everyone who isn't a spammer, 'email I'd rather not have in my inbox' is and has always been the exact definition of 'spam'.

HTH!


This is the subject line of an email in my inbox right now. Sure you could say the sender allows me to opt out but I shouldn't have to opt out. This isn't legally spam but I want to know what you would call this unsolicited, non-transactional commercial email.

» Your Prime Membership: {{first name}} {{last name}}, discover the latest in deals and entertainment included with Prime


> I want to know what you would call this unsolicited, non-transactional commercial email.

Commercial email, differentiated from spam in that you have a commercial relationship with Amazon that you initiated and agreed to (i.e. solicited), and as such, they are allowed to market to you until such time as you ask them to stop.

I can see my opinion on this matter isn't a common one on HN.


> I can see my opinion on this matter isn't a common one on HN.

Your opinion isn’t common among anyone other than marketers trying to justify sending spam.


...And people who spend a lot of time fighting actual spam, as in, actual unsolicited junk email, who have to deal with false positives from uninformed users who think the 'report spam' button is the appropriate response to them getting an Amazon email they don't like.

I'm disappointed to see that attitude here.


In practice, there is little difference between "junk email" which I assume you mean scams/phishing/pills/viagra/etc adverts and that Amazon email. Both take space in your inbox, may send you a notification and require time and brain power to deal with. Whether the latter example may comply with some jurisdiction's definition of "spam" is irrelevant.

The "mark as spam" button gives users the ability to keep their inbox clean and you shouldn't be faulting them for using it.

Not to mention, even if we agree for a minute that the report spam button should only be used for emails that conform to the legal definition of spam, which law should we be following? The US' definition of spam is much more liberal than the EU GDPR's one for example.


> actual spam, as in, actual unsolicited junk email

solicit, v 1. To ask from with earnestness

unsolicited, adj 1. not asked for

Your justifications hinge entirely on a very unusual and rather tortured definition of “solicit”.


I'm disappointed to see spamming apologia here.

Did I sign up for a mailing list?

Yes - not spam

No - spam.

Creating an account with a company is not signing up for mailing lists unless there's a choice presented. Yeah, you can hide consent in the ToS that nobody reads, but that's not asking for permission.


It is the exact correct button for that kind of shit, and it sounds like you need to reevaluate what it is you're trying to optimize for.


> false positives

It's not a false positive. The filter needs to be tuned to what your users think is spam, that is what spam filters are for. You are not the gatekeeper of what other people are allowed to think is spam.


Ok, let's use "spam email" for what you consider spam and add a new category for unsolicited trash from known senders, e.g. "trash email".


> you have a commercial relationship with Amazon that you initiated and agreed to (i.e. solicited), and as such, they are allowed to market to you

That's not what that word means. I didn't solicit marketing emails; the only emails I asked for were the bare minimum to open an account and anything needed for orders that I initiated.


You do know, another name for spam is unsolicited commercial email (UCE), right? That is exactly what that crap is, since a) the person didn't want it (unsolicited), b) it's relating to commerce, and c) it's an email.


Any email I didn’t request or expect as part of a transaction (shipping update email) is spam as far as I’m concerned. I’m not concerned with any other definition other than my own. I will report every unsolicited marketing email as spam to my email provider. If the company that sent it wants to dispute that is between them and the provider. I don’t care what happens after I report and block the address. I don’t care if it takes “up to ten business days” to remove me from the marketing email list. That’s not my problem, I told you now I unsubscribed now and as far as I’m concerned any email I receive after that is spam.

I’m just a lowly user. Reporting it as spam is the only recourse I have.

Thanks to years of abuse of my email address by marketers I am all out of fucks to give.


It's actually very dependent on the country and jurisdiction.

Some EU countries require that you offer a simple and effective option to opt out when gathering the contact details. Depending on the content, that can be required to be an opt-in toggle.

It's not enough to offer users a way to unsubscribe once you've already started spamming them, there should be a way to not have the first spammy newsletter/newsletter group.


I'm curious - I see on your profile that you're a DevOps engineer presumably using a lot of online services on a daily basis, so what approach do you use to deal with email that would justify your opinion here?

Do you just let it fill up your inbox and essentially make it unusable as it's saturated with marketing spam? Do you read every single incoming email (if so how do you find time and how do you justify spending that time for this instead of other, more productive/fulfilling endeavors)? Do you have some magical, bulletproof AI that can classify and hide these marketing emails with 100% accuracy? Do you outsource the management of your inbox to someone else and if so how do you justify paying for that?


> so what approach do you use to deal with email that would justify your opinion here?

When I get email I don't want from a company I have an account with, I scroll to the bottom and click 'unsubscribe'. I then don't get anymore of those kinds of emails.

What I absolutely do not do is throw a hissy fit and click 'report spam' (which not only fucks up my own Bayes classifiers and makes false positives more likely, but sends harmful false reports to antispam orgs).

Seems to work quite well. Certainly well enough that I can't comprehend the level of snark and vitriol received here.


So you're accepting that for every company you sign up for you should expect at least one spam that requires time & attention to deal with (some may require login, etc)? Fair enough but I disagree that this is something we should all be accepting just for the benefit of a minority that happens to work in marketing.

> of those kinds of emails [emphasis mine]

Also keep in mind that scummy companies have caught on to that and now have dozens of different categories of marketing emails and unsubscribing merely unsubscribes you from one of them.


What I "accept" is that getting an email I'd rather not have gotten is not a day-ruining event worth rudely snarking at strangers on the internet for, and the level of entitled rage and piling on generated in response to a calmly stated ask (let's save 'spam' for things that actually meet an objective, commonly-accepted standard used by most groups that actually try to stop it) is ridiculous.


In a way you're perfectly correct: You're only wrong in the tiny detail that you think it's your narrowly legalistic definition that is the objective, commonly-accepted standard one. It isn't. (BTW, how did the fact that nobody else here accepts it not tip you off that it's not commonly-accepted?)

But, sure, say we go with your wishes and, as someone else suggested, call your spam something else than "spam" -- let's go with their suggestion and call it "trash email". Then the category -- or, now, categories -- of stuff that we want to get rid of from our inboxes become, instead of just "spam", the more cumbersome "spam and trash email".

I'm sure you see the problem that immediately rears its ugly head: Language is lazy. "Spam and trash email" will in daily speech, inevitably, shortly become... "Spam". You may try to resist that, and as a longtime linguistic prescriptivist I extend you my sympathies... (But, psst, spoiler alert: This quixotic struggle is doomed to fail.)

But, anyway, you are of course perfectly free to keep campaigning for your cause. Only, in the name of all that is decent, be honest about it and call it for what it is: You're not defending spam, "only" trash.

Maybe after a while you'll realise why the rest of the world sees no difference in your distinction.


> let's save 'spam' for things that actually meet an objective, commonly-accepted standard used by most groups that actually try to stop it

Your definition is based on what’s legal under the “established business relationship” exemption in the CAN-SPAM act, not any “commonly-accepted objective standard” of what spam is.


Spam fighting existed long before a 2003 US law. RBLs came into being in 1997, Spamhaus in 1998. You'll note precisely none of these organizations (in any country) blacklisting Amazon, or any other company, because they send marketing emails to their existing customers.


> Spam fighting existed long before a 2003 US law.

So then it wasn't originally defined as per your preferred legal wording, now was it?

> RBLs came into being in 1997, Spamhaus in 1998.

And did they coin the expression, or was the concept itself around long before that...? (A: AFAIK, at least a decade earlier.)

> You'll note precisely none of these organizations (in any country) blacklisting Amazon, or any other company, because they send marketing emails to their existing customers.

Ah. So it's not actually the legal definition that is important, but the corporate one. OK, gotcha, that is of course so much better. (Blindingly obvious: /s)

[Edit: Added missing quote marker > ]


I have had enough experience with unsubscribe on spam that I have to wonder what your figures are for "working well enough". They don't work enough for me. It is also a well-known assumption that using unsubscribe on a bit of spam only confirms that the sender has found a working address and those sell for more on the spammer's email address market.

I also don't understand why "marketers" want to put stuff in my email inbox or anything else I use to receive real communications that I just don't want.


If people dislike receiving that email so much that they report it as spam, it's spam.

Maybe if enough scummy companies have to mess about getting de-blacklisted, they might reevaluate whether their emails serve their customers, themselves, or, more likely, neither the company nor the customer but rather someone in between who is using some artificial metric (maybe "clients reached", "tracking pixels delivered", whatever) to angle for a pay rise.


Unsolicited email from people and businesses you don't know is spam - and deserves to be flagged as such.


If only all companies actually had an unsubscribe link in their emails…


Nope. In the UK and EU (and probably other places!) you can’t send someone email marketing unless they explicitly opt in (i.e. no pre-ticked boxes either) [1].

Also, it is precisely spam because I don’t want it, whether you have a right or even obligation to send it or not.

[1] https://ico.org.uk/for-organisations/guide-to-data-protectio...


Well, technically you can, because the government agencies doing the enforcement are systematically understaffed.


As a user, I don't at all care about the technical/legal definition of spam. As with obscenity, spam is a case of "I know it when I see it".


> Mails landing in your inbox that you'd rather not get, but which are not unsolicited (say, by you signing up for an account and confirming your address),

This itself is a redefinition of “spam” to exclude the types of spam businesses want to send.

There’s a two-part test I use to define “spam”, which I think is aligned with both the historic definition, and how most users perceive it:

1) An e-mail is a marketing e-mail if, on the balance, the e-mail primarily benefits the sender, not the recipient.

2) A marketing e-mail is spam if the user did not explicitly opt-in to receiving them.


Behold the dictionary definitions:

Merriam-webster (https://www.merriam-webster.com/dictionary/spam)

"e-mail that is not wanted"

Oxford (via google https://www.google.com/search?client=safari&rls=en&q=oxford+...)

"irrelevant or inappropriate messages sent on the internet to a large number of recipients."

Neither is your absurd definition.

And to be clear, entering a business agreement for a product or service you sell, is not me soliciting anything other than that product. Marketing emails, "product updates", etc are not the product or service I am paying for.


> "Spam" has a specific definition;

The legal definition of spam arose as a distortion of the preexisting concept lobbied for by spammers to allow as much spam as politically possible while allowing politicians to be seen as “doing something” about the spam problem.


> We don’t sell any data.

Not only do I have zero reason to trust you when you say that (because every person planning on selling my data says the same thing).

But I also have zero reason to trust you're skilled or resourced enough to adequately secure my data (or have sufficient motivation to do so).

And I also know that one day you'll likely sell your SaaS, and will have no control over what the people you sell it to will do.

If you've got enough traction that people are willing to jump through minor disposable email address hoops to use your product for longer than the free trial, but not enough traction to convince them to pay for it, I reckon you'd be better off building more features that add value and reconsidering your free trial plan - instead of devoting any dev effort into rejecting disposable emails.


I signed up for a KVM hosting provider. They initially rejected my account because I used a "disposable" email address. Their experience is that use of disposable email addresses is highly correlated to use of their VM instances to send spam or carry out other hostile activities.

That explanation was acceptable to me; if it works for them. I might note that they only send me transactional email (statement of charges for the month) and no marketing.


And that's fair enough but this is just another thing that businesses have to chalk up to as a cost of business because users' privacy is more important than your dollars.

I have sympathy for businesses out to make a buck: they are the reason I get to put food on my table. But on the scale of balance between users' rights and business rights over the last twenty years, it's no contest: business rights reign triumphant.


Recently, I wanted to try a web service but they did not let me register with a disposable email address. Well, I guess I will not try the service then.


And how would you protect your service from users that just sign up with disposable emails for the 7 day trial over and over again?


I doubt that a meaningful number of users creates new accounts every 7 days just to avoid paying. Setting up a new account is usually enough work that it is not worth it. But if that is the case for your service, here are three things from the top of my head that might even work. If instead you just block disposable email addresses, I might as well look somewhere else.

* Reduce the trial period for users with a disposable email.

* Don't allow data import/export so that creating a new account is more work.

* Reduce cookie lifetime so that a login is needed more often.
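The first suggestion above (a shorter trial for disposable addresses instead of an outright block) as an added example; this is not code from the thread or from the disposable-email-domains project. The blocklist entries and the alias domain are constructed placeholders (a real deployment would load the project's list), and the trial lengths are assumptions:

```python
from typing import Optional

# Constructed placeholder blocklist; a real deployment loads the
# disposable-email-domains list discussed in the thread instead.
DISPOSABLE_DOMAINS = {"throwaway.example", "tempmail.example"}
# Forwarding/alias services treated more leniently. Placeholder name, not a real relay domain.
ALIAS_DOMAINS = {"relay.example"}

# Assumed policy values: full trial for ordinary addresses, shortened trial for aliases.
DEFAULT_TRIAL_DAYS = 7
ALIAS_TRIAL_DAYS = 2


def email_domain(addr: str) -> Optional[str]:
    """Return the normalised domain part of an address, or None if it is malformed.

    Deliberately strict: exactly one '@', non-empty local part and domain.
    Anything odd is rejected rather than guessed at.
    """
    addr = addr.strip().lower()
    if addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    domain = domain.rstrip(".")  # tolerate a trailing dot, e.g. 'example.com.'
    if not local or not domain:
        return None
    return domain


def domain_matches(domain: str, blocklist: set) -> bool:
    """True if the domain or any parent domain is listed.

    'mail.throwaway.example' must hit an entry for 'throwaway.example',
    otherwise a subdomain trivially bypasses the list. The bare TLD is
    never checked, so 'example' alone cannot match.
    """
    labels = domain.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))


def signup_policy(addr: str) -> dict:
    """Decide what a signup with this address gets: rejected, a short trial, or the full trial."""
    domain = email_domain(addr)
    if domain is None:
        return {"allowed": False, "reason": "malformed", "trial_days": 0}
    if domain_matches(domain, DISPOSABLE_DOMAINS):
        return {"allowed": False, "reason": "disposable", "trial_days": 0}
    if domain_matches(domain, ALIAS_DOMAINS):
        # The thread's compromise: let alias users in, but with less to gain from re-registering.
        return {"allowed": True, "reason": "alias", "trial_days": ALIAS_TRIAL_DAYS}
    return {"allowed": True, "reason": "ok", "trial_days": DEFAULT_TRIAL_DAYS}


if __name__ == "__main__":
    for sample in ["user@example.com", "Someone@Relay.Example",
                   "x@mail.tempmail.example", "not-an-address"]:
        print(sample, "->", signup_policy(sample))
```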


Thanks, the first idea is a really good one for our use case. (the other ideas won't work unfortunately)

And yes, it is not a meaningful number of people that do so, but over time this is very ugly and frustrating (as it requires manual intervention) and you block the disposable email provider they used ...


> but over time this is very ugly and frustrating (as it requires manual intervention) and you block the disposable Email provider they used ...

This seems like an ego issue honestly. Like you feel like you are being taken advantage of. If only a very small number of users are doing this then I don't see it worth the dev time to block the email providers they use possibly hurting valid customers. Just leave it alone. I use Relay for services I genuinely pay for but don't want to give out my email address in case of leaks.


Your free trial is too generous.

Suggest using the Standard plan but with significant rate limiting. Like 5/day.

If they want to remove that, enter credit card details which you verify.

You can still have the trial expire and the credit card isn't ever charged; but you can track people on trials more easily.


> You can still have the trial expire and the credit card isn't ever charged; but you can track people on trials more easily.

I think that someone who doesn't want to give their real email address to try out a service is even less likely to trust an unknown service with their credit card number. There are just too many "free trials" that promise to not charge your credit card and then make you jump all sorts of hurdles (e.g., having to call) to cancel the free trial.


> I think that someone who doesn't want to give their real email address to try out a service is even less likely to trust an unknown service with their credit card number.

I think you'd be surprised. Credit cards are easier to dispose of than email addresses, and they offer greater protection with fraud and billing dispute processes. Some banks even offer virtual cards that let you set limits on duration or amount.


> I think that someone who doesn't want to give their real email address to try out a service is even less likely to trust an unknown service with their credit card number.

And that's OK. The problem as I understand it is that people are signing up with disposable email addresses, using the API key they receive for 7 days, and then signing up again. They are leeches, exploiting the generous free trial.

If they stop signing up, no problem. Other people who sign up with a disposable email address can test within the restrictions, and once they trust the service have a choice to enter card details or not. If they are planning to do business with the service, they're going to have to trust it with card details.


I mean, if it's not having a notable impact except emotionally, maybe it's better to just let it be?

Missing the forest for the trees and all


Probably. But if we hadn't been blocking certain disposable email providers for years, maybe this would already be dozens per month.


> just sign up with disposable Emails for the 7 day trial over and over again?

That's a lot of effort to go through to avoid paying for something. And I guess you can't keep your data or configuration, if the app has any.


That happens quite frequently to our SaaS where people need free access to a new API key. We try to block multiple registrations but there are people who also invest into proxies to circumvent this protection...


People who want to bypass those restrictions can easily do it. It is trivial to get a bunch of mail addresses to use, even without "disposable mail" providers. People who try to abuse the trial period over and over will do so. Blocking the disposable mail providers however also blocks users who are curious, but not yet committed.

I argue that the maths is negative for your business and a better approach is to make it easy to get started, but show them a clear benefit of switching plans. Maybe a cheap entry-level plan with a small set of convenience features, not available to the test account.


Just a few ideas: Make it useful to have a persistent identity, so you have something to lose if you abandon the account (like a library of games in Steam, or a network of friends on Facebook). Require a payment method and limit how many free trials can be activated with the same card. Require a phone number since they are harder to get than emails.


I really dislike services that require payment or telephone numbers for verification just to try out a service. And we are unsure if this increases friction for normal users.


If someone wants to use disposable email addresses out of fear of having the service sell or abuse their permanent email address, they will most likely also not be willing to reveal their phone number.


Make the service less useful in the free trial period — for instance a really low cap on API requests per hour/day, or limit the user to creating a very small number of records/items when they aren't paying.


If making a new email address is all it takes to get free stuff then your trial model is broken. If your service stores data, a time-limited trial with no export option is usually enough. If it's more or less stateless, then you need to limit other things as well. Would you be willing to share what the SAAS is? Outside of content providers (streaming, etc.) I've never really seen any reason to abuse trials.

Besides, the whole idea of a "disposable email blacklist" is ridiculous. Are you going to block Gmail? Gmail addresses take like 1 minute to make. If not, you've already lost the battle, so do us all a favor and stop this blacklist nonsense.


But why would having a "valid" email address help you more in getting payment?

At most you may send reminders, but even then, those may end up in a spambox?

Even once you've verified the email, you have not much of a guarantee it will stay verified/working long. That's more the subscriber's problem, if they want to continue to use your product.


It's easier to create many disposable email addresses than "real" email. To get a new "real" email address, you need to fill in a lengthy form (e.g., try it on Gmail.com now) and it's not easy to automate the process. But it takes only one click to create a new disposable email address. Some disposable email providers also provide APIs, so you can create addresses in batch.

People may exploit paid services by creating many new accounts -

1. Free trials: When the trial period ends, create a new account.

2. Services with metered billing: Use the service, then refuse to pay. Then create a new account. Then refuse to pay. Then create a new account...

Of course, (theoretically) if the service provider has enough resources (i.e., money, time, knowledge...), they can always find a better solution than banning all disposable emails.


> It's easier to create many disposable email addresses than "real" email.

The difference between real and disposable is manufactured. A novice could register a domain, sign up for email hosting, and set up a catch all for cheap.


Probably it is not the validity of an Email but the fact that you can use many disposable Emails and misuse the free tier / trial.


Out of curiosity, what does your service do and how do you know that these users would've paid for the service otherwise? As in with piracy, the argument is that it hurts sales but it's very difficult to determine whether that is really true.


I can't speak for the OP but free trial period abuse is very common.

"Would have paid for the service" vs "Are actively working to use the service without paying for it" are two different things.

I worked for a company that had some free tools on the web, with no published API. Those tools were scraped well above the T&C limitations to be mined by other companies.

We had a "free forever" account that you could use to monitor a single domain. Within the user table there were multiple instances of 20 to 300 (worst case) myaccount+<domain>@mycompanydomain.com trying to abuse the single domain rule without paying for it. In one case, the results were being packaged up to be shown in somebody else's product.

I'm certainly not advocating for spam or selling data (the company I mentioned didn't do this either), but abuse is the more common use case that web businesses deal with. To combat abuse, 90% of the battle is to identify where the abuse is coming from first.


If offering "free forever" causes problems, maybe that's too generous? What if it was only free for a couple of weeks - enough time to evaluate the service but not enough time to use it for commercial purposes?


> I’m the founder of a small bootstrapped SAAS and people use disposable email addresses all the time to avoid paying for our product.

So, make it worthwhile to pay for the product.


that's not really how it works. If you create something and unless you license it permissively that product is yours and you get to set the terms and conditions.

If it is now mainstream to basically feel you're entitled on setting the terms for other businesses or stealing their software then nobody needs to complain when any email relay service gets just blacklisted. If people now think it's okay to abuse multiple accounts to avoid paying for software that they use and that costs money to build then nobody needs to be surprised that everything gets an identity verification.


> that's not really how it works.

Yes, it really is how it works.

> If you create something and unless you license it permissively that product is yours and you get to set the terms and conditions.

And if you want people to pay for it, you have to offer enough marginal value over not paying for it so that they choose to do so. The concrete, social, and personal moral consequences of violating social norms can provide part of that value by weighing negatively on the “not” side, in the case there is an available but “not permitted” mechanism which gives the benefits without paying. But that doesn't change the basic fact that you have to provide adequate value if you want people to voluntarily pay.

> If people now think it's okay to abuse multiple accounts to avoid paying for software that they use

Then models where you give the full service for free for each account, with the limits actually applied that people are exploiting that way, probably aren't the right model for that SaaS.


> that's not really how it works. If you create something and unless you license it permissively that product is yours and you get to set the terms and conditions.

It's exactly how it works, if you want to succeed. If you don't offer value that enough people are willing to pay, you still own the product, but it's worthless.


Is it worth the hassle to have a free tier? Is it a good enough funnel to the paid tiers?


Once my data is in your server, there is no way for me to know what you are doing with my data. You could be selling it. How will I know?


Disposable email domains aren't the issue here. Creating a disposable @gmail account to avoid paying is possible too. Don't use emails to assert user identity. Most companies use credit cards for that. Or make it so that creating another account from scratch is more of a hassle than paying. Better yet, offer free tiers.


You can only create a small number of gmail accounts, since every account needs to be linked to a valid phone number. Google actively works to prevent using their platform in this way.


You can also pay $2.40 for a domain name for a year and have your own disposable email service.


You actually don't have to have a phone number to use Gmail. You can skip that step.


I don't think so. I have numerous old Google accounts with their passwords in my password manager. Not for gmail, but for Google Groups lists, Google+ and various other services that no longer exist. Whenever I log in (in an account container of course) I cannot continue without adding a phone number. Have not found a way to skip the step (well, have not tried for some months now, trying to avoid Google increasingly). None of the accounts has stored any data. I would understand that Google would block people from misusing them as free cloud storage.


Where could I get disposable phone numbers from at a reasonable cost? So that I can receive just the first SMS. These are not valuable accounts, I don't need password reset years later.


You can use protonmail.


How do they avoid payment? Do you have a trial period and people are signing up with different emails?


Why don't you ask for a credit card instead of relying on email?


As someone signing up for the service, it's far easier for me to deal with unwanted email after signup than recurring credit card charges. I don't sign up for anything that requires credit card for free trial.


People don't like giving their credit cards for free trials, mostly because of services that have abused this by automatically charging for a paid subscription if you don't cancel your free trial.


I would go further and say disposable online identities are getting more and more important.


And unfortunately, the reason disposable email address providers end up banned from sending to other addresses is because their users abuse them for shady cold contacts and marketing schemes.


One of the comments on the issue [1] says:

> My reasoning on including this is that an email with a mozmail domain is never going to be a primary email and is always going to forward to some other address.

This is laughable and sad at the same time. I have a few tens of email addresses that are used for different purposes and with different classes of sites and services. None of them are “primary” and I wouldn’t really give one address used for one purpose to a service that I classify under another. People also use aliases on email services, and those are also “forwarding” emails in a way. This point about forwarding is a poor distinction.

As other comments in the issue have stated, adding Firefox relay domains to this list is a user hostile move with no benefits. I’d love to see them try this with Apple’s email relays (used by Sign In with Apple if a user decides to hide their email address).

[1]: https://github.com/disposable-email-domains/disposable-email...


The difference with Apple's hide my address feature, is that it will only give you one per site. So even though it's an address generated specifically for that website, it's still your "primary" email for that domain.

If you signup for Netflix using the feature, you can't cancel your account and then signup with a new Apple email, it will only allow you to login with your original one.

This negates the primary reason for blacklists like in OP, in that users generate multiple disposable addresses, within the one domain, for their single identity, usually to circumvent account limits, user blocks etc.

This whole thread is going on about spam but most have misunderstood what "spam" the blocklist is trying to tackle. It's there to tackle people signing up with a disposable address, spamming or abusing the platform, getting blocked and then creating a new account to do the same thing again.


> If you signup for Netflix using the feature, you can't cancel your account and then signup with a new Apple email, it will only allow you to login with your original one.

You absolutely can. You can generate as many as you want, whenever you want


Ah, on further reading it looks like there are a couple parts to it.

I have only used the "Sign in with Apple" feature directly in apps, which only ever lets you create one for that app.

However, apparently with an iCloud+ subscription, you can generate arbitrary email addresses from within iCloud itself, and then use those wherever you like.

https://support.apple.com/en-au/HT210425


My primary address IS a forwarding service. One of those ones that exist to let you give the address out to anyone you want, and still be able to change your actual email service provider, without having to change your address -- because, hey, it's your primary one, right?


From a service provider's point of view [1], a big portion of "users" with disposable email domains have the intention to do bad things, e.g., spamming, aggressively scraping content... It's not easy to distinguish users-who-want-to-try-out-then-never-come-back from users-who-want-to-do-bad-things-to-your-service.

Typically, an online service provider may have empathy towards users with whatever emails, including disposable emails for privacy reasons. Then the online service becomes popular, and spam / scraping activities get out of control - the Internet is big and there are a lot of bad people / bots. They try different tactics to fight bad users / bots. Eventually, the service provider joins the dark side and bans the use of all disposable emails. It's not ideal. If you are Google or Amazon, maybe you can trivially allocate 20 full-time engineers to develop an elegant solution. For small businesses, you just use very limited resources and do whatever it takes to survive.

[1] I run listennotes.com


> From a service provider's point of view [1], a big portion of "users" with disposable email domains have intention to do bad things, e.g., spamming

From a service user’s point of view, a big portion of “services” that demand their real email address have intention to do bad things, e.g. spamming


Fine, you don't have to provide your real email and can use a forwarding service. I'm gonna need you to verify your non-VoIP phone number, submit a picture of your government-issued ID and a photo of yourself in a specific random pose as a liveness check, or register a valid credit card in order to activate your account.

Services use emails from well-known providers specifically because they're a "good enough" signal in terms of spam/bot avoidance. It's not like the need for those signals goes away, and "real emails" are one of the most privacy-preserving options because they're pseudonymous. The alternative is Real Name policies.


I really don't see how "determine unique legal identity" is such a requirement? What are you running, e-voting?

If that's really what you need, the relevant jurisdiction is likely to have some adopted e-identity system.

If not, go back and question how you can solve your issues with as little PII as strictly necessary.


We did, it's called non-disposable email. A non-unique pseudonymous identity that's somewhat difficult to mint in bulk.

If you don't like "accounts of well-known service providers" -- email or login-with-whoever then sources of identity that "everyone" has that are hard to get many of are government ids, phone numbers and credit cards.

Like what else is there? For super technical people we could do something like "proof of bitcoin address" where we verify control of a wallet with some minimum long-standing balance. We could make you submit a recording of yourself saying some random phrase and then do some facial recognition to detect duplicates. IP banning hasn't worked since the 90's.


I don't really get this. Where do you draw the line between disposable and non-disposable email? What prevents anyone from creating <random string>@gmail.com addresses?


You need a valid phone number to create a gmail account, and you can only have a few accounts attached to the same number. Google is "trusted" because they actively try to prevent spammers from joining their platform. Disposable email platforms don't, they let you create as many as you like.


At least a third of spam registrations on a platform I run come from Gmail addresses, with another third from yandex and yahoo. They also all went away after we implemented a nearly trivial captcha in the registration flow.

Seems to me that 1) Gmail accounts aren't that hard to farm 2) most spam comes from free webmail providers not disposable email and 3) a captcha will solve most of your problems and if it doesn't, it means your site is being specifically targeted by someone with cash to burn, so you can assume that they'll have emails that aren't on the blacklist. At that point, invest in detection and moderation.


>You need a valid phone number to create a gmail account

This is 100% not true. Yes, the main site will require it, but there are legacy "portals" that allow signup without a phone number. No, I won't link to said portal.


Ok my bad, gmail was not a good example. Let's go with an outlook account then. Just tried and it definitely doesn't need a phone number. And I wouldn't consider outlook a disposable platform.


Sometimes it's hard. We try to keep our little list useful but it can never be a full solution -- I hope it cannot ever be and people value their privacy enough to not give up the freedoms of internet and TCP/IP.

As for gmail -- one of the guidelines for the list addition is whether you need to go through some sort of a registration. If you do then it is usually not treated as disposable by us.


Nothing, but if you try to create 1000 of such emails you’ll get banned by Google.


A normal user wouldn't make anywhere near that many and to a bot developer, "banned by Google" doesn't present even the slightest of challenges. Source: I develop web scrapers for many sites that really don't want to be scraped, including Google/Abc properties.


The phone number requirement?


See my other comment. Gmail was bad example, outlook has no restrictions.


I find that the problems you mention are primarily a problem when you offer free accounts and monetize via some other (and typically malicious) way such as the usual "growth and engagement".

If accounts or services are paid, spamming becomes unprofitable (the ROI of spam would become negative as they'd need to keep paying for new accounts all the time).

Scraping? If you're selling content you should be selling content and not mode of consumption, and for misbehaving scrapers your DoS defense strategy (you have one, right?) would also work there - an easy solution is to rate-limit the amount of requests by account to a reasonable level (that a human user won't exceed) and then let them choose whether they want to consume the content manually or through scraping.


There are many legitimate services that offer free trials. Netflix, Spotify, etc.

Free trials are a common method to battle the barrier people have in spending money before understanding if a product or service fits their needs.


This seems perfectly fine. A list of disposable email domains should contain disposable email domains like Firefox Relay, iOS "Sign in with Apple", Fastmail's random e-mail generator and others. Weird that Apple's domains aren't on the list, though. Hell, Gmail and Outlook should be on the list as well, because creating email addresses there is so quick and easy they might as well be considered throwaway services.

I'm not sure what the point of that list would be other than to drive users away from your service, but hey, if you want to be a dick, you're perfectly allowed to do so.

Edit: as written here: https://github.com/disposable-email-domains/disposable-email... the list is not intended for websites where one needs to sign up for an account first, like free mail services. I suppose that means neither Firefox Relay, nor any other such service should be on the list.


> Gmail .. should be on the list as well, because creating email addresses there is so quick and easy

GMail does antispam. It's easy to create a disposable gmail, but it is much harder (I suppose) to use that address for outgoing spam/fraud/etc.


(I'm an engineer on Relay.) Relay has anti-abuse protections too, which is why it was removed from a similar list: https://github.com/wesbos/burner-email-providers/pull/339


Thanks for this info.


Thanks for adding it to the issue!


Fastmail uses @fastmail.com (the default domain) for randomly generated aliases. Good luck blocking the hundreds of thousands of fastmail users by trying to block the minority using masked addresses.


This project seems to work under the pretense of fighting the spammers. Maybe it actually does. But it also deprives people of their right to not be tracked constantly, to remain anonymous. A world with no crime is a world without individual freedoms. The way this is so casually and openly discussed here is slightly terrifying.


To work around our list while having a decent level of privacy just do not use a complete burner address. You can e.g. make a pseudonym address with an actual provider like gmail, fastmail, protonmail etc. Heck we even have an allowlist with some "shady" providers that balance on the edge included in the repo, just browse: https://github.com/disposable-email-domains/disposable-email...


In retrospect my comment was probably too harsh. Thanks for providing an escape hatch, but it's practically impossible to create an anonymous gmail account.


Not as impossible as you might think. This service was doing it for free in seconds when I tested it last summer: https://github.com/disposable-email-domains/disposable-email...


A world with no accountability is a world without individual safety.

One’s individual right to remain anonymous does not necessarily take precedence over the societal right to hold one accountable. The pendulum of that tension swung all the way to fully anonymous over the past decades, and we now have the most unsafe Internet that has ever existed.

It will, guaranteed, swing back from full anonymity, as already began with many things one could previously access anonymously (such as email verification only) online or in person: Cellular service (ID required), FedEx shipping (ID required), many Discord chats (verified phone number required to defend against sock puppet attacks), and LinkedIn name changes (birth certificate and photo ID required). Whether it swings back to "no right to pseudonyms" or instead comes to rest on lesser outcomes such as "identity protected by law" and "a warrant is required" is up to politicians to decide.

Politicians do not accept and consider anonymous letters, so adhering to the outgoing belief in perfect anonymity may severely constrict your ability to influence the outcome of the pendulum's backswing away from it. I hope that when you write your politicians about this issue, you are doing so in handwriting from your registered voter name and address, so that they are considering your input at all.


"Safety" is the capability to exert your individual freedoms freely. If, to ensure that safety, you suppressed the freedoms, then you've failed.

But we're not talking about fighting crime here, but companies tracking what people do and as far as I know there is no societal right for Discord and LinkedIn to track people.

If that pendulum ever swings back too far, and you're right, it likely will, I'll be sure to let "my politicians" know using regular old no-government-id-required email as I already did on occasion with no issue.


This is disappointing as I have really been enjoying using Firefox Relay to cut down on the email spam I receive. It looks like they are even planning on blacklisting the "custom" @personaldomain.mozmail.com domains that come with paid accounts.


This is genuinely concerning to me. The www and various systems, such as email, should be agnostic to whomever I am providing my details to. If I purchase a new SIM I expect a number where I can make outbound calls, receive inbound calls and use data without worrying about any "lists".

Email should work in a similar fashion but as we know it doesn't, and there are various systems in place such that it's a game of roulette whether your email reaches its intended target, and worst of all to me it's opaque: there's no way to know how likely it is, or the various processes that may prevent my email being received by the other party.

And for systems that are critical for communication we should not allow them to be put in any type of "allow"/"deny" boxes and no domain should be either trusted or untrusted, after all Gmail can be a huge source of spam, but it seems those who provide users control and privacy are considered an adversary which is really sad.


I wish Google would start offering disposable relay emails that were indistinguishable from their regular ones, since nobody could afford to block all of @gmail.com.


Fastmail offers disposable email addresses (Masked Email addresses) on its fastmail.com domain:

https://www.fastmail.help/hc/en-us/articles/4406536368911-Ma...

Fastmail does have undisclosed limits, however:

> If you're having trouble creating new Masked Email addresses, please note that we have limits on how many new Masked Email addresses can be created within a certain amount of time to prevent abuse.

It would be good to see other email services offer a similar feature.


Fastmail also allows you to use a custom domain for masked email addresses. You can switch from fastmail.com to one of your custom domains.


I have encountered services that block gmail and instead demand work emails.


This is obviously distinguishable but you can use the "+" aliases. For example, if you are bob@gmail.com, you can use bob+blah@gmail.com and use that to filter email.

The problem is that even though "+" is a perfectly valid character, a lot of services don't accept it.


> The problem is that even though "+" is a perfectly valid character, a lot of services don't accept it.

Did you know that the `.` character is also ignored? So you can actually devise a scheme where you put dots into your email address (unfortunately, it has to be your email address, not any additional suffixes), and bypass these checks and filters.

E.g., youremailaddress@gmail.com is the same as your.email.address@gmail.com

and for some extra fun, you can do both - add a unique set of dots to your email, and also add a `+` suffix, and if the service emails you without the `+` suffix, you know they deliberately filtered it out to spam you.

See https://gmail.googleblog.com/2008/03/2-hidden-ways-to-get-mo... for details on it
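Added example, not code from the thread or from any project it mentions, covering both the `myaccount+<domain>@` pattern an earlier comment described and the Gmail dot and `+` rules above: a canonicaliser a service can use to group sign-ups that all land in one mailbox, plus the user-side check for a sender that quietly stripped the `+` tag. The list of providers honouring `+` sub-addressing and the sample sign-ups are assumptions/constructed data.

```python
"""Canonicalise addresses so duplicate sign-ups via '+' tags and Gmail dots
can be spotted, and let a user detect when a sender stripped their tag.

Added example, not code from the thread or any project it mentions. Assumed:
the listed domains honour '+' sub-addressing, and Gmail also ignores dots.
"""

# Domains where Google ignores dots in the local part and treats
# googlemail.com as an alias of gmail.com.
GMAIL_DOMAINS = frozenset({"gmail.com", "googlemail.com"})

# Providers assumed here to honour '+' sub-addressing (dots are kept).
PLUS_ADDRESSING_DOMAINS = GMAIL_DOMAINS | {"outlook.com", "fastmail.com", "icloud.com"}


def split_address(address):
    """Return (local, domain) for a simple address, domain lower-cased."""
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"not a simple address: {address!r}")
    local, domain = address.split("@")
    if not local or not domain:
        raise ValueError(f"empty local part or domain: {address!r}")
    return local, domain.lower()


def canonical_address(address, plus_domains=frozenset()):
    """Fold an address to the form the provider actually delivers on.

    plus_domains: extra domains the caller knows honour '+' tags, e.g. its
    own company domain. The local part is lower-cased for all domains: RFC
    5321 allows case-sensitive local parts, but the providers here do not
    distinguish case, and folding is the conservative choice for a
    duplicate-account heuristic.
    """
    local, domain = split_address(address)
    if domain in PLUS_ADDRESSING_DOMAINS or domain in plus_domains:
        local = local.split("+", 1)[0]
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local.lower()}@{domain}"


# Constructed sample sign-up list, including the myaccount+<domain> pattern.
SAMPLE_SIGNUPS = [
    "alice@example.org",
    "Bob.Smith@gmail.com",
    "bobsmith+trial2@gmail.com",
    "b.o.b.smith@googlemail.com",
    "myaccount+siteone.com@mycompanydomain.com",
    "myaccount+sitetwo.com@mycompanydomain.com",
    "carol@fastmail.com",
    "not-an-address",
]


def find_duplicate_signups(addresses, plus_domains=frozenset()):
    """Map canonical address -> raw addresses, keeping only groups of 2+."""
    groups = {}
    for raw in addresses:
        try:
            key = canonical_address(raw, plus_domains)
        except ValueError:
            continue  # malformed input is skipped rather than grouped
        groups.setdefault(key, []).append(raw)
    return {key: raws for key, raws in groups.items() if len(raws) > 1}


def tag_was_stripped(registered, delivered_to):
    """True when 'registered' carried a '+' tag and mail arrived at the
    tag-less form of it: the sender rewrote the address it was given."""
    local, domain = split_address(registered)
    if "+" not in local:
        return False
    base = local.split("+", 1)[0]
    d_local, d_domain = split_address(delivered_to)
    return d_domain == domain and d_local.lower() == base.lower()


if __name__ == "__main__":
    dupes = find_duplicate_signups(SAMPLE_SIGNUPS, {"mycompanydomain.com"})
    for key, raws in dupes.items():
        print(key, "<-", raws)
    print(tag_was_stripped("your.email+shop@gmail.com", "your.email@gmail.com"))
```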


I've seen at least one site simply strip the +tag and spam my real email directly. Since Gmail is so popular, I'm sure the marketing piranhas had the stripping code written and deployed within half an hour of that feature being announced.


Google makes their money off "engagement" and has absolutely no incentive to help privacy-conscious users.


The real fallacy falls to companies that equate email with identity. They were never the same thing.

The discontent comes when companies rely on that as fact, and someone comes along and via masking or disposable or lots of other ways (even just signing up for a new email at yahoo or hotmail or proton or tutanota or..) , shows them it isn't true.


Interesting project. I was recently inundated with abusive account signups, and it seemed like the "fast path" for attackers was to register an outlook.com domain, and use that to create a Github account. I guess Microsoft does no validation on these signups. It was especially painful since legit users used outlook.com and Github, so I couldn't just block them. (Fastmail is in second place here, but had no legitimate use, unfortunately.)

For emails that I don't want an ongoing obligation to read... I used to have a custom alias for mailinator (nospam.jrock.us MX <them>). At some point I guess I got rid of it, perhaps because mailinator stopped offering that service. Unsurprisingly, nobody ever looks up the MX record to implement the denylist. Worked perfectly every time.


> perhaps because mailinator stopped offering that service

That is untrue. Mailinator definitely still supports pointing any domain to its MX records and will allow all incoming email (modulo DoS protection, abuse, etc). Such email will arrive in the respective Mailinator inbox (i.e. bob@yourdomain.com goes to the "bob" inbox)
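A defender-side check of the kind the two comments above describe, also covering the repo's allowlist and the `@personaldomain.mozmail.com` subdomains mentioned earlier: list lookup with parent-domain matching where the most specific entry wins, and an MX lookup that catches a custom domain whose mail is routed to a burner provider. Added example, not code from the disposable-email-domains project or from Mailinator; the list entries, MX hosts and domains are constructed samples, and the live resolver path assumes the dnspython package.

```python
"""Disposable-domain check: block/allow lists with parent-domain matching,
then an MX lookup for domains the lists do not know.

Added example; not the disposable-email-domains project's code. All list
entries, MX hosts and domains below are constructed samples.
"""

# Constructed sample lists. A more specific allowlist entry overrides a
# broader blocklist entry (the repo keeps an allowlist for that purpose).
BLOCKLIST = frozenset({"mozmail.com", "mailinator.com", "throwaway.example"})
ALLOWLIST = frozenset({"keep.mozmail.com"})  # hypothetical override entry

# Constructed: MX hosts assumed to belong to a burner provider.
DISPOSABLE_MX_HOSTS = frozenset({"mail.mailinator.com", "mail2.mailinator.com"})

# Constructed DNS answers, keyed by domain, standing in for a live resolver.
SAMPLE_MX = {
    "nospam.jrock.example": ["mail.mailinator.com."],
    "example.org": ["mx1.example.org.", "mx2.example.org."],
}


def parent_domains(domain):
    """Yield the domain, then each parent: a.b.c -> a.b.c, b.c, c."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def domain_of(address):
    """Domain part of a simple address, lower-cased."""
    if address.count("@") != 1:
        raise ValueError(f"not a simple address: {address!r}")
    return address.rsplit("@", 1)[1].lower()


def list_verdict(domain, blocklist=BLOCKLIST, allowlist=ALLOWLIST):
    """'allowed', 'blocked' or 'unknown' from list membership alone.

    Walking from the most specific name outward means x.mozmail.com is
    caught by a bare 'mozmail.com' entry, while keep.mozmail.com can still
    be allowlisted explicitly.
    """
    for candidate in parent_domains(domain):
        if candidate in allowlist:
            return "allowed"
        if candidate in blocklist:
            return "blocked"
    return "unknown"


def live_mx_lookup(domain):
    """MX exchange hosts via DNS. Imported lazily so the module still loads
    without the third-party 'dnspython' package installed."""
    import dns.resolver
    return [str(rdata.exchange) for rdata in dns.resolver.resolve(domain, "MX")]


def sample_mx_lookup(domain):
    """Offline stand-in for live_mx_lookup using the constructed answers."""
    return list(SAMPLE_MX.get(domain, []))


def is_disposable(address, resolve_mx=sample_mx_lookup):
    """Return (is_disposable, reason). Lists decide first; the MX check runs
    only for domains neither list knows. A failed lookup fails open, but
    the reason string says so, so callers can log or rate-limit instead."""
    domain = domain_of(address)
    verdict = list_verdict(domain)
    if verdict != "unknown":
        return verdict == "blocked", f"list:{verdict}"
    try:
        hosts = {h.lower().rstrip(".") for h in resolve_mx(domain)}
    except Exception as exc:  # NXDOMAIN, timeout, resolver not installed...
        return False, f"mx-lookup-failed:{type(exc).__name__}"
    hits = hosts & DISPOSABLE_MX_HOSTS
    if hits:
        return True, "mx:" + ",".join(sorted(hits))
    return False, "mx:clean"


if __name__ == "__main__":
    for addr in ("bob@personaldomain.mozmail.com", "bob@keep.mozmail.com",
                 "bob@nospam.jrock.example", "bob@example.org"):
        print(addr, is_disposable(addr))
```

Pass `resolve_mx=live_mx_lookup` to run against real DNS; the default uses the constructed answers so the example runs offline.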


Is iCloud's "Hide My E-mail" on the list too?


No. Apple's "Hide My Email" uses the same `icloud.com` domain as the rest of their email addresses (unless you're using the "Sign-in with Apple" feature which uses `privaterelay.appleid.com`).

Blocking `privaterelay.appleid.com` would be kinda pointless since you'd be breaking your "Sign-in with Apple" feature, but if you don't support that feature you could block it (theoretically, one could create a login for SiteA and use the private-relay address for SiteB). Blocking `icloud.com` would mean blocking lots of legitimate email addresses along with the hidden ones.


Genuinely curious, does anyone actually use an "@icloud.com" address to sign up for anything? I was under the impression that iCloud emails were only used as a FQDN for internal Apple services, but it's been ages since I've had an iCloud account.


I registered several important accounts with @icloud.com email, because I was sure that I would never switch to Android besides the fact that the email looked cool (what a stupid reason in retrospect).

I deeply regret using the @icloud.com address for anything serious, because you would be unable to receive or send emails as soon as your iCloud storage subscription expires, provided that you use a larger quantity of data than is allowed in the free-tier iCloud. This is what actually happened to me a few weeks ago. I forgot to update my credit card number on the Apple account, thereby making it impossible to renew the iCloud storage subscription, resulting in the inbox full of emails "Your iCloud storage is full" -- these are what replaced the emails that had been sent to the @icloud.com address after the subscription expired. In addition, I did not receive these emails even after I renewed the subscription. To this day I do not know what these emails were about.


> Genuinely curious, does anyone actually use an "@icloud.com" address to sign up for anything?

Yep! One of my primary email accounts is an iCloud domain. It only gets used for services I know I'll be using for a long time, or that are particularly important.


It doesn't look like it is: https://github.com/disposable-email-domains/disposable-email...

Edit: icloud.com seems to be another domain used in Hide My Email but is also not present (although I guess this one is actually primarily used for permanent addresses): https://github.com/disposable-email-domains/disposable-email...


I think as long as it's just INCOMING email, what's the harm in it?


Isn't Firefox Relay the same, though — you can receive e-mails, but not send unsolicited mail?


You can reply, at least I can with my premium subscription.


People can use it to sign up for things like discord and then use that to spam. Though I guess even Gmail could be used for this


To spam who? How? Sybil attax ?


Of course not.


Why not, then?


A few reasons. The hide my email addresses use the same domain as regular icloud email addresses. Apple always gets what it wants. They don't want to be sued by Apple.


How can Apple sue them for adding their domain name to a blacklist?


I don't get this list. It just seems to be about being explicitly hostile towards users.

Any useful disposable email service will only allow *receiving* emails. As a user this protects me against possible bad actors that for some reason need me to give out my email to them.

Any service allowing *sending out* mail from their mailservers will quickly find their mailservers blocked - this is also list based. A common one being spamhaus.org. The way Firefox Relay solves this is by only allowing you to *reply* to mails you have received, and I assume they have some rate-limiting in place as well.

This is really just about making life harder, and forcing people into using an email address as their identity token, which seems all sorts of wrong.

Next someone will block mail services that allow + addressing or other kinds of alias systems?
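As an added example of what a list like this is actually used for on the receiving side (this is not code from the disposable-email-domains project, and the blocklist text below is constructed for the example): a signup-time check that extracts the domain of an address, matches it and every parent suffix against the list (so a listed `mailinator.com` also covers `foo.mailinator.com`), and leaves the local part, plus tags included, untouched. The policy of flagging a listed address as "limited" rather than rejecting it outright is an assumption of the example.

```python
# Added example, not the disposable-email-domains project's own code.
# Shows how a site would consult a one-domain-per-line blocklist at signup.
from __future__ import annotations

# Constructed sample blocklist in the project's one-domain-per-line format.
# mailinator.com is mentioned in the thread; the .example entries are made up.
SAMPLE_BLOCKLIST_TEXT = """\
mailinator.com
tempmail.example
relay.example
"""


def load_blocklist(text: str) -> frozenset[str]:
    """Parse one-domain-per-line text into a set of lowercase domains."""
    return frozenset(
        line.strip().lower().rstrip(".")
        for line in text.splitlines()
        if line.strip()
    )


SAMPLE_BLOCKLIST = load_blocklist(SAMPLE_BLOCKLIST_TEXT)


def address_domain(address: str) -> str | None:
    """Return the lowercase domain of an address, or None if it is malformed.

    Splitting on the last '@' keeps quoted local parts containing '@' intact.
    The local part (including any '+tag') is deliberately not inspected:
    the list is about domains, not about sub-addressing.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower().rstrip(".")


def matched_blocklist_entry(domain: str, blocklist: frozenset[str]) -> str | None:
    """Return the blocklist entry covering `domain`, exact or parent suffix.

    A bare TLD is never tried, so a list entry such as 'com' cannot exist
    by accident and block everything.
    """
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def classify_signup_address(address: str, blocklist: frozenset[str]) -> dict:
    """Policy decision for one signup address.

    decision is one of 'reject' (malformed), 'limited' (domain is on the
    list; assumption for the example: grant a restricted trial instead of
    refusing the signup) or 'allow'.
    """
    domain = address_domain(address)
    if domain is None:
        return {"domain": None, "matched": None,
                "decision": "reject", "reason": "malformed address"}
    hit = matched_blocklist_entry(domain, blocklist)
    if hit is not None:
        return {"domain": domain, "matched": hit,
                "decision": "limited",
                "reason": f"domain covered by blocklist entry {hit}"}
    return {"domain": domain, "matched": None,
            "decision": "allow", "reason": "domain not listed"}


if __name__ == "__main__":
    for addr in ("Alice@Mailinator.com", "bob@sub.mailinator.com",
                 "carol+news@example.org", "not-an-address"):
        print(addr, "->", classify_signup_address(addr, SAMPLE_BLOCKLIST))
```

The suffix walk matters because several relay services hand out addresses under subdomains; matching only the exact domain would miss them, while matching only the registrable domain would be wrong for providers like `icloud.com` where the same domain carries permanent mailboxes.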


> It just seems to be about being explicitly hostile towards users.

It is. The idea is to prevent users from being able to sign up anonymously, and try a service risk-free. It ensures that a user has something to lose by trying a service (aka, their real email address), in the hopes that said user would not abuse the free trial, and also to allow the service to send marketing reminders on paying.

I have made it my policy not to sign up to any service that requires an email address, if that service does not accept a disposable email address, nor will I pay for such a service.


I've started using my own domain to avoid giving out my "real" address everywhere. It doesn't always work, but it usually does.


I used to do that, but then considered I might be leaking out more inferred info by doing that.

Such as WHOIS info (if not cloaked), or an algorithm may assume I'm a business and charge me higher prices, etc. I used to get marketing spam from Dropbox saying that many of my coworkers enjoy using it and to upgrade -- but I was the only user on that domain name.


> WHOIS info (if not cloaked)

I wouldn’t consider this a legitimate concern. Whois privacy is common and often free for nearly all registrars (barring TLDs which disallow this)

> May assume I’m a business

I really doubt this happens frequently, at least far more infrequently than a business using your permanent email for spam. Besides, if the algorithm decides that any non-gmail/outlook/yahoo/etc mail is “business”, then they’re going to assume that about any disposable email.

Personally, I find the $4/year I spend on a domain name to be incredibly worth it and the downsides are far fewer than the upsides.


I did the same using proton mail and catch-all addresses. Every website I give a unique email address and it all goes into a special folder. If I start receiving spam from any address it gets blocked. This also gives me a pretty solid idea if a company is selling my info.


Your own domain pointing to your own service or other "standard" email service (as contrasted with say mailinator's custom domain feature) ? I have never had any problem using unique addresses at my own domain with anybody. It makes for funny interactions with customer service people though, because those addresses generally contain the name of the company I give it out to.

(Obviously anything at a domain I own is directly associable to me, and for many trashwalls I still prefer to use mailinator etc)


I do the same but my worry is that any kind of smart enough spammer or stalker can use the domain as a fingerprint.


It's been reported[1] that PayPal (and probably other services as well) use the entire domain name as a fingerprint, banning everyone connected if there is a serious issue. Since they're presumably more closely linked in a way than a Gmail/Protonmail/etc email domain shared by unrelated users.

[1] https://news.ycombinator.com/item?id=29940133


Why doesn't it always work? I'm also using my own domain, not sure why'd that ever 'not work'.


As an experiment, I once tried to see if online services accepted role-based emails (like admin@domain info@domain sales@domain contact@domain).

Surprisingly, the game Eve Online was super-strict in refusing these types of addresses. Most other services were fine though.


EVE Online has highly sophisticated user fingerprinting to prevent fraud and real money trading. So even if you got through with that email address it wouldn't be long before an issue was raised for your account.

With EVE, fraud comes in many ways and most would presume credit card fraud but because you can earn ISK in-game, which can be converted/sold for PLEX (their game-time subscription currency, worth real $) many items (Capital Ships, High Experience Characters, Corporations) are bought and sold for real money outside of the platform - which in some cases, is revenue that EVE would/could benefit from if PLEX was purchased from them directly and used legitimately instead.

So aside from basic things like blocking utility email addresses, they have sophisticated algorithms that monitor user accounts for unusual activity. The definition of unusual is constantly growing/changing and it is monitored and managed by a dedicated "security" team.

Source: Friend of friend works in that security team.


Because some people implementing email rules implement stupid rules. Biggest name that I remember that silently just didn't work with a private domain was aliexpress.


How about blacklisting Gmail? They're a major source of spam.


This is not outside of the realm of possible. Google does nothing to stop spammers, makes up their own non-public rules and doesn't communicate with the Internet community, so Gmail addresses are already on shaky grounds.

For instance, for starters, go search through all of your email for any email sent from Google servers where the "Reply to:" doesn't match the "Mail from:", and tell me if there are any legitimate instances. We could all benefit by starting to reject all Google sourced email with a different "Reply to:".

What we really need is a blocklist / allowlist system which tracks the millions of Gmail email addresses. Has it never been seen before? Reject it with a message telling them to go sign up for the allowlist. Has it been around for a while? Allow it.

Google can't be asked to keep their own spam in check. We have to force it on them.


> johnklos 8 minutes ago | parent | next [–]

This is not outside of the realm of possible. Google does nothing to stop spammers, makes up their own non-public rules and doesn't communicate with the Internet community, so Gmail addresses are already on shaky grounds. For instance, for starters, go search through all of your email for any email sent from Google servers where the "Reply to:" doesn't match the "Mail from:", and tell me if there are any legitimate instances.

Why is this scenario a red flag in all instances? Mailing lists, including Google Groups, may have settings that set the Reply To to be different from the Mail From.


> For instance, for starters, go search through all of your email for any email sent from Google servers where the "Reply to:" doesn't match the "Mail from:", and tell me if there are any legitimate instances. We could all benefit by starting to reject all Google sourced email with a different "Reply to:".

Yes. Very common. Sorry but you have a very limited view of realistic mail traffic.
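To make the disagreement above concrete, here is an added example (not code from any commenter) of the proposed Reply-To check, implemented as a scoring rule rather than a hard reject and carrying the exemption the replies point out: mail that identifies itself as list traffic via `List-Id`, `List-Unsubscribe` or `List-Post` is expected to have a Reply-To that differs from From. The three messages are constructed; the "sent via Google" test is a rough heuristic on `Received` headers and an assumption of the example.

```python
# Added example: classify a message by whether its Reply-To domain differs
# from its From domain, with a mailing-list exemption. Sample messages below
# are constructed for the example.
from __future__ import annotations

from email import message_from_string
from email.message import Message
from email.utils import parseaddr

LIST_HEADERS = ("List-Id", "List-Unsubscribe", "List-Post")


def header_domain(value: str | None) -> str | None:
    """Lowercase domain of the first address in a From/Reply-To header."""
    if not value:
        return None
    _name, addr = parseaddr(value)
    _local, sep, domain = addr.rpartition("@")
    return domain.lower() if sep and domain else None


def looks_like_list_mail(msg: Message) -> bool:
    """Mailing lists (Google Groups included) set Reply-To on purpose."""
    return any(msg.get(h) is not None for h in LIST_HEADERS)


def via_google(msg: Message) -> bool:
    """Rough heuristic (assumption): any Received hop naming google.com."""
    return any("google.com" in r.lower() for r in msg.get_all("Received", []))


def check_reply_to(raw_message: str) -> dict:
    """Return the From/Reply-To domains and a verdict:
    'ok' (no mismatch), 'list-traffic' (mismatch but list headers present)
    or 'suspicious' (mismatch with no list headers)."""
    msg = message_from_string(raw_message)
    from_domain = header_domain(msg.get("From"))
    reply_domain = header_domain(msg.get("Reply-To"))
    mismatch = reply_domain is not None and reply_domain != from_domain
    if not mismatch:
        verdict = "ok"
    elif looks_like_list_mail(msg):
        verdict = "list-traffic"
    else:
        verdict = "suspicious"
    return {"from_domain": from_domain, "reply_to_domain": reply_domain,
            "via_google": via_google(msg), "verdict": verdict}


# Constructed sample: Reply-To points somewhere unrelated, no list headers.
SUSPICIOUS_SAMPLE = (
    "Received: from mail-xx.google.com by mx.example.org; Mon, 1 Jan 2024 00:00:00 +0000\n"
    'From: "Accounts" <someone@gmail.com>\n'
    "Reply-To: collect@unrelated-domain.example\n"
    "To: you@example.org\n"
    "Subject: Invoice attached\n"
    "\n"
    "Please reply with your details.\n"
)

# Constructed sample: the Google Groups case raised in the thread.
LIST_SAMPLE = (
    "Received: from mail-yy.google.com by mx.example.org; Mon, 1 Jan 2024 00:00:00 +0000\n"
    "From: alice@gmail.com\n"
    "Reply-To: some-group@googlegroups.com\n"
    "List-Id: <some-group.googlegroups.com>\n"
    "To: some-group@googlegroups.com\n"
    "Subject: [some-group] meeting notes\n"
    "\n"
    "Notes attached.\n"
)

# Constructed sample: ordinary mail with no Reply-To at all.
PLAIN_SAMPLE = (
    "Received: from mail-zz.google.com by mx.example.org; Mon, 1 Jan 2024 00:00:00 +0000\n"
    "From: bob@gmail.com\n"
    "To: you@example.org\n"
    "Subject: hi\n"
    "\n"
    "Hello.\n"
)

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_SAMPLE),
                      ("list", LIST_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(name, check_reply_to(raw))
```

Even with the list exemption, a mismatch on its own is a weak signal; in a real filter it would add weight to a score alongside authentication results rather than trigger a reject by itself.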


It's really difficult creating a fake Google account nowadays


As someone who gets spam from various Gmail accounts on the daily I'm not inclined to believe it's that difficult.


It's only difficult for those who want to commit the atrocious crime of having privacy.

Lesser evil criminals such as spammers already have a supply chain of phone numbers, residential IP addresses, etc that can be used to work around the restrictions.


I've created several ones over the course of months without any issue. I wasn't even asked for a phone number.

Of course if you do it constantly or from third-world IP addresses, I understand they refuse your attempts.


The issue with blocking Gmail is that Gmail is a lot of people's only email. This list is a list of domains people use for addresses that definitively aren't their primary email address (since they are disposable/temporary/forwarding addresses).

While Gmail might be a major source of SPAM, they're also the email service most people legitimately use. If you block dummy-address@my-email-relay.tld, someone might be annoyed, but can sign up with their non-proxied address. If you block Gmail, the person can't just use their "real" address. You're forcing them to create a different email address to use your service - and there's no reason to think that new email address will be from a service that better validates their users.


While Gmail might be a major source of SPAM, they're also the email service most people legitimately use.

That was once true of Yahoo, Myspace, and even AOL.


repo seems to be owned by a google employee


I started the repo and have nothing to do with Google.


There are 2 members in the disposable-email-domains organization on GitHub.[1]

You (martenson) are one of them. The other member (di), who is a "core maintainer" of the project according to the README changelog,[2] is also a member of the Google organization on GitHub.[3] di describes himself as part of the "@google open source security team"[3] and the website linked from his profile says that he is "a Developer Advocate at Google".[4]

[1] https://github.com/orgs/disposable-email-domains/people

[2] https://github.com/disposable-email-domains/disposable-email...

[3] https://github.com/di

[4] https://dustingram.com/


Thanks for summing it up. All of this is correct afaik. What I wanted to respond to was the implication that Google is somehow part of this. It is not. This project started before Dustin joined Google open source and was already couple of years old when Dustin himself joined.


Websites that block Firefox Relay email addresses to be added to my list of services I won't sign up for.

Also, what a big surprise that one of the two creators of this repo works in Google's "open source security" team.


Yep, I won't sacrifice my privacy and main email address from spam just to sign up somewhere that doesn't align with my values.


if you're having issues with disposable emails, you need to either add phone verification or make it so people can try your service (or view prices!) without signing up


phone verification sucks, though. I refuse to use anything that has it mandatorily. And disposable emails are also a problem because of spam.


Yeah, Instagram started demanding a phone number for my personal account that I've had for many years. I just stopped using Instagram.


Yeah I'm the same way, unless I -really- need the service like the place I work or my bank, they don't get my phone number.


Just get rid of the password and require email based magic link login.

Fine use a disposable email but the account will be wiped soon when you never log back in again.


Please no. I hate services that do this, it takes longer to jump over to email and open a link than to autofill the info with a password manager and click submit.


Password managers should start supporting this flow. Allow the password manager to read your Gmail, or for cloud-based managers sign up with an @1password.com email... Not trivial technically, and maybe turning password managers into SSO providers, but that's a lucrative business in itself.


At that point we'd be better off figuring out a proper protocol that allows websites to talk to the password manager directly.


Mozilla designed a decentralized authentication protocol back in 2011 called BrowserID, which was later standardized by the IETF. IIUC, it was similar to OpenID but sites would authenticate your identity with your email service provider. Unfortunately, the protocol never gained traction.

https://en.wikipedia.org/wiki/Mozilla_Persona


Don't we already have that with WebAuthn? It should be possible for the authentication request to be directed to the password manager. Less secure than using a hardware key, but more secure than password, email, or text message authentication.


That looks like it could work, though I don't think it has a lot of support from either password managers or websites.


Something like OpenID connect?


Well, ideally without the centralized server in between.


I don't want anyone but me reading my email. I just want to use a password with 2FA and we're all good.


If you're masking your email because of privacy concerns, are you really going to be happy to go through phone verification?


I have a VoIP number that I ported from an actual cellphone carrier, so that it isn't normally flagged as part of a VoIP phone number range.

At least I can turn it "off" when I don't expect a phone call or text message.


it provides a small financial cost which is enough to limit spammers while letting legitimate users through


This was inevitable. If you’re leaking the info that you’re using a proxy, it’ll eventually be used by people who want to.

One solution is a traditional webmail provider being willing to reuse that primary user domain for forwarding addresses. There are two that I know of doing this, Fastmail with @fastmail.com and Apple with @icloud.com. These domains probably won’t ever be blacklisted, because you’d also blacklist a ton of primary email addresses. (Aliases, which most providers have, tend to be too inconvenient and quantity limited.)

Another solution is to use different addresses at your own domain, which trades anonymity against the company you sign up with for freedom to change providers.

I think all three of these, including announced proxies like MPR, can be the best solution depending on whether you just want to be able to cut contact or you want privacy, and from whom.


Fastmail is excellent. They have subdomain addressing, which is kind of like plus addressing, but better (not all places let you sign up with plus addressing).

I've got my own domain, for example: mydomain.com. So my fastmail email address is depingus@mydomain.com. But with subdomain addressing, I can sign up for services with unique email addresses that look like:

social.hackernews@depingus.mydomain.com

Fastmail will automatically route incoming messages arriving to this email address to my "social" folder. If I start getting junk to that address I can easily blacklist it.

It wasn't easy switching out my email address EVERYWHERE. And there are places that won't even let me change it. But in the end, it was so worth it. I don't even miss Google Inbox anymore!
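The subdomain-addressing scheme described in this comment, as an added example (my own code, not Fastmail's implementation): the `<folder>.<tag>@<user>.<domain>` convention, the username and domain, the per-address blocklist and the leak report are all assumptions taken from the comment's description, and the sample inbox is constructed.

```python
# Added example: route mail sent to <folder>.<tag>@<user>.<domain>, drop
# addresses that have started receiving junk, and report which tag was
# contacted by a sender you never gave it to. Not Fastmail's code.
from __future__ import annotations

from dataclasses import dataclass

MY_USER = "depingus"        # from the comment
MY_DOMAIN = "mydomain.com"  # placeholder domain from the comment


@dataclass(frozen=True)
class Route:
    folder: str
    tag: str | None
    action: str  # "deliver" or "discard"


def route_subdomain_address(recipient: str, *, user: str = MY_USER,
                            domain: str = MY_DOMAIN,
                            blocked: frozenset[str] = frozenset()) -> Route | None:
    """Return where a message to `recipient` should go, or None if the
    address is not one of ours (different host or no '@')."""
    local, sep, host = recipient.strip().lower().rpartition("@")
    if not sep or host != f"{user}.{domain}":
        return None
    if f"{local}@{host}" in blocked:
        return Route(folder="", tag=None, action="discard")
    folder, _dot, tag = local.partition(".")  # first label picks the folder
    return Route(folder=folder, tag=tag or None, action="deliver")


def leak_report(messages: list[tuple[str, str]],
                expected_sender_domains: dict[str, set[str]],
                *, user: str = MY_USER, domain: str = MY_DOMAIN) -> dict[str, list[str]]:
    """Map each tag to the sender domains that wrote to it without being
    the service the tag was handed to. `messages` is (recipient, sender)."""
    leaks: dict[str, list[str]] = {}
    for recipient, sender in messages:
        route = route_subdomain_address(recipient, user=user, domain=domain)
        if route is None or route.tag is None:
            continue
        sender_domain = sender.rpartition("@")[2].lower()
        if sender_domain not in expected_sender_domains.get(route.tag, set()):
            leaks.setdefault(route.tag, []).append(sender_domain)
    return leaks


# Constructed sample inbox: (recipient, sender) pairs.
SAMPLE_INBOX = [
    ("social.hackernews@depingus.mydomain.com", "noreply@ycombinator.com"),
    ("social.hackernews@depingus.mydomain.com", "deals@bulk-sender.example"),
    ("shopping.store@depingus.mydomain.com", "orders@store.example"),
    ("someone@other.mydomain.com", "spam@bulk-sender.example"),  # not ours
]

# Which sender domain each tag was given to.
EXPECTED = {"hackernews": {"ycombinator.com"}, "store": {"store.example"}}

if __name__ == "__main__":
    print(route_subdomain_address("social.hackernews@depingus.mydomain.com"))
    print(leak_report(SAMPLE_INBOX, EXPECTED))
```

The report is the "who sold my address" signal the next comments describe: a tag that was only ever handed to one service but receives mail from somewhere else has, at minimum, been shared.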


I did the same thing a few years back, I love it. It has allowed me to find where my emails are being leaked. So far not too many which is good, the biggest and worst were ledger and instagram.


I know Facebook is cancer and all but I'm still surprised they'd be leaking them as their business model relies on capturing personal data but not giving it away.


Posteo.net also allows creating aliases, so effectively you can create disposable email addresses. The aliases use the same domain.


One thing I learned operating a payment processor for a decade is that by far the email domains of choice for people trying to do evil were big free email providers like google, ms, yahoo and so on. A few operators would use something like mailinator (the kind of thing that is being blocked here). By evil I mean everything from attempting to hack us and our users, to financial fraud, to just trying to get a merchant account after being blacklisted by Visa.

A lot of the logic I see in replies here is that people use services like mailinator to abuse free trials. I think this is also the logic for blocking or stripping RFC 2822 email addresses (something+somethingelse@gmail.com). On the RFC 2822 stripping / blocking, you are just breaking the internet. Disposable emails seem like a problem, but I suspect the trend is towards more "private" email forwarders like Mozilla's relay, Indeed's private emails and iCloud's hide my email.

If you are having problems with free tier abuse, one small thought... This isn't universally applicable advice... but it may be helpful. If having an account on your service does not accrete value for the user, the user will be ok with abandoning the account and starting from scratch to get free service. If it is not possible to accrete value, you may have a product that is not a good fit for the freemium model. Try alternative models. You may find you are leaving money on the table.


When it comes to fraud a non-trivial chunk of it originates from idiots who unwillingly do it (by getting hacked or duped into participating in the scheme), so seeing "normal" email providers there is no surprise.


I hope this addition will help reduce the spam on Discord. I had a talk with one of these spammers and he explained that he is unblockable because of Firefox Relay.


It takes a bit more effort than that - Discord servers can use IP address, email address, and phone number to blacklist against.


Doesn't discord ask for your phone number?


Many Discord servers are configured to require a validated phone number. It is up to the admins of the servers to decide whether enforcing this requirement is appropriate for their community’s needs and requirements.


My solution to email spam is a second Gmail account. I use this email to sign up for everything, and it forwards to my main account, but all those emails get auto-archived on receipt. That way if I need a password link or something it’s as easy as checking my “All Mail” folder but I never see any of the spam.


This method works to eliminate spam, but it doesn't prevent different services from being able to match your identity together. It also prevents a user from signing up multiple times (tho with gmail, you could use the `+` to generate more unique looking addresses, but it's easily detected and eliminated too...).
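An added example (not any commenter's code) of the detection this comment mentions, done in a way that does not "break the internet" as the payment-processor comment above warns: the canonical form is used only as a deduplication key, the address the user typed is still what gets mail, and dots and `+tag` are folded only for providers known to ignore them. The provider table is an assumption of the example; treating Gmail and googlemail.com as the same mailbox is a known property of that service.

```python
# Added example: provider-aware canonical key for duplicate-signup detection.
# Delivery always uses the original address; only the key is normalised.
from __future__ import annotations

# Assumption for the example: providers that ignore '+tag' and dots in the
# local part. For any other domain the local part is left exactly as typed,
# because there 'j.doe' and 'jdoe' may be different mailboxes.
PLUS_TAG_PROVIDERS = frozenset({"gmail.com", "googlemail.com"})
DOT_INSENSITIVE_PROVIDERS = frozenset({"gmail.com", "googlemail.com"})
DOMAIN_ALIASES = {"googlemail.com": "gmail.com"}


def canonical_key(address: str) -> str:
    """Return the deduplication key for `address`.

    Case is folded everywhere (assumption: treating local parts as
    case-insensitive is safe for dedup even though RFC 5321 allows
    case-sensitive mailboxes).
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower().rstrip(".")
    local = local.lower()
    if domain in PLUS_TAG_PROVIDERS:
        local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE_PROVIDERS:
        local = local.replace(".", "")
    domain = DOMAIN_ALIASES.get(domain, domain)
    return f"{local}@{domain}"


def find_duplicate_signups(addresses: list[str]) -> dict[str, list[str]]:
    """Group addresses that resolve to the same mailbox; return only the
    groups with more than one member, keyed by canonical form."""
    groups: dict[str, list[str]] = {}
    for addr in addresses:
        groups.setdefault(canonical_key(addr), []).append(addr)
    return {key: members for key, members in groups.items() if len(members) > 1}


if __name__ == "__main__":
    # Constructed sample signups.
    sample = ["jdoe@gmail.com", "J.Doe+trial2@gmail.com",
              "jdoe@googlemail.com", "j.doe+trial2@example.org", "jdoe@example.org"]
    print(find_duplicate_signups(sample))
```

Note what the last two sample addresses show: at `example.org` the plus-tagged and untagged forms stay distinct, which is exactly the behaviour a blanket "strip everything after +" rule would get wrong.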


I pointed a random domain I own to mailinator. Works like a charm and avoids this list.


Great!


It is interesting that the MR was opened by someone who wishes to remain anonymous. Fuck you DI and mathieu

This repo helps divide the internet into monitored or not. Just like recaptcha. No wonder someone from google came up with it.

