Rendered at 20:20:15 GMT+0000 (Coordinated Universal Time) with Cloudflare Workers.
thenewnewguy 5 hours ago [-]
The article author attemps to make a distintion between "burners" and "aliases" but I don't believe one exists for this usecase. Let's say for the sake of argument that you think blocking burner emails provides meaningful protection (I don't, but services using such a list obviously do). From your perspective, an "alias" is the same as a "burner". Both can be easily generated in bulk by a human or bots, cannot be resolved to an identity, and cannot be compared to determine if two emails are the same person.
pushcx 2 hours ago [-]
Or it's a distinction without a difference to the site owner. Ever prod service I've run has seen significantly more abuse from human users using alias services, especially protonmail. I'm not surprised that some owners have chosen to block it entirely, given their resources, but I'd prefer to see it used as a signal in a more sophisticated system if possible.
drdexebtjl 4 hours ago [-]
What kind of hide-my-email providers give you unlimited aliases that can be created in bulk?
It’s definitely against the ToS for the ones I’ve used.
One could give the same argument for blocking Gmail. You can create Gmail accounts in bulk, you can’t resolve them to an identity, and you can’t compare them to determine if they’re the same person.
The difference is that you trust Gmail to enforce their ToS, do KYC and ban people abusing their service. Should you?
croes 4 hours ago [-]
> cannot be resolved to an identity, and cannot be compared to determine if two emails are the same person.
How do you do that with gmail addresses?
jeroenhd 4 hours ago [-]
The people who want privacy and the people you want to block are using the same services and techniques. That's why web firewalls block privacy focused browsers, why TOR exit nodes are blocked from bald the internet, why email providers block new domains, and why sign-up forms block burners ("aliases" as you might also call them).
You can accept privacy enhancing measures but doing so hurts your ability to filter spam and other abuse.
I use these burner email services all the time because nobody on the internet can be trusted. Especially not the ones that try to lure you in and pop up an email registration box at the very last minute.
Bratmon 3 hours ago [-]
The "Anyone can use this to do anything they want in total anonymity and privacy" to "oh no bad people are using this to do bad stuff" pipeline is eternal.
is_true 4 hours ago [-]
Haha. I run a service that compiles IP addresses used by proxy services and a few months ago my own IP got there.
Turned out to be a friend that installed an app to watch soccer matches for free and in return he became a node of one of those services.
chucksmash 4 hours ago [-]
Sharing network access? That's not friendship. That's a tenth anniversary wedding gift.
jambalaya8 4 hours ago [-]
The easiest and best way is to rate limit the number of signups from a domain per day. You might still get people trying to bulk signup but as the article states, most large spam operators do not really use those domains anyway. Of course there are plenty of small time scammers to make up for that lack, so to speak.
I personally use burner emails when I want an account somewhere but would prefer not linking all of my personal interests and necessities to the same few email addresses. It just seems smart.
It is frustrating to try to make it clear you are not attempting to bypass authenticity controls, especially when AI can so frustratingly create text posts that can seem realistically 'human'.
Maybe someone will come up with a better way to attempt to add privacy back without ripping it away in the name of attempting to add it.
Though, I mean, that's been the issue since the 1990s: security or privacy, hard to have both, and yet difficult to have either without the other.
christina97 4 hours ago [-]
There is no one-size fits all solution here. It comes down to what the cost of spam/fake accounts is, the level of sophistication of your adversaries, and the cost of loss of use to legitimate users blocked by your signup gates. Each site has their own weighting across these factors.
xena 4 hours ago [-]
I think this post was written by an AI model.
jeroenhd 4 hours ago [-]
Interesting, what makes you think that? A quick scan through the text didn't highlight any of the usual slop marks that stand out to me.
GuinansEyebrows 5 hours ago [-]
His own petard?!
observationist 5 hours ago [-]
He was petarded quite hoistily.
gruez 5 hours ago [-]
Reminder that apple provides burner emails that are effectively unblockable (because they use the @icloud.com domain, at least for now[1]), for $0.99/month.
$50/year and Fastmail will let you alias anything@yourdomain.com to your inbox. I use a different email for every company or website I interact with, so I know who spams me.
rz2k 5 hours ago [-]
I’ve surprisingly found that I have started to have to use mydomain.com with Fastmail. Sometimes banks used for a business account, or accounts at b2b companies don’t treat fastmail.com as a large email provider, and otherwise try to associate me with other fastmail customers as though we are colleagues at Fastmail.
Normal_gaussian 5 hours ago [-]
This is genuinely hilarious. Are you able to elaborate? Which banks? Which B2B? There is probably a shared product stack here that is making some hilariously poor decisions.
rz2k 4 hours ago [-]
I couldn’t figure out why US Bank business card applications using a sole proprietorship EIN kept disappearing into a black hole or being denied. Eventually after a few phone calls they complained about the email address.
The other was ferguson.com, so that I could order specialized furnace parts and larger diameter plumbing fittings than I could order from Home Depot. I don’t remember the details, but I think the Ferguson business application kept trying to autofill an address for me. It probably would have required a confirmation from the person who had been turned into the administrator of “fastmail” before I could have been added to their organization and been able to make purchases using their account.
It might not be a problem at larger suppliers like Grainger or Digikey, but it does suggest a vulnerability if you set up a corporate account at a small supplier using a fastmail address. Their backend could assume that anyone able to receive emails on “your” fastmail.com domain is at least authorized by your IT department to use email. If they assume your IT department has an email retention policy, then they might default to treating it like your problem if one of your employees makes an unauthorized purchase.
OptionOfT 32 minutes ago [-]
You can go to outlook.com and add unlimited aliases for your @outlook.com account.
T0Bi 5 hours ago [-]
My domain at Hetzner including mail costs less than 20€/year and all emails to <whatever>@mydomain.com which are not part of predefined mailboxes land in my catchall@mydomain.com mailbox.
Normal_gaussian 5 hours ago [-]
Do you have sending from the incoming address setup? If so, using what?
jambalaya8 4 hours ago [-]
Services like this are great for some things, like adding and removing forwarding, and vacation mails, and organising mails to make life and work easier, but the provider still links everything. It is only, at best private in a single direction. That is fine for some things, not so great for others (and it has nothing to do with legality).
drdexebtjl 3 hours ago [-]
That doesn’t provide additional privacy, however, because it’s easy to determine that all emails at @yourdomain.com belong to the same user, so you can be tracked across services.
no_input 5 hours ago [-]
I love this feature from Fastmail but I have used a few websites (smaller of course) that will not accept anything outside of the big few email domains.
Lt_Riza_Hawkeye 5 hours ago [-]
ImprovMX will do that for free...
CharlesW 5 hours ago [-]
Apple (like any email provider that conforms to RFC 2822) supports plus addresses as well.
teddyh 5 hours ago [-]
Are you implying that plus addresses are part of RFC 2822? Because they aren’t. AFAIK, no RFC documents specify the plus address convention. The RFCs merely specify that, in an email address, whatever is to the left of the @ sign is to be interpreted by the receiving system, and nobody else should make any assumptions about any of it, and certainly never alter it. And also that the + character is one of the many permitted characters to the left of the @ sign in an email address.
The plus address convention is just that, a convention, widely implemented by many email programs and servers, but not required by any standard, nor universally implemented.
5 hours ago [-]
john_strinlai 5 hours ago [-]
its talked about in a proposed standard, at least.
Any illegitimate email collection service already knows to strip out email subaddresses.
If you’re trying to avoid email spam, there’s not much difference in giving someone myname+foo@gmail.com versus just myname@gmail.com.
eli 5 hours ago [-]
You could just use my.name@gmail.com for the no-alias version. So myname+foo@ works and my.name@ works but myname@ goes directly to the trash.
gruez 4 hours ago [-]
That can also be normalized.
joshuaissac 3 hours ago [-]
The normalised version is what gets redirected to trash, according to GP's proposal. Legitimate senders who do not normalise have their mail delivered to the inbox.
edoceo 4 hours ago [-]
Yea, gotta take all dots out on the username portion of Gmail address
urbnspacecowboy 4 hours ago [-]
In which case the Gmail user knows to mark mail without any dots in the address as spam.
eli 3 hours ago [-]
That's the version that goes directly to the trash.
Larrikin 5 hours ago [-]
It's become a fairly regular occurrence that any email with + just shows an error saying the email isn't valid. Bad actors can also easily strip it out after
joshbetz 5 hours ago [-]
Bad actors can just strip the plus part of the address
hoppyhoppy2 5 hours ago [-]
Fastmail costs $60/year now, at least for new signups
MarioMan 5 hours ago [-]
Cloudflare offers this for free as well.
washmyelbows 5 hours ago [-]
proton too
jedbrooke 3 hours ago [-]
I find they still get blocked occasionally :(
mindslight 4 hours ago [-]
"I never thought the leopards would eat MY face," sobs dude who contributed to the leopard-owned face eating industry.
There has never been a good argument for attempting to filter email addresses based on domain. Check address syntax on interactive forms purely to help users (did they fat finger something). Whatever well-formed address you've got, fire off emails and if they can receive them then it's a legit address. If you want to rate limit signups, then do so per-domain or per-mx, the same way you might limit incoming connections per-ip. That is the extent of guarantee that email provides you - trying to step over that demarc point is a control delusion.
Even outright throwaway domains like mailinator.com - if a user is giving you this type of address, it says more about your own requirement demanding an email address rather than the user themselves.
jeffbee 4 hours ago [-]
Yes, and "well-formed" consists entirely of text on both sides of an @. Do no further validation.
xyst 4 hours ago [-]
i have my own custom domain with a non ".com" TLD for e-mail and the number of services that reject sign ups for this purpose are way too high.
notably, micro center _was_ an issue but had to raise exception.
amukbils 4 hours ago [-]
IDK man .. many services really just don't even want to deal with a sign up they are never going to reach. By using a disposable email, you're telling the business, I want to use your service, get value, but I don't really want you to reach me. To them, it sounds like a loss loss situation. Business are there to make money, and they offer a signup/trial/free account so they can give you access in exchange for being able to reach you.
But I do sympathize with the stupidity of marketing email madness.
drdexebtjl 3 hours ago [-]
The article specifically calls out for the distinction between burners and aliases.
If you give a business a hide-my-email address, they can reach you at that address indefinitely.
amukbils 3 hours ago [-]
Hence my response:
> Aliases are fair game .. for organization for just hiding your own email to limit tracking.. that's fair .. but bad, known disposable email generally just costs too much and is too risky for businesses.
amukbils 4 hours ago [-]
Aliases are fair game .. for organization for just hiding your own email to limit tracking.. that's fair .. but bad, known disposable email generally just costs too much and is too risky for businesses.
It’s definitely against the ToS for the ones I’ve used.
One could give the same argument for blocking Gmail. You can create Gmail accounts in bulk, you can’t resolve them to an identity, and you can’t compare them to determine if they’re the same person.
The difference is that you trust Gmail to enforce their ToS, do KYC and ban people abusing their service. Should you?
How do you do that with gmail addresses?
You can accept privacy enhancing measures but doing so hurts your ability to filter spam and other abuse.
I use these burner email services all the time because nobody on the internet can be trusted. Especially not the ones that try to lure you in and pop up an email registration box at the very last minute.
Turned out to be a friend that installed an app to watch soccer matches for free and in return he became a node of one of those services.
I personally use burner emails when I want an account somewhere but would prefer not linking all of my personal interests and necessities to the same few email addresses. It just seems smart.
It is frustrating to try to make it clear you are not attempting to bypass authenticity controls, especially when AI can so frustratingly create text posts that can seem realistically 'human'.
Maybe someone will come up with a better way to attempt to add privacy back without ripping it away in the name of attempting to add it.
Though, I mean, that's been the issue since the 1990s: security or privacy, hard to have both, and yet difficult to have either without the other.
[1] https://news.ycombinator.com/item?id=48559935
The other was ferguson.com, so that I could order specialized furnace parts and larger diameter plumbing fittings than I could order from Home Depot. I don’t remember the details, but I think the Ferguson business application kept trying to autofill an address for me. It probably would have required a confirmation from the person who had been turned into the administrator of “fastmail” before I could have been added to their organization and been able to make purchases using their account.
It might not be a problem at larger suppliers like Grainger or Digikey, but it does suggest a vulnerability if you set up a corporate account at a small supplier using a fastmail address. Their backend could assume that anyone able to receive emails on “your” fastmail.com domain is at least authorized by your IT department to use email. If they assume your IT department has an email retention policy, then they might default to treating it like your problem if one of your employees makes an unauthorized purchase.
The plus address convention is just that, a convention, widely implemented by many email programs and servers, but not required by any standard, nor universally implemented.
https://www.rfc-editor.org/info/rfc5233/
If you’re trying to avoid email spam, there’s not much difference in giving someone myname+foo@gmail.com versus just myname@gmail.com.
There has never been a good argument for attempting to filter email addresses based on domain. Check address syntax on interactive forms purely to help users (did they fat finger something). Whatever well-formed address you've got, fire off emails and if they can receive them then it's a legit address. If you want to rate limit signups, then do so per-domain or per-mx, the same way you might limit incoming connections per-ip. That is the extent of guarantee that email provides you - trying to step over that demarc point is a control delusion.
Even outright throwaway domains like mailinator.com - if a user is giving you this type of address, it says more about your own requirement demanding an email address rather than the user themselves.
notably, micro center _was_ an issue but had to raise exception.
But I do sympathize with the stupidity of marketing email madness.
If you give a business a hide-my-email address, they can reach you at that address indefinitely.