Open-source disposable email service

Open-source disposable email service(sorry.idont.date)

190 points by psarna 3 years ago | 66 comments

hannob 3 years ago |

There's a security problem with this and many other such services. Writing this here hoping that this increases knowledge about this:

I would be able to get a TLS certificate for this host. Why? Some TLS certificate providers allow verifying the domain via access to one of the privileged aliases like postmaster. So I could receive the verification token URL by looking at the postmaster inbox.

Every service offering any type of email inbox should block these aliases. They are ‘admin’, ‘administrator’, ‘webmaster’, ‘hostmaster’, ‘postmaster’. This is specified in the so-called Baseline Requirements, which is the standard for the operation of certificate authorities: https://cabforum.org/baseline-requirements-documents/

voytec 3 years ago | |

RFC 2142: Mailbox Names for Common Services, Roles and Functions [1]

    MAILBOX        SERVICE             SPECIFICATIONS
    -----------    ----------------    ---------------------------
    POSTMASTER     SMTP                [RFC821], [RFC822]
    HOSTMASTER     DNS                 [RFC1033-RFC1035]
    USENET         NNTP                [RFC977]
    NEWS           NNTP                Synonym for USENET
    WEBMASTER      HTTP                [RFC 2068]
    WWW            HTTP                Synonym for WEBMASTER
    UUCP           UUCP                [RFC976]
    FTP            FTP                 [RFC959]

[1] https://www.rfc-editor.org/rfc/rfc2142

sigio 3 years ago | |

A CAA dns record will most likely prevent tbat, just set it to your preferred CA tgat doesn't do mail-based validation.

kevincox 3 years ago | | |

This doesn't help if your preferred CA does mail-based validation. The attacker can just use the same CA that you do.

solatic 3 years ago |

I imagine this domain will quickly end up on lists like this one: https://knowledge.hubspot.com/forms/what-domains-are-blocked...

The real value here is the opening of the source code. Set up a cheap domain, set up a cheap VPS, use Tailscale or similar to keep the web UI private, then you're good.

themoonisachees 3 years ago | |

You don't need such things.

You can simply register a domain on domains.google, and they give you email aliases with each domain. The trick is that while you are limited to 5 aliases, you can define the * alias and it will redirect any mail recieved at that domain. The mail then ends up in your mailbox, but you can easily block adresses that do too much while not breaking the workflow of recieving emails you want.

solatic 3 years ago | | |

> but you can easily block adresses that do too much while not breaking the workflow of recieving emails you want.

Right, so this is a different use-case. You're talking about a usecase where you're not sure if you trust the site, but you may be interested in getting emails from them in the future, should they not violate that trust. You may even be interested in responding to the email. Fastmail also supports this with their masked emails.

OP's use-case is you're sure that you don't trust the site, you're sure that you're not interested in getting emails from them in the future, and you're sure that you will never reply. Therefore, you need an address that is entirely disposable. It's not quite the same thing.

6sp 3 years ago | | |

Or even simpler register the domain on cloudflare and setup a catch all email address. Free to use the email forwarding service.

blowski 3 years ago | |

What a fascinating list. It’s effectively guessing whether something is a business email, given that it’s blocking domains like gmail.com, outlook.com, fastmail.com, and yahoo.com.

kanary 3 years ago |

Do you plan to shuffle the domain? If this hits scale, sites pretty quickly blacklist domains. imo anonaddy is best at scale but still gets blocked.

mdaniel 3 years ago |

this is not "open source," it's source available as the repo is missing any licensing terms. I dunno what the legal standing is of these package management fields <https://github.com/psarna/edgemail/blob/master/Cargo.toml#L5> since I believe at least npm defaults to some very liberal license that almost no one looks at any further and puts a sibling license file in their repo with the actual terms

Also, bold move implementing your own smtpd: https://github.com/psarna/edgemail/blob/master/src/smtp.rs#L...

usr1106 3 years ago |

For incoming mail this is easy to do yourself if you have a little root server with a decent subdomain (the domain does not even need to be owned by you)

But for outgoing mail that requires real work / knowledge / full control over your DNS records. Recently gmail has stopped to accept any email without SPF/DKIM.

ipaddr 3 years ago | |

So not having SPF/DKIM setup could be considered a privacy feature if gmail is going to reject those outright.

usr1106 3 years ago | | |

Well, yes. But if I send an email to a gmail address I know what I am doing and want it delivered.

When I send such email to a custom domain used by a Google office customer it's even worse. Then their admin gets to see my mail (not sure how much detail of it) in the admin interface.

tpoacher 3 years ago |

Nice.

I wonder; if you used this with a "one-payment-only" disposable card, to buy stuff without being harassed by subsequent "newsletters" ... is there a way this could backfire spectacularly by virtue of it being a public address?

I'm assuming the answer is probably yes, but I can't think of an obvious reason why.

EDIT: Hm, on second thought, I guess at a minimum you'd have to give a valid address to buy stuff. Unless it's one of those "give us your email to register" at a physical point of sale. Or unless you have things delivered to a local shop you trust or something. dunno.

eshack94 3 years ago |

Really neat service, but how are you ensuring this won't get abused by spammers and fraudsters?

itake 3 years ago |

Websites like this always seem to shutdown. Now I can’t access any accounts I created with them (since I can’t password recovery or change the email).

KomoD 3 years ago | |

> Now I can’t access any accounts I created with them (since I can’t password recovery or change the email)

Yeah... disposable

burnished 3 years ago | |

I believe this one is for temporary and PUBLIC emails, probably not like anything you have used before if account recovery is a concern.

macintux 3 years ago | |

I’ve been a happy customer of https://33mail.com/ for years. It’s a different style of offering with a similar purpose and apparently a sustainable business model.

__MatrixMan__ 3 years ago | | |

Fastmail supports something like this, but the process of adding a new outbound alias every time I need one is not streamlined enough, so the conversation goes like this:

> otherperson@ABC.com to burner123@subdomain.mydomain.com: Blah blah

> me@mydomain.com to otherperson@ABC.com: Blah back at you!

> otherpersonABC@ABC.com to me@mydomain.com: Who are you and why are you responding to my message to burner123@subdomain.mydomain.com?

Does 33mail make it easy to continue the conversation under the alias?

itake 3 years ago | | |

Are there any email providers that only allow custom domains? I feel like that might reduce riff-raff.

FpUser 3 years ago |

>"All inboxes are public."

What does that mean exactly? Hopefully not that everybody else can look at my "throwaway" inbox.

racingmars 3 years ago | |

>>"All inboxes are public."

>What does that mean exactly? Hopefully not that everybody else can look at my "throwaway" inbox.

It means exactly that. This is in the spirit of the old free version of Mailinator. Use a randomly generated string as the local part of the address to prevent others from guessing and looking that that inbox.

zinxq 3 years ago | | |

Mailinator of course still works this way too. It has private domains, but it still fully supports public,free,disposable addresses @mailinator.com.

Just enter any inbox you want at the top of the homepage.

quickthrower2 3 years ago | |

Your email address is the secret, so yeah anyone who sends you email can see your inbox.

jdthedisciple 3 years ago |

Did not receive my test email for some reason

KomoD 3 years ago | |

Tried it too, didn't receive anything either.

nouryqt 3 years ago | | |

My test email that I sent now didn't arrive either

browningstreet 3 years ago |

I got one of those duck.com addresses but I have no idea what it is or how to re-access it.

abhinavg 3 years ago | |

I'm a happy duck.com address user. I can answer these questions:

What it is: It gives you private throwaway email addresses. Instead of signing up for a website with <real>@gmail.com, use <fixed>@duck.com. It will forward the email to <real>@gmail.com after removing any trackers from it. It also lets you generate <random>@duck.com addresses on demand. If you sign up for something with <random>@duck.com, and they start spamming you, you can turn the email address off without doing anything to <real>@gmail.com or <fixed>@duck.com.

How to re-access it: Information about your duck.com address is stored in that browser. If you use the Browser extension, that remembers it. You simply need to log into that email address from your current browser. To do this, visit https://duckduckgo.com/email/, click on "I already have a Duck address", and enter your original <fixed>@duck.com address. It will email you a one-time password to <real>@gmail.com, and you'll be back in again.

mteam88 3 years ago |

I would love something like this that forwards to a gmail address

johnklos 3 years ago | |

That can't work because Google does content-based filtering. They blame the forwarder for any spam or anything forwarded that's spam-like, and there's no way to designate a source as a legitimate (that is, don't blame it) forwarder.

dizhn 3 years ago | | |

I use 33mail with gmail as the actual destination.

freedomben 3 years ago | |

I do this using forwardemail.net. If a particular address gets sold and is being spammed, it's trivial to shut it down so it won't forward anymore.

INTPenis 3 years ago | |

Receiving is easy, sending is hard. That's why disposable services let you read the mail in their GUI instead of forwarding them.

xigoi 3 years ago | |

https://anonaddy.com/

xcdzvyn 3 years ago | | |

AnonAddy is great. Though I'd like to know if there's anything open source like it, for the safety and longevity guarantees.

rvz 3 years ago |

Just like the other disposable email providers, this one will eventually get blocked pretty quickly.

Instead, use a forwarding email from Gmail, Hey.com, Outlook or ProtonMail.

yawpitch 3 years ago | |

Why, off hand, would anyone block an email _receiver_… from a quick glance at the server code, this project is essentially an SMTP dead end; any mail sent to it is temporarily stored in the database, then periodically flushed. With no sending or forwarding of mail to other servers, and assuming it’s properly acknowledging receipt, why would anyone else block it?

vikarti 3 years ago | | |

People who want 'real customers' who read their very important emails ?

Right now email verification services like verifymail.io says idont.date provides 'real' emails

kornhole 3 years ago | |

Or get a cheap domain and setup a catchall email forwarding to a private box. If you want an anonymous domain, checkout https://kycnot.me/services#VPS.

CodesInChaos 3 years ago | |

Most of those require a phone number to sign up. Though I managed to sign up to protonmail by giving it a disposable email.

KomoD 3 years ago | |

I use temp-mail.org, I rarely have issues with blocking because they rotate domains

MAILBOX SERVICE SPECIFICATIONS ----------- ---------------- --------------------------- POSTMASTER SMTP [RFC821], [RFC822] HOSTMASTER DNS [RFC1033-RFC1035] USENET NNTP [RFC977] NEWS NNTP Synonym for USENET WEBMASTER HTTP [RFC 2068] WWW HTTP Synonym for WEBMASTER UUCP UUCP [RFC976] FTP FTP [RFC959]