Open-source disposable email service (opens in new tab)

(sorry.idont.date)

190 pointspsarna2y ago66 comments

66 comments

There's a security problem with this and many other such services. Writing this here hoping that this increases knowledge about this:

I would be able to get a TLS certificate for this host. Why? Some TLS certificate providers allow verifying the domain via access to one of the privileged aliases like postmaster. So I could receive the verification token URL by looking at the postmaster inbox.

Every service offering any type of email inbox should block these aliases. They are ‘admin’, ‘administrator’, ‘webmaster’, ‘hostmaster’, ‘postmaster’. This is specified in the so-called Baseline Requirements, which is the standard for the operation of certificate authorities: https://cabforum.org/baseline-requirements-documents/

voytec2y ago

RFC 2142: Mailbox Names for Common Services, Roles and Functions [1]

    MAILBOX        SERVICE             SPECIFICATIONS
    -----------    ----------------    ---------------------------
    POSTMASTER     SMTP                [RFC821], [RFC822]
    HOSTMASTER     DNS                 [RFC1033-RFC1035]
    USENET         NNTP                [RFC977]
    NEWS           NNTP                Synonym for USENET
    WEBMASTER      HTTP                [RFC 2068]
    WWW            HTTP                Synonym for WEBMASTER
    UUCP           UUCP                [RFC976]
    FTP            FTP                 [RFC959]

[1] https://www.rfc-editor.org/rfc/rfc2142

sigio2y ago

A CAA dns record will most likely prevent tbat, just set it to your preferred CA tgat doesn't do mail-based validation.

kevincox2y ago

This doesn't help if your preferred CA does mail-based validation. The attacker can just use the same CA that you do.

solatic2y ago

I imagine this domain will quickly end up on lists like this one: https://knowledge.hubspot.com/forms/what-domains-are-blocked...

The real value here is the opening of the source code. Set up a cheap domain, set up a cheap VPS, use Tailscale or similar to keep the web UI private, then you're good.

themoonisachees2y ago

You don't need such things.

You can simply register a domain on domains.google, and they give you email aliases with each domain. The trick is that while you are limited to 5 aliases, you can define the * alias and it will redirect any mail recieved at that domain. The mail then ends up in your mailbox, but you can easily block adresses that do too much while not breaking the workflow of recieving emails you want.

solatic2y ago

> but you can easily block adresses that do too much while not breaking the workflow of recieving emails you want.

Right, so this is a different use-case. You're talking about a usecase where you're not sure if you trust the site, but you may be interested in getting emails from them in the future, should they not violate that trust. You may even be interested in responding to the email. Fastmail also supports this with their masked emails.

OP's use-case is you're sure that you don't trust the site, you're sure that you're not interested in getting emails from them in the future, and you're sure that you will never reply. Therefore, you need an address that is entirely disposable. It's not quite the same thing.

6sp2y ago

Or even simpler register the domain on cloudflare and setup a catch all email address. Free to use the email forwarding service.

blowski2y ago

What a fascinating list. It’s effectively guessing whether something is a business email, given that it’s blocking domains like gmail.com, outlook.com, fastmail.com, and yahoo.com.

kanary2y ago

Do you plan to shuffle the domain? If this hits scale, sites pretty quickly blacklist domains. imo anonaddy is best at scale but still gets blocked.

mdaniel2y ago

this is not "open source," it's source available as the repo is missing any licensing terms. I dunno what the legal standing is of these package management fields <https://github.com/psarna/edgemail/blob/master/Cargo.toml#L5> since I believe at least npm defaults to some very liberal license that almost no one looks at any further and puts a sibling license file in their repo with the actual terms

Also, bold move implementing your own smtpd: https://github.com/psarna/edgemail/blob/master/src/smtp.rs#L...

yawpitch2y ago

Pretty sure that, legally speaking, an author publicly declaring that a piece of publicly published work is offered as open source, coupled in this case with also indicating (albeit indirectly and not obviously) via the Cargo.toml that the work is specifically licensed under “MIT OR Apache”, is more than sufficient to block them from ever successfully pursuing someone else for damages under their copyright for use consistent with those indicated licenses. That declaration effectively does make this “open source” under the plain meaning of that term — the source is openly available, and the author’s clear and openly stated intent is that it is offered as openly available under specific licensure terms — what it probably (or at least properly) is not is “Open Source” per the definition of the OSI.

The author should certainly clarify the license terms if they want this to be widely used, but though I wouldn’t use this for MANY reasons, not one of them is fear of having violated the author’s copyrights.

burnished2y ago

So the absence of a license means it defaults to exclusive copy right, but can advertising it as open source be construed as a 'license'? Or more broadly can express written or verbal permission count?

Just interested in it hypothetically, in practice specifying a license in the text seems like a no brainer

doodlesdev2y ago

   > So the absence of a license means it defaults to exclusive copy right

Yes

   >  but can advertising it as open source be construed as a 'license'

I'm pretty sure the answer is no. There are no terms specified, no definition provided to what "open-source" is, and no information as to _what_ is licensed as open-source (i.e. the files, the compilation result, etc.).

General consensus with most licensing schemes is to add a license header to the top of every file, or otherwise specify that all files in a certain repository are subject to that license in a clear manner that everyone accessing these files will have access to (i.e. README file).

1 more reply

mdaniel2y ago

I'm for sure not a lawyer, but in my mental model just saying "open source" is not the same as "open source under what license?" since there have been an absolutely staggering amount of discussions on this very site about the distinction between Apache, AGPL, GPL, LGPL, and that's not even getting into the non-free licenses that are often erroneously labeled as "open source"

2 more replies

avinassh2y ago

I believe this comment prompted a discussion on the repo and now it has a valid license. So, that's a win

usr11062y ago

For incoming mail this is easy to do yourself if you have a little root server with a decent subdomain (the domain does not even need to be owned by you)

But for outgoing mail that requires real work / knowledge / full control over your DNS records. Recently gmail has stopped to accept any email without SPF/DKIM.

ipaddr2y ago

So not having SPF/DKIM setup could be considered a privacy feature if gmail is going to reject those outright.

usr11062y ago

Well, yes. But if I send an email to a gmail address I know what I am doing and want it delivered.

When I send such email to a custom domain used by a Google office customer it's even worse. Then their admin gets to see my mail (not sure how much detail of it) in the admin interface.

tpoacher2y ago

Nice.

I wonder; if you used this with a "one-payment-only" disposable card, to buy stuff without being harassed by subsequent "newsletters" ... is there a way this could backfire spectacularly by virtue of it being a public address?

I'm assuming the answer is probably yes, but I can't think of an obvious reason why.

EDIT: Hm, on second thought, I guess at a minimum you'd have to give a valid address to buy stuff. Unless it's one of those "give us your email to register" at a physical point of sale. Or unless you have things delivered to a local shop you trust or something. dunno.

eshack942y ago

Really neat service, but how are you ensuring this won't get abused by spammers and fraudsters?

itake2y ago

Websites like this always seem to shutdown. Now I can’t access any accounts I created with them (since I can’t password recovery or change the email).

KomoD2y ago

> Now I can’t access any accounts I created with them (since I can’t password recovery or change the email)

Yeah... disposable

burnished2y ago

I believe this one is for temporary and PUBLIC emails, probably not like anything you have used before if account recovery is a concern.

macintux2y ago

I’ve been a happy customer of https://33mail.com/ for years. It’s a different style of offering with a similar purpose and apparently a sustainable business model.

__MatrixMan__2y ago

Fastmail supports something like this, but the process of adding a new outbound alias every time I need one is not streamlined enough, so the conversation goes like this:

> otherperson@ABC.com to burner123@subdomain.mydomain.com: Blah blah

> me@mydomain.com to otherperson@ABC.com: Blah back at you!

> otherpersonABC@ABC.com to me@mydomain.com: Who are you and why are you responding to my message to burner123@subdomain.mydomain.com?

Does 33mail make it easy to continue the conversation under the alias?

3 more replies

itake2y ago

Are there any email providers that only allow custom domains? I feel like that might reduce riff-raff.

FpUser2y ago

>"All inboxes are public."

What does that mean exactly? Hopefully not that everybody else can look at my "throwaway" inbox.

racingmars2y ago

>>"All inboxes are public."

>What does that mean exactly? Hopefully not that everybody else can look at my "throwaway" inbox.

It means exactly that. This is in the spirit of the old free version of Mailinator. Use a randomly generated string as the local part of the address to prevent others from guessing and looking that that inbox.

zinxq2y ago

Mailinator of course still works this way too. It has private domains, but it still fully supports public,free,disposable addresses @mailinator.com.

Just enter any inbox you want at the top of the homepage.

quickthrower22y ago

Your email address is the secret, so yeah anyone who sends you email can see your inbox.

jdthedisciple2y ago

Did not receive my test email for some reason

KomoD2y ago

Tried it too, didn't receive anything either.

nouryqt2y ago

My test email that I sent now didn't arrive either

browningstreet2y ago

I got one of those duck.com addresses but I have no idea what it is or how to re-access it.

abhinavg2y ago

I'm a happy duck.com address user. I can answer these questions:

What it is: It gives you private throwaway email addresses. Instead of signing up for a website with <real>@gmail.com, use <fixed>@duck.com. It will forward the email to <real>@gmail.com after removing any trackers from it. It also lets you generate <random>@duck.com addresses on demand. If you sign up for something with <random>@duck.com, and they start spamming you, you can turn the email address off without doing anything to <real>@gmail.com or <fixed>@duck.com.

How to re-access it: Information about your duck.com address is stored in that browser. If you use the Browser extension, that remembers it. You simply need to log into that email address from your current browser. To do this, visit https://duckduckgo.com/email/, click on "I already have a Duck address", and enter your original <fixed>@duck.com address. It will email you a one-time password to <real>@gmail.com, and you'll be back in again.

mteam882y ago

I would love something like this that forwards to a gmail address

johnklos2y ago

That can't work because Google does content-based filtering. They blame the forwarder for any spam or anything forwarded that's spam-like, and there's no way to designate a source as a legitimate (that is, don't blame it) forwarder.

dizhn2y ago

I use 33mail with gmail as the actual destination.

freedomben2y ago

I do this using forwardemail.net. If a particular address gets sold and is being spammed, it's trivial to shut it down so it won't forward anymore.

INTPenis2y ago

Receiving is easy, sending is hard. That's why disposable services let you read the mail in their GUI instead of forwarding them.

xigoi2y ago

https://anonaddy.com/

xcdzvyn2y ago

AnonAddy is great. Though I'd like to know if there's anything open source like it, for the safety and longevity guarantees.

1 more reply

rvz2y ago

Just like the other disposable email providers, this one will eventually get blocked pretty quickly.

Instead, use a forwarding email from Gmail, Hey.com, Outlook or ProtonMail.

yawpitch2y ago

Why, off hand, would anyone block an email _receiver_… from a quick glance at the server code, this project is essentially an SMTP dead end; any mail sent to it is temporarily stored in the database, then periodically flushed. With no sending or forwarding of mail to other servers, and assuming it’s properly acknowledging receipt, why would anyone else block it?

vikarti2y ago

People who want 'real customers' who read their very important emails ?

Right now email verification services like verifymail.io says idont.date provides 'real' emails

kornhole2y ago

Or get a cheap domain and setup a catchall email forwarding to a private box. If you want an anonymous domain, checkout https://kycnot.me/services#VPS.

CodesInChaos2y ago

Most of those require a phone number to sign up. Though I managed to sign up to protonmail by giving it a disposable email.

KomoD2y ago

I use temp-mail.org, I rarely have issues with blocking because they rotate domains

j / k navigate · click thread line to collapse

66 comments

hannob2y ago

There's a security problem with this and many other such services. Writing this here hoping that this increases knowledge about this:

voytec2y ago

RFC 2142: Mailbox Names for Common Services, Roles and Functions [1]

    MAILBOX        SERVICE             SPECIFICATIONS
    -----------    ----------------    ---------------------------
    POSTMASTER     SMTP                [RFC821], [RFC822]
    HOSTMASTER     DNS                 [RFC1033-RFC1035]
    USENET         NNTP                [RFC977]
    NEWS           NNTP                Synonym for USENET
    WEBMASTER      HTTP                [RFC 2068]
    WWW            HTTP                Synonym for WEBMASTER
    UUCP           UUCP                [RFC976]
    FTP            FTP                 [RFC959]

[1] https://www.rfc-editor.org/rfc/rfc2142

sigio2y ago

A CAA dns record will most likely prevent tbat, just set it to your preferred CA tgat doesn't do mail-based validation.

kevincox2y ago

This doesn't help if your preferred CA does mail-based validation. The attacker can just use the same CA that you do.

solatic2y ago

I imagine this domain will quickly end up on lists like this one: https://knowledge.hubspot.com/forms/what-domains-are-blocked...

The real value here is the opening of the source code. Set up a cheap domain, set up a cheap VPS, use Tailscale or similar to keep the web UI private, then you're good.

themoonisachees2y ago

You don't need such things.

solatic2y ago

> but you can easily block adresses that do too much while not breaking the workflow of recieving emails you want.

6sp2y ago

Or even simpler register the domain on cloudflare and setup a catch all email address. Free to use the email forwarding service.

blowski2y ago

What a fascinating list. It’s effectively guessing whether something is a business email, given that it’s blocking domains like gmail.com, outlook.com, fastmail.com, and yahoo.com.

kanary2y ago

Do you plan to shuffle the domain? If this hits scale, sites pretty quickly blacklist domains. imo anonaddy is best at scale but still gets blocked.

mdaniel2y ago

Also, bold move implementing your own smtpd: https://github.com/psarna/edgemail/blob/master/src/smtp.rs#L...

yawpitch2y ago

burnished2y ago

Just interested in it hypothetically, in practice specifying a license in the text seems like a no brainer

doodlesdev2y ago

   > So the absence of a license means it defaults to exclusive copy right

Yes

   >  but can advertising it as open source be construed as a 'license'

1 more reply

mdaniel2y ago

2 more replies

avinassh2y ago

I believe this comment prompted a discussion on the repo and now it has a valid license. So, that's a win

usr11062y ago

For incoming mail this is easy to do yourself if you have a little root server with a decent subdomain (the domain does not even need to be owned by you)

But for outgoing mail that requires real work / knowledge / full control over your DNS records. Recently gmail has stopped to accept any email without SPF/DKIM.

ipaddr2y ago

So not having SPF/DKIM setup could be considered a privacy feature if gmail is going to reject those outright.

usr11062y ago

Well, yes. But if I send an email to a gmail address I know what I am doing and want it delivered.

When I send such email to a custom domain used by a Google office customer it's even worse. Then their admin gets to see my mail (not sure how much detail of it) in the admin interface.

tpoacher2y ago

Nice.

I'm assuming the answer is probably yes, but I can't think of an obvious reason why.

eshack942y ago

Really neat service, but how are you ensuring this won't get abused by spammers and fraudsters?

itake2y ago

Websites like this always seem to shutdown. Now I can’t access any accounts I created with them (since I can’t password recovery or change the email).

KomoD2y ago

> Now I can’t access any accounts I created with them (since I can’t password recovery or change the email)

Yeah... disposable

burnished2y ago

I believe this one is for temporary and PUBLIC emails, probably not like anything you have used before if account recovery is a concern.

macintux2y ago

I’ve been a happy customer of https://33mail.com/ for years. It’s a different style of offering with a similar purpose and apparently a sustainable business model.

__MatrixMan__2y ago

Fastmail supports something like this, but the process of adding a new outbound alias every time I need one is not streamlined enough, so the conversation goes like this:

> otherperson@ABC.com to burner123@subdomain.mydomain.com: Blah blah

> me@mydomain.com to otherperson@ABC.com: Blah back at you!

> otherpersonABC@ABC.com to me@mydomain.com: Who are you and why are you responding to my message to burner123@subdomain.mydomain.com?

Does 33mail make it easy to continue the conversation under the alias?

3 more replies

itake2y ago

Are there any email providers that only allow custom domains? I feel like that might reduce riff-raff.

FpUser2y ago

>"All inboxes are public."

What does that mean exactly? Hopefully not that everybody else can look at my "throwaway" inbox.

racingmars2y ago

>>"All inboxes are public."

>What does that mean exactly? Hopefully not that everybody else can look at my "throwaway" inbox.

zinxq2y ago

Mailinator of course still works this way too. It has private domains, but it still fully supports public,free,disposable addresses @mailinator.com.

Just enter any inbox you want at the top of the homepage.

quickthrower22y ago

Your email address is the secret, so yeah anyone who sends you email can see your inbox.

jdthedisciple2y ago

Did not receive my test email for some reason

KomoD2y ago

Tried it too, didn't receive anything either.

nouryqt2y ago

My test email that I sent now didn't arrive either

browningstreet2y ago

I got one of those duck.com addresses but I have no idea what it is or how to re-access it.

abhinavg2y ago

I'm a happy duck.com address user. I can answer these questions:

mteam882y ago

I would love something like this that forwards to a gmail address

johnklos2y ago

dizhn2y ago

I use 33mail with gmail as the actual destination.

freedomben2y ago

I do this using forwardemail.net. If a particular address gets sold and is being spammed, it's trivial to shut it down so it won't forward anymore.

INTPenis2y ago

Receiving is easy, sending is hard. That's why disposable services let you read the mail in their GUI instead of forwarding them.

xigoi2y ago

https://anonaddy.com/

xcdzvyn2y ago

AnonAddy is great. Though I'd like to know if there's anything open source like it, for the safety and longevity guarantees.

1 more reply

rvz2y ago

Just like the other disposable email providers, this one will eventually get blocked pretty quickly.

Instead, use a forwarding email from Gmail, Hey.com, Outlook or ProtonMail.

yawpitch2y ago

vikarti2y ago

People who want 'real customers' who read their very important emails ?

Right now email verification services like verifymail.io says idont.date provides 'real' emails

kornhole2y ago

Or get a cheap domain and setup a catchall email forwarding to a private box. If you want an anonymous domain, checkout https://kycnot.me/services#VPS.

CodesInChaos2y ago

Most of those require a phone number to sign up. Though I managed to sign up to protonmail by giving it a disposable email.

KomoD2y ago

I use temp-mail.org, I rarely have issues with blocking because they rotate domains

j / k navigate · click thread line to collapse