Hacker Newsnew | past | comments | ask | show | jobs | submitlogin
Show HN: An ad free temporary mail service
54 points by TemporaryMail on July 14, 2024 | hide | past | favorite | 94 comments
Made this privacy conscious temporary mail extension as a hobby a few years ago as I found a cool domain.

I've now revamped the UI, added more domains and created an extension that shows your inbox in your browser (it only asks for permission to read from TemporaryMail.com and not all sites like the other extensions), it's also free from ads (paying the service out of pocket and perhaps adding an upgrade feature later on).

What makes this site a bit more unique is that I wrote the email parser from scratch following the RFC (took me 2 months and tons of testing) so it should display all incoming emails exactly as they are displayed in your favorite email client.

The site itself: https://TemporaryMail.com

Firefox Extension: https://addons.mozilla.org/en-US/firefox/addon/temporary-ema...

Chrome Extension: https://chromewebstore.google.com/detail/temporarymailcom-a-...

Edge Extension: https://microsoftedge.microsoft.com/addons/detail/temporarym...

Opera Extension: https://addons.opera.com/en/extensions/details/temporarymail...

Please give me your worst and criticize it to oblivion as I want to improve it. Also thinking about adding an API for it so let me know your thoughts on that too.

PS

I launched this back at the end of December 2020 and posted here on HN and it didn't get much traction.



The only feature temp mail service should focus on having tons of domains.

Many temp mail domains are blacklisted. only way to get around is rotating the domain name everyday.

I will give it a try.


You're right about that and I'm doing my best at rotating, but it's very easy to detect these addresses as the "detectors" can simply just set a cron to grab the latest domains once an hour.

I'm however thinking about creating a paid service with a low price (maybe like $2/month) just to filter out the majority of the bots and then using that money to get a lot of domains.


You could allow users to use their own domains, like https://yopmail.com/add-domain does.


I'm not sure that's a great solution though, because all the domains would use the same mail server which would basically instantly flag your domain and all your addresses as disposable.


The fact they constantly have to rotate to avoid blocks is because they are used for abuse and are attempting to essentially attack network services.

Something like private aliases attached to a real account you actually have adds privacy, but retains accountability. (You can create aliases on Proton, Fastmail, Outlook, etc. but they are attached to your real account so abuse is manageable.) A service rotating temporary domains to avoid services blocking them is a malicious attacker, and should be treated as such.


I don't agree with this and I think the right approach is to simply not require visitors to give up their email accounts if they don't want to.

If you want to block a malicious attacker, then you can use a captcha.

A serious malicious attacker wouldn't have a problem paying a few dollars to buy a domain, creating a catch-all address and if he wants to take it one step further he can even have it look like a legitimate email service.

Disposable services are ad blockers for emails.


Aliases you can discard are ad blockers for emails, disposable services are for bots, scams, and fraud. If you know the space, you'll be aware CAPTCHAs are trivially defeated today, regardless of the provider.

I certainly agree people shouldn't be asked to provide an email if it's unnecessary, but again for the issue of bots, scams, and fraud, you generally need some sort of unique relatively hard to get many of identifier to prevent people making tons of accounts on any service which either allows posting content or costs money to provide service. Email is generally okay for this.

Ultimately disposable email providers who continue to believe domain rotation is anything but an attack will force a far worse outcome, which I've already seen some major sites do: Only accept registration from Gmail, Outlook, and Yahoo accounts. (The Verge is one example where I know I had to register with a Gmail account and open a support ticket to change my email to my real email because they figured out the best way to avoid abusers on disposable email was to allowlist major providers.)


Life's too short to give a real email address to any random web site that requires registration. One reason is privacy, as they will inevitably sell one's data to a thousand data brokers. Second reason is to avoid having to deal with all the spam, that will again inevitably come. Even if unsubscribed from everything, we've change our policy emails and other nonsense will keep wasting one's time.


I have my own SMTP server that I use for all purposes. I have set up a separate address for each person/service that I use email with. If I receive spam or other unwanted messages, then it is easy to delete that email address, which will cause the SMTP server to return an error message to any client that tries to send messages to that address.


>Aliases you can discard are ad blockers for emails, disposable services are for bots, scams, and fraud.

What is the difference between the two though?

This kind of reasoning is why people can't run their own email servers anymore and instead have to rely on the big services.

>If you know the space, you'll be aware CAPTCHAs are trivially defeated today, regardless of the provider.

They are a lot more reliable than an email which is basically just a domain that anyone can buy and setup within mere minutes giving them access to endless email addresses.

>you generally need some sort of unique relatively hard to get many of identifier

Why not use phone numbers instead if the issue is truly important to them? This would cost spammers and bots way more money than emails.

Perhaps it's due to the fact that they won't be able to use the phone number to send their spam (or they could I guess, but it would cost them some money).


> [CAPTCHAs] are a lot more reliable than an email which is basically just a domain that anyone can buy and setup within mere minutes giving them access to endless email addresses.

CAPTCHAs also can be unreliable with false positives and false negatives and other problems (although some CAPTCHAs are worse than others). "CAPTCHAs are trivially defeated today, regardless of the provider" is just one more thing, that makes even more worthless.

> Why not use phone numbers instead if the issue is truly important to them?

Even telephone numbers you might not have, or might be shared with someone else (more likely to have shared telephone numbers than with email).


Another fun fact, of course, is that CAPTCHAs not only suck for most people in general, they're especially frustrating for blind users, people who have privacy settings in their browser (hi Cloudflare!), etc.

It's one somewhat irritating tool in the toolbox, but honestly abuse-enabling services like disposable mail providers really just need to be taken down. We need to stop giving free help to criminals. Privacy is vitally important, but that should look more like a web of trust, not a fog of anonymity. No, every site shouldn't know your phone number, but they should be able to assume that your email provider does or knows enough about you to be confident you are a real person they can transact with.


In your ideal world we would be all be:

- Be hooked to a bunch of paid plans for stuff that's currently free.

- At the mercy of all the big providers that could one day just decide to turn our account off without a reason.

- Receive more spam than we currently do as all service providers would have our email addresses. Although these would all be aliases, we would have to spend a decent amount of time organizing folders, identifying which aliases that are receiving the spam and turning these off without losing access to the account.

I referred to your other points in detail here also: https://news.ycombinator.com/item?id=40968143

I really enjoy that you challenge my views on this though as we both have the same goal of stopping abuse on online services, while at the same time preserving user privacy. Your plan would work if all service providers were honest and didn't abuse your trust, my plan currently works and I'm no longer getting emails from politicians asking for donations.


> At the mercy of all the big providers that could one day just decide to turn our account off without a reason.

This had me genuinely concerned when a lot of the superfuous account bans were happening on Twitter and Facebook around the 2020 election cycle. Retweeting a joke could knock you off, and I'd been using Twitter as a 2FA for many/most sites where it was offered at the time.

Now, I'm much more inclined to choose email/password options. I've also been using a wildcard domain for most new things. Ex: site@mydomain, etc for every site, store, etc I use.


That's funny in a bizarre way.

Imagine having to tell someone that you can't access your accounts because you retweeted something that wasn't deemed acceptable.

Perhaps if we're lucky we will advance to having the big corps create a social credit system for us as well, ha!


> What is the difference between the two though?

If you have a hundred aliases on say, Fastmail, and someone reports one of them, Fastmail can investigate the abuse you are involved in and can suspend your account. But the places you are using those aliases have no way to identify the main account of an alias, they can only report the alias, and Fastmail, the company providing your core service, is the only one that has the ability to deanonymize that relationship. Most of the services who allow these excess aliases are paid services or have identity checks, so other service providers can trust they will do a reasonable job to prevent abuse.

Meanwhile, if you bother to investigate how your service is being used, the percentage of users using it to abuse other sites will inevitably approach 100%. As bot spammers realize you're another set of free email addresses they can stack up, they'll swarm to each new domain you rotate to. If you are as privacy focused as you say, you'll have no tools at your disposable to regulate this either, they have plenty of IP addresses to work with, mostly compromised devices on residential IPs that are part of botnets, that will look like real users from a cursory glance.

> This kind of reasoning is why people can't run their own email servers anymore and instead have to rely on the big services.

That's why it's so fundamental that you understand rotating your domains is abuse, and it hurts the email ecosystem. Every time someone like you thinks this is okay, you make more service providers lock down what email domains they accept, punishing folks like me who just want their own domain on their email. Because disposable mail services do this, we all get punished for your bad behavior.

> Why not use phone numbers instead

Well, that's what a lot of major providers do. Gmail makes it much harder to get going without a phone number these days, mostly for that reason. I certainly don't want to have to give my phone number to every site I sign up with, but if that is, in your opinion better for privacy, by all means, enjoy the fruits of you screwing over email for this.


> Fastmail can investigate the abuse you are involved in and can suspend your account.

What if the Fastmail account is simply just using their free 30 day trial, how will they track the user then?

My point is that the malicious user will still have a way, while the legitimate user is punished by having to pay a fee to the email provider.

> Every time someone like you thinks this is okay, you make more service providers lock down what email domains they accept, punishing folks like me who just want their own domain on their email.

How about no one gets punished and service providers verify phone numbers instead of emails and we get to keep our inboxes clean?


> How about no one gets punished and service providers verify phone numbers instead of emails and we get to keep our inboxes clean?

There are plenty of scammer bots/accounts that get around this just fine.


I honestly am very concerned you are releasing this with clearly... no understanding of the Internet abuse space. To be honest, good luck, you will need it. Make sure your cloud service allows what you're doing, make sure you have cost controls in place, and make sure you already have a relationship with a good lawyer.

(Trials usually both restrict features like this and require valid payment info is already entered, having websites all ask for people's phone numbers is way more privacy-invasive than asking for their email, and of course... you can keep your inbox clean without disposable email.)


> I honestly am very concerned you are releasing this with clearly... no understanding of the Internet abuse space.

I've given this some thought over the years so I know where I stand morally. As I've mentioned several times already, the issue lies in the service provider for forcing the user to give up their email address, in the majority of cases it will end up with you receiving spam from many different sources as your address will be sold, leaked and more.

>good luck

Thanks for the motivation!

> Make sure your cloud service allows what you're doing, make sure you have cost controls in place, and make sure you already have a relationship with a good lawyer.

Yeah, it's an expensive service to run (if you want to run it properly at least), but as long as it helps users and I see people sending in positive comments through the contact form, it will give me the motivation to continue.

A close friend of mine is a lawyer also so the day it becomes illegal to receive emails, I'll have to give him a call.

>Trials usually both restrict features like this and require valid payment info is already entered

That's good at least, but what I'm trying to say is that anything can be abused, the same way that the

>having websites all ask for people's phone numbers is way more privacy-invasive

It costs sites way more to send out texts than it does to send out an email, I'm sure that if we were to look at the overall amount of spam one receives in their lifetime, then we would see a great decrease. It's also a lot easier to stop spam coming from phone numbers as they are all registered and regulated compared to emails that aren't.

> you can keep your inbox clean without disposable email

You can also walk to the destination without taking a car, you can get fit without going to the gym and you can cook a meal without a recipe, but it won't be as convenient.

---

I'm starting to sound like a broken record as I'm just repeating myself, but to summarize things, we are both on the same page as our goals are to stop spam to users and abuse of services. The majority of the times an email address shouldn't even be needed and when it comes to sites where spam is more prevalent (e.g you mentioned The Verge), then they could simply verify your phone, payment details and a ton of other measures (captchas, checking IPs, rate-limiting, etc).


I've come to the decision to charge $5/year for a site I'm going to put online in the next year... only to cover the transaction fees and mostly actual costs. If it takes off, should at least pay for itself and discourage fake accounts. But not every site/service will get that many people to even pay that much.

On the latter bit... not sure if I completely disagree with that take as well. As much as I also dislike SSO for other reasons, it is nice as at least some level of validation.


I think that completely depends on what the service is, but I don't think users would have anything against paying a few dollars if they find the service valuable, especially now when there are so many payment processors available.

Best of luck with the service also!


For that matter, it's pretty easy to setup a catch all address forwarder. Cloudflare offers this, as did Google Domains. Not sure if Squarespace still offers this explicitely, been meaning to try to get out of Squarespace since the shift. Mostly been lazy.


Fuck captchas


I'd rather fill out a captcha when I sign up than having to drag emails to spam on a daily basis so I can find emails that are actually important.


Outlook lets you add aliases, but your real name is still in the display name if you send out emails.


This is what the top sites do, e.g. temp-mail.org

And they also don't allow you to view all the active domains which helps against getting blacklisted quickly


I find it amusing that a .org site (temp-mail.org) has ads all over it while a .com site (temporarymail.com) does not, given that .org was mostly used by non-profits while .com is intended for commercial use.


It's not 1997 anymore. Anyone can buy any domain name and use it for any purpose. Except .gov and .edu obviously


I remember when this was a thing like back in the early 2000s, but nowadays everyone bombards their users with ads regardless of TLD.


Non-profits still have bills to pay...


Kind of compromises the mission alignment and trust though if it's through ads.


OpenAI is a non-profit.

(Kinda like a penguin is technically a bird.)


That's not really true because they used to have the same mail server so if you found one domain, then you could easily find the rest of the domains too.


I wouldn't call it "easily" as you need a way to reverse lookup for all MX hostnames that resolve to a given IP address. Obviously they can rotate the IP address too, to further complicate things.


They use the same IP and their domains are all listed here: https://verifymail.io/domain/carspure.com

I have to admit that they have improved though as earlier they were all using the same MX records, now at least each domain has its own.


Yeah the first one I learned about was mailinator and it worked for a good while but I think throwaway email services get blacklisted pretty quickly now, at least among people who don't want you to use them for whatever reason.


True and perhaps more weight is being put into detecting these nowadays.

The only reason the service provider requires your email address is to access your data.


How about redefining the problem a little bit so that it is something else than what others are doing?

For example, the platform approach? Allow people to easily set up a temporary email service with their own domain. That would go around the problem needing changing domains all the time. You could make it easy for people to search and buy their temp email domain through you.

Or if that is too much, work, allow people to self-host your service by open sourcing it and creating Docker compose configurations etc.

I would personally also write a spec for one-click account delete link that can be recognized automatically, sent with the email. If that takes traction, then it would benefit everybody. It just might, as it benefits the service provider the most.


Worth mentioning, if you want a docker-compose ready email server/service there's mailu[1]. It's relatively easy to get up and running, and will guide you through the DNS records for secure mail. I've got a couple test domains up so far, and it's mostly been good. Some outlook.com (not o365) domains have been problematic though, I'm sure everyone has stories here.

If the article's solution were open-source, would be interested in seeing the UI/UX. I also looked into WildDuck with great interest but the lack of good UI/UX is mostly what held me back. If I didn't have to work for a living, and was less lazy, I might have written something.

    1. https://mailu.io/


That's great advice and although there's already an open source solution available, there's some hassle involved in setting it up.

I will definitely look into these solutions and although I've seen some of them around, there could maybe be a way to implement a better alternative that's both easy to use and safe so it doesn't get abused.


I don't think I would pay for temp email service, or be bothered to set up open source one by myself. But if I could buy a throwaway domain name from company that specializes in temp emails as a package deal, then I would be tempted.


Right, that actually sounds like a decent idea and since the users would then have verified themselves with their payment details, it would reduce the risk of abuse.


Yup. And I don't think I would care too much about the actual domain, because, well, it would be a throwaway domain. It could be some random characters even. Which means you could possibly buy very cheap domain names in bulk, and re-sell them with low retail price, and profit the difference. The temp email service that you would provide "for free" would be the reason to buy from you.


Got it, this could perhaps work and the downside would however be that the user wouldn't have complete control over the domain, unless DNS control is provided and before I can say the word, I'd be a domain name registrar.

I think it's cool idea though and I might give this a shot, thanks for the idea and if I do implement this then feel free to contact me through the form and I'll set "lifetime" account up for you!


I remember using spamgourmet service back in the day, and it had a feature for forwarding emails with an implicit counter. So foo.c@spamgourmet.com would be forwarded three times (c=3), and the rest would be eaten.


It's a great service that I used myself many years ago and I was sad to see them shut down, but it seems as though they are back now.


I'm always a little suspicious of these services. People use them to create throw-away accounts, which they abandon after one use. Those accounts remain active and are useful for botting (vote manipulation, comment spam, etc). Whoever owns the email domain can do a password reset to do an account take over.

I'm curious about the privacy policy. The title says that you don't have ads, but there's tons of discussion about sharing information with ad partners.


Yes, just like all other email providers nothing is encrypted and you could totally look at the emails.

The difference here is though that there's nothing of value.

If I wanted to use this for malicious intent, then I think the most valuable thing I could get away with would be a 5% discount coupon.

I like that you bring this stuff up though as it could perhaps be good to mention this on the site down at the FAQ so people don't think I'm doing something shady with the service since there are no ads.


> If I wanted to use this for malicious intent, then I think the most valuable thing I could get away with would be a 5% discount coupon

Or spinning up hundreds of accounts on a website so you can perform card testing. Or creating accounts so you can put all of the inventory for an e-commerce site into carts to reserve it for yourself. Or running sneakerbots. Or any other malicious intent where the victim is the website operator.


Again, wouldn't it be easier for the attacker to just buy a domain and use that completely undetected instead of having to use a rate-limited disposable email service?


You're assuming they're doing it hundreds of times a minute. Often they're signing up for the accounts by hand to get through the captchas. The rest of it can be automated


That's what I would assume most of them are doing, yes.

In this day and age I don't understand why they wouldn't be able to just use a headless browser instead of doing it manually - has labor really become this cheap?


Captcha and rate limiting solutions are extremely good at stopping completely automated signups. It's far easier to pay someone in India a few bucks to sign up for a hundred accounts so you can do card testing than it is to run a server and write software for it. Hell, most of these people probably aren't even programmers.


I think that's for the small players though as this should be pretty slow, expensive and have the risk of the "employees" stealing the data (the business they are in is practically stealing so I don't think they have high morals).


> People use them to create throw-away accounts

A separate use case is when there's a free download that's email-gated, rather than account-gated. Examples would be Gumroad, certain 3D print platforms and such. I'd rather not wind up having my email just be added to some marketing list.


If I'm using a temporary email service, I'm using it specifically because I don't care if the account gets taken over, though.


Oh, the threat isn't to the user. They don't care about accounts they have abandoned. The threat is to services that suffer vote manipulation, spam, etc. The benefit of this approach is that you've got a bunch of abandoned accounts that were organically created (captchas solved, residential IP ranges, etc.)


I don't think there's any value in that though.

You can get all the stuff you mentioned for a fraction of the time and money it would cost to create a disposable email service and then you would also only target the service you wanted instead of sitting around and hoping that a user creates an account at the site you're looking for.

The real value would in the reputation and history of the account (e.g a popular account on a social media site or community) and this isn't a thing that someone would use a disposable email service for as they wouldn't want to risk losing access to the account.


There's a whole industry around detecting these and placing them on block lists.


Could you recommend a few solutions or companies? I'm looking for such a solution at the moment. Thanks!


This discussion isn't going in the direction I was hoping for, ha ha!

But as a developer of these sites I've used the majority to check my own domains and the most reliable one I've found is https://www.ipqualityscore.com/

I strongly recommend that you take another look at your signup process though and don't require users to give up their email addresses, instead make it optional and present an alternative like a captcha.


I've never evaluated any myself, but became acutely aware of them after launching my own temporary mail service as a learning exercise. I think there's a github repo somewhere that's regularly updated with a block list of these cycled domains though.


There are plenty just like there are IP lists for VPNs.

Feel free to share a link to your service as I'd love to check it out and best of luck running it also!


verifymail.io is a pretty decent source, though I don't know what they charge for API access.


they're honeypots.


Most such services are blacklisted, or very soon to be blacklisted. You can use Gmails and rotate them, and use "." "+" "number" tricks though, but typically, use Gmails is the way to do.


The problem with using gmail variants is it's easy to transform terr.yc.ody+abc@gmail.com into terrycody@gmail.com, and spammers or spammer suppliers can do that automatically.


That's another way yes and I've actually seen another site do this, but I wasn't able to find it in my browser history.


Maybe you are referring to https://www.emailnator.com/, it utilized that trick


Exactly, that's the site I had in mind although I'm pretty sure it had another name before (could perhaps also be the reason to why I didn't find it in the first place).


Why generate the random names on the server? That could just be done on the client, reduces load and is faster.


It's a pretty big list of names that I've scraped together.

There's barely and load on the server to generate the names and it only happens once for the new users so it wouldn't be worth putting that load on the client just for that one time, especially not with the traffic it's currently getting (currently around 1k users/day).


> Made this privacy conscious temporary mail extension

> Enable JavaScript and cookies to continue

It's not privacy conscious. Privacy conscious would mean A) does not use Cloudflare as a CDN B) does not require JavaScript C) does not discriminate against Tor users.

There are a few services like this already, which I'm not going to spoil for cred on HN, but my rating of this site as of now is 0/10, unusable in the literal sense.


A) The connection is fully encrypted.

B) That would make the UX horrible.

C) I had Tor enabled in the beginning, but when I got complaints from people on Tor doing really shady stuff with it I had to disable it.


The woes of supporting an "I don't want to leave any crumbs" threat model. There are countless of pro-privacy projects who call themselves that simply because their service can be used to increase privacy, but they do not actually do much to protect privacy beyond that. Many even use Google Analytics.

For B, simply support both. This site is popular enough for there to be no risk sharing: Guerrilla Mail.


Take a look at your network requests though, there isn't a single third-party script running on the site.

I understand what you mean, but it has to apply to the use-case. If the service I was running was to support journalists, then I would agree with you, but taking these measures would help promote spam as users would be able to get around the rate-limiting that I've set.


how do you know you're following "the" RFC correctly? And which one is that? There are several different standards just for email addresses themselves, which almost everyone gets wrong. Did you know addresses can have quotes and parentheses in them?


I didn't know at first and it was hell as when I first delved into this I thought it would be a simple task as it would be some agreed upon standard like JSON behind the scenes, but from what I understood emails were created a long time ago and some providers did things differently.

The majority of the work was done through testing lots of emails and I must have sent at least a thousands emails to myself from different providers and sites.

I've deleted the bookmarks in an attempt to reduce the PTSD it caused, but I think the main one I visited was RFC 1341 as I had some difficulties understanding the boundaries and encoding.

What was really tricky is getting it to work with all the different types as some emails didn't have boundaries while others had them, some were encoded entirely in base64, some partially, some of them were just plaintext, others were HTML while some were mixed or even offered multiple versions depending on what the email client supported.

Best thing is honestly to try it out and just pick a random address and send a really tricky email to it, would love to see you break the parser and telling me so I can improve it.


Do you have a commercial interest or is this just for fun or a kind of public service?


Just for fun.

It started with me getting annoyed with SHEIN as they sent out spam to me and their unsubscribe link was set to localhost (127.0.0.1 - they are still using this last I checked) and in the same time period I found a suitable domain at an auction so I thought I'd give this a go.


I was wondering whether you had ever considered developing an alias email service instead of temporary email? Many users who use temporary email services may soon be blacklisted. Personally, I believe that an open-source service such as Addy (previously AnonAddy) has a brighter future. I am not a technological specialist, therefore I can just mention on the user side.

Regardless, I appreciate your efforts to help the community. I wish you good health and success.


If I'm not misunderstanding you, the same should go for aliases as they will be flagged as disposable addresses as well. I also noticed that Addy allows users to send emails through it, which is a risky process as it requires close monitoring so spam isn't sent out through the service.

I will take a closer look at this and see if it's possible to improve it in some way.

Thanks for the kind words also and the same to you! =)


Simple Login (SL), Addy (AD), and DuckDuckGo Email Protection (DDG) are the 3 alias email services I use. Both SL and AD can send and receive. DDG only receives. You can disable the sending direction and simply allow the forward service to run. I believe you will be able to handle this technological challenge. SL and AD are free for 10 aliases, but AD also includes PGP in the free tier. DDG allows for unlimited aliases but does not support PGP; nonetheless, it is free.

How great would it be if you could combine the benefits of such services?

I appreciate your time.

SL: https://simplelogin.io/

AD: https://addy.io/

DDG: https://duckduckgo.com/email/


Thanks for the advice and I'll look into supporting email forwarding, but I'm not sure why users would need PGP.


You can look at this https://sequoia-pgp.org/blog/2021/06/29/202106-yes-we-want-c...

I quote a section that corresponds to my situation

>Email is everyone’s primary trust anchor online

>If a user loses access to an online account, most services have an account recovery mechanism that will let the user back in. Usually, this works by sending an email to the user with a one-time password.

>If an attacker compromises a user’s email account, they can use the same mechanism to gain control of the user’s account on any service that uses the email account as a trust root. In practice, that’s most of the user’s online accounts. Unfortunately, two-factor authentication only offers limited protection. It is opt-in and usually uses a phone number, which is easily hijacked.

>If account recovery emails were encrypted, the trust anchor would instead be the encryption key. Since the encryption key is stored on the user’s computer, this would defeat this type of attack.


Can you give me an example of who would be sending you emails with PGP though to your disposable email address and why?


I'm not referring about throwaway emails. I'm merely referring to email aliases.

Nobody will send PGP encrypted email to an alias email address. The email alias will route emails using PGP to your inbox.

> Sender (without PGP) -> Alias (with PGP) -> mailbox


Got it, that makes more sense and could actually make your inbox more private as the email provider won't be able to snoop into your emails to gather data to "make your ads more personalized".

I'll look into this now that it makes more sense, thanks for the advice!


Thanks for providing a valuable service to the Internet community and good luck :)


Thanks for that comment, refreshing to read amidst this war zone of a comment section, ha ha! :)


Can I receive email with attachment?


Is there a link to the mail parser itself?


No, I wrote it in PHP and I didn't want to get an angry mob after me.

I've been thinking about open sourcing it if anyone would want it, but right now the site has way too little attention for it to get any traction. It's a really neat script though and it's also just one file and supports all the different kind of emails (with/without boundaries, base64 emails, attachments and some other stuff).




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: