If I am really paranoid or just on tor then I use
One of the reasons why I have a list of all these disposable email services is because some do get blocked from websites.
E.g. Mailinator: I loved the service, but it's mostly blocked everywhere now. (I know there are alt domains for Mailinator.)
Really appreciate all these services.
If it's blocked, then these surely do the job
When on tor, tormail.net
If they do go the latter route and give you a real email address, is it really so valuable to you? More likely, your interesting offers will get tagged with the "spam" flag, or auto-deleted by a filter.
> Our business values e-mail destinations where we can actually incite the signed up user with interesting offers
I get several hundred of these "interesting offers" every day.
I’ll bet they’re just fascinating.
(My old gmail account gets Pizza Hut order confirmations from some guy in Texas. About every other week.)
Whether the offers you send out to users are enticing or not remains to be seen.
Given some of the other comments in the thread below, it seems like the more of these you have, the more likely one of them will work.
Instead, the site will randomly show one of the alternate domains on every page load. At one point, it would even give 'gmail.com' and other legitimate domains as the alternate if you tried to scrape them too quickly (or rather, they hypothetically-yet-definitely-didn't-do that).
Today, the alternate domains are shown as an image, and even that isn't a complete list, since other people can simply redirect mail incoming to their domains to mailinator.com. Mailinator explicitly condones this.
 http://mailinator.blogspot.ca/2007/10/new-mailinator-alterna... (end of second paragraph)
Resolving not-mailinator.whatever.com returns:
not-mailinator.whatever.com. 86400 IN MX 10 a.bad-mailserver.com
not-mailinator.whatever.com. 86400 IN MX 10 b.bad-mailserver.com
not-mailinator.whatever.com. 86400 IN MX 10 c.bad-mailserver.com
not-mailinator.whatever.com. 86400 IN MX 10 d.bad-mailserver.com
not-mailinator.whatever.com. 86400 IN MX 10 e.bad-mailserver.com
not-mailinator.whatever.com. 86400 IN MX 10 f.bad-mailserver.com
not-mailinator.whatever.com. 86400 IN MX 10 g.bad-mailserver.com
not-mailinator.whatever.com. 86400 IN MX 10 h.bad-mailserver.com
not-mailinator.whatever.com. 86400 IN MX 10 mailinator.com
You could put a limit on the number of MX records a domain can have, but Gmail has 5 and so you'd only reduce the chance of success to 80%.
Then you have to consider the mechanics of DNS. How many layers of CNAME indirection will you follow? Will you cache results? (If so, how will you trust that the responses are valid?) How long will you wait for DNS responses?
A poor implementation of DNS lookups will use unbounded time, unbounded bandwidth, and unbounded file descriptors. This isn't a hack you are going to code up in an afternoon, and one mistake means your website is going to randomly go down.
And so you have to ask: why? Why do you care if someone uses mailinator? Spammers are just going to set up their own domain or use someone's malware'd Windows box. And someone that wants to ignore your email is just going to have a procmail rule auto-submit your messages to Spamcop anyway.
So you gain nothing, spend a lot of time programming, and it won't solve any problems. In conclusion: worst idea ever.
(I'm not trying to block Mailinator, just some exercise for myself.)
Some of the main features are:
* SSL only connections
* All data is stored in memory using redis to make the site blazing fast
* New mails are instantly displayed using web sockets
* Automatically clicking on common activation links
* Your inbox doesn't expire
Your nginx configuration ssl ciphersuite list includes single DES, too, when it shouldn't.
(Granted that in the most common use case, if I know the email address, I probably know what's in the inbox, since I am likely the person who sent the message. But still, why not make these 2 different random strings?)
A couple more examples:
1QjYwHNM vs 1QjYwHOc
1Qk07A9x vs 1Qk07A9X
You can verify this by repeatedly clicking 'Delete this address', which issues you a new mail box. The address string can be thought of as a number that is always incrementing, with the 'digits' drawn from [0-9a-zA-Z]. (So base 62.)
The URL number is always (sample size ~100) just a little smaller than the email number, but not by a consistent amount. Often about 20-30 steps away, but sometimes as much as 600 steps away (depending on server load?).
The number seems to be generated by a clock rather than a counter, since the rate at which the counter increases is very steady. The 5th digit from the right increments every 15 seconds, suggesting that there are (62^4)/15 ~= 0.99 million unique strings per second. Maybe the counter is just using the time in microseconds, and converting it to a string?
1 - If I know your address, I can now guess the 'secret' URL to read your mail in a trivial number of guesses (certainly less than 1000). There doesn't seem to be any throttling of attempts on server side (I was able to manually cycle through ~30 invalid URLs fairly quickly).
2 - Email addresses 'leak' the time that they were created. (Not a clear security risk, but could be problematic in some cases)
3 - As Sami_Lehtinen says, addresses are guessable based on signup time, but given that these are disposable addresses, I'm not sure that's a big problem (who cares if a spammer guesses it). Also, even if there is a new user signing up every second, the success rate for guesses will be 1E-6.
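The arithmetic from the comment above, as an added example (not part of the thread and not the service's code): it reads the two quoted pairs as base-62 numbers to measure how close the address and the URL are, then contrasts that with an assumed hardened design where both values come from independent CSPRNG draws. The alphabet order, the function names and the token lengths are assumptions.

```python
import hmac
import secrets

# Assumed digit order, as inferred in the comment: 0-9, then a-z, then A-Z.
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
INDEX = {ch: i for i, ch in enumerate(ALPHABET)}


def b62_decode(text: str) -> int:
    """Read an identifier as a base-62 number."""
    value = 0
    for ch in text:
        value = value * 62 + INDEX[ch]  # KeyError if ch is outside the alphabet
    return value


def gap(a: str, b: str) -> int:
    """Number of counter steps separating two identifiers."""
    return abs(b62_decode(a) - b62_decode(b))


def ticks_per_second(digit_from_right: int, seconds_per_increment: float) -> float:
    """Counter rate implied by how often a given digit increments."""
    return 62 ** (digit_from_right - 1) / seconds_per_increment


def new_mailbox() -> dict:
    """Hardened issue path (assumed design): address and access token are
    independent random draws, so neither reveals the other or the creation time."""
    return {
        "address_local_part": secrets.token_hex(6),  # 48 random bits
        "access_token": secrets.token_urlsafe(16),   # 128 random bits
    }


def token_matches(presented: str, stored: str) -> bool:
    """Constant-time comparison for the server-side token check."""
    return hmac.compare_digest(presented.encode(), stored.encode())


if __name__ == "__main__":
    # The two pairs quoted in the comment.
    for a, b in [("1QjYwHNM", "1QjYwHOc"), ("1Qk07A9x", "1Qk07A9X")]:
        print(a, b, "steps apart:", gap(a, b))
    print("implied rate: %.0f ticks/s" % ticks_per_second(5, 15))
    print(new_mailbox())
```

Both quoted pairs decode to values inside the "20-30 steps" window the comment reports, which is what makes the URL predictable from the address; the random tokens have no such relationship.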
Not giving freebies is of course an option, but then there is goodwill lost on that end instead.
It sucks both ways. At least I don't spam my users, but they of course only trust that assertion so far and I certainly don't blame them - there seems to have been a significant rise in email marketing in the last 6+ months - probably some annoying YC startup or two making it much too easy for sites I signed up for at some point but really don't want to hear from to send me email... Tsk, tsk ;)
This is on the same level as adding a CAPTCHA if someone's comment looks like spam.
Btw: This fix only applies to new mails.
It's only useful until websites start filtering out the receiveee domain - that's been happening with a few disposable email addresses.
And the highlight on "We even automatically click on common activation links for you" was a bit confusing. I was expecting a link to a page about the pointlessness of Challenge Response.
And what I really dearly want is an anonymous way to send an email - I don't mind having to sign up; I don't mind having to pay; but I really want a method where sending an email to $Person means they have to work very hard to get my real identity. (This is for good, not bad, reasons. But I can see the potential for abuse.)
Two quick questions:
- "don't mind having to pay"; what might you be willing to spend? $5/month? $50? 2c per email?
- "they have to work very hard to get my real identity"; get-a-court-order hard? Or harder than that?
(oh, and you can use whatever domain you can manage MX records for - it's preferable in fact)
That being said, they certainly have IP logs, so make sure to enable Tor.
Here, I created one just now, for you:
If they start getting popular, they either
- start getting slammed with volumes of spam that are so high that the creator needs to start paying some serious hosting fees to keep the service running
- get blacklisted
Mailinator has outlasted all its competitors because it addressed both problems very early on. I wish receiveee the best of luck, but I'm betting that it won't be around a year from now.
has a massive database and a bounty for new additions!
We have 2 factor verification for http://8centsms.com/ but with the advent of disposable inbound SMS numbers via Twilio as well as disposable email addresses we were getting a bunch of people signing up and getting the free 10 credits repeatedly.
We haven't seen the problem recur since implementing this service, though, so it seems the coverage is pretty good (/me prepares for onslaught of fake email signups to get the 10 free SMS credits via fake Twilio numbers ... )
All we need now is a service to blacklist disposable mobile numbers!!
The reason I do this is because many startups (and non-startups) keep abusing the amount of email they send you; even if I unsubscribe from their "newsletter", they come up with other non-newsletter emails - and this is just unbearable. I feel like I'm being spammed most of the time.
The advantage of using disposable email is that I have access to the service, I decide when I receive emails and it's a great way to protect my account from being hacked (think of any recent social eng hack a la Amazon, Apple, etc. they couldn't do it without your signin email).
A handful of other colleagues do the same thing. If you blacklist users who want to protect their privacy and want control over their inbox all you are doing is blocking (in our case) affluent users.
Yahoo in particular has an excellent system for doing this; you can generate disposable addresses by adding a unique string to a base name particular to your account (but which isn't identical to your real address, as it is if you use a '+' delimiter with Gmail). By default, all messages received at any disposable address go to your primary inbox, but you can designate an alternate folder for each of them. Since all of your disposable addresses are @yahoo.com, it's impossible for admins to blacklist the domain.
Sorry if this sounds like a commercial for Yahoo Mail; I'm just very happy with this feature and almost never resort to using Mailinator et al.
receiveee looks great for incoming one-time emails like spam and confirmation emails. Gliph allows two-way email, at the cost of having to create an account.
The cloak address you generate on Gliph forwards mail to your real inbox. When you reply, it appears to come from a cloak address.
More info in ReadWrite article: http://readwrite.com/2012/08/14/use-this-app-to-create-anony...
Disclosure: I am co-founder and CEO of Gliph. Happy to answer questions.
is also quite nice.
Like Mailinator, this is a great idea.
Kudos to these guys for putting their mail admin skills to good use.
On the one hand, I respect people's privacy and right to use whatever email address they like.
On the other (more relevant) hand - I sometimes need to contact users who violate terms and conditions that their access may be switched off (I'd never do this without contacting them 2-3 times). Also, I might need to inform them that something has changed which might affect their usage. My service can be quite integral to a lot of apps, so to me that's an important feature...
If they are serious about evaluating our product, they can provide a real email address. If they aren't very serious or inherently don't trust us, then I'm willing to miss the opportunity of having them as a customer.
I respect their privacy, because we don't spam, sell, or abuse any of these email addresses ever, but I find it hard to trust anyone with an account on our service if they use a fake email address. Personally, when I sign up for services, I find it helpful to gauge the company based on how they use my email. If they automatically start sending me marketing materials the next day, that tells me a lot, and I'll generally cancel the service and report all of the subsequent marketing emails from them as spam. The only way to do that effectively is if I use a real email address.
Do people use these fake inboxes for any reason other than trying to prevent or cut down on spam? Am I overlooking some key aspect of allowing people to use these email addresses?
I've not used a single website that hasn't flooded me with "email newsletters", "promotions" and "reminders". Even my damn utility companies (each on their unique addresses) both sold and spammed the address I gave them with the stuff.
There is no trust.
It might be anachronistic, but if a potential customer wants to begin a relationship with us with a lie, then of the two of us, I would think we have more reason to mistrust that individual than they have to mistrust us. Their mistrust is based on projecting bad behavior of other companies onto us whereas our mistrust is based on them actively beginning the relationship with a lie.
Of course, this decision may cost us some potential customers, but for now, that's something that we're willing to accept.
Solid justification for disallowing them. My service doesn't even send a reply-verification to users (but Free users get a CAPTCHA... sadly) and just assumes validity. Perhaps I ought to integrate it at some point, but personally I hate having to click to verify my email address. Comes back to trust, again.
Analogy: When one fucks his/her neighbor's wife/husband (no, just kidding, nobody ever does that IRL), one at least draws the curtains, or goes to rent a motel room 500 miles from home. It can lead to legal problems, big loss of money, and shattering a whole family (hurting real people for real), but no jurisdiction in North America or Western Europe would send someone to jail for that.
So... Signing into your new shiny service with a dupe email? You bet I will. All the more if it's free. And that's just the beginning. It's time people realize their "profile" is as private as their "privates". Don't let anyone profile you for free. Your profile is worth more than that, right?
That answers your question?
(Btw nothing personal, as for the "illegal" stuff happening on your service, it's mostly your problem, alas:( and that's not the easiest part. As long as you wish to profile users, you cannot securely (as in security by design) offer them privacy, and hence will run into the kind of troubles you allude to)
I think the adultery metaphor is a little far-fetched, or perhaps irrelevant, but I understand that privacy is as serious an issue as those things you mentioned.
Perhaps a better approach for startups/businesses is to inform users (perhaps with some kind of UI-friendly alert) that it's OK for them to use your service with a fake email for up to one week at a time (or etc.) - kind of as a trial - after which their account will be deleted.
This shows that you're happy for them to try the service out with no obligation - but if they won't use a 'real' email address, they won't get a 'real' account.
I invert-quote 'real' because, obviously, it's just as possible for them to use a throwaway gmail account.
Mainly I've noticed a distinct correlation between spam signups/service abusers and throwaway email accounts.
I only go to this account inbox when I'm looking for a particular email. It's full of spam and I don't care!
Of course, there are spam considerations here... but I think they have to be worked out.
As re_todd says, Mailinator asks for nothing from the user. The accounts are created automatically.
Just send mail to email@example.com
and an account (user) is automatically created. No passwords. No sign in.
Too bad Google discontinued the free option.
However, I missed a link to bookmark the home page, as going to https://receiveee.com/ automatically redirects to the newly created address.
It is cumbersome to manually add it to the bookmark bar.
"Your Private Inbox
Only you can access this inbox by returning to this web site using the same browser or by saving the link for this page. Others are not able to read your mail."
Props to the progger/designer.
Just a minor suggestion: you could wrap the email address in a link prefaced by "mailto:" to make it super easy to test the service.