Using mail.mailinator.com as the MX record is something that almost all tools check to ban disposable email addresses. The only real thing that works for them is to renew their domain pool as fast as they can. In our service at https://apility.io we check for MX records of very well known DEPs, and also we crawl the web to try to keep an up to date list of these domains.
This is one of the most pointless anti-abuse measures you could implement, since a Gmail account can be created in about 20 seconds with no identifying information.
I've created 3 new Gmail accounts in the last year and I've never been forced to enter my phone number. Either it's a myth or the rule magically never applies to me.
Lots of Google rules don't apply to specific, known-to-google "mes".
Google knows who you are by your devices, IP addresses, browser signatures, cookies, and other metrics. They don't need to verify your identity anymore, in fact they could probably tell you things about yourself that you don't even know.
I'm going to guess it's the latter. I'm unable to log into some of my existing gmail pseudonymous aliases because google refuses to let me log in without providing a phone number (ostensibly for my own security, IIRC to enable 2fa, even though it doesn't make any sense).
An existing email account is something worth protecting. It's OK to allow a few extra false negatives while signing up, compared to accessing an existing account.
Wouldn't it be up to me to decide if I want to enable 2fa?
Provided Google has a lot of info about me, they can probably tie those accounts to me anyway, but I'd rather not formally associate them with my public identity.
There's some sort of complex formula that determines whether you need to provide a phone number, based on how many accounts have been recently created from your device, IP, etc.
IIRC, and my memory of it is faint, they don't seem to require a phone number if they can otherwise identify you. For example, try it via a VPN or Tor.
Some people use DEA to abuse trial services of SaaS, for example. They register again and again after the trial has expired. These users consume resources but they never effectively become customers. Some companies ban users using DEA, anonymous proxies, TOR, VPNs... or even Free Email addresses (the conversion rate comparing a user registered with his or her company email and a Free Email (gmail, hotmail, protonmail...) is much higher).
I am well aware of that feature gmail has and have abused it in the past with many websites, but the parent said that some SaaS platforms block gmail altogether. It seems like a shoddy fix if you can get a really cheap domain and essentially do the same to register accounts.
Yeah, it's like putting extra locks on the front door while the back door is wide open. However, most people would try the front door first.
A lot of domains have that feature btw. Gmail's specific feature is with the dots functioning as catch-all [1] (though Facebook apparently has the very same feature).
Except sites that mistakenly disallowed the + symbol.
Also, it's very easy to mechanically identify all such users because of the + symbol, which, if you are trying to prevent your real email address from being revealed, means it's not that useful...
Regarding the former, my ISP allows me to set a forwarding email address. I could temporarily use these until X date or until they receive (a lot of) spam. Though all spam gets filtered anyway.
Regarding the latter, when they email you directly without the + you can be very strict. You could even apply whitelisting.
Actually I do. I bought a domain of my shortened initials and this domain catches all the emails sent to it. Every entity gets a custom address: [email protected], ikea@..., Etc.
I use Fastmail's subdomain addressing [1] to sign up for services in a very similar manner. I'm certainly sympathetic to bad services abusing the privilege of having your email address. My contention is that while this is the purported benefit of mailinator.com, in reality many people use it to abuse services.
In other words, there's a big difference between using ikea@ and saastrial1@, saastrial2@, saastrial3@,.. and so on to keep signing up for trials with the same SaaS provider.
It's really a shame when online services make overly broad generalizations like this. I use disposable email addresses for all of my services, because they are the most effective way I've found to manage spam. (They also have the side benefit of a little added security when someone hacks Site A's account database and tries to use the email addresses to log in to Site B.) When a potential provider tries to coerce me in to exposing my keeper address, it signals to me that they (a) put their own convenience before my security, and (b) don't have a particularly good understanding of the internet. For both those reasons, I take my business elsewhere.
Even worse are the sites that happily accept disposable email addresses and claim to send a verification message, but never actually send it. This wastes my time with rummaging through spam filters and polling my inbox, wastes their time when I contact support to find out wtf is going on, and is generally just (c) a terrible experience.
Your modus operandi means you cannot share your e-mail address whereas my spam filter is so good that the amount of false positives and false negatives is negligible.
> (They also have the side benefit of a little added security when someone hacks Site A's account database and tries to use the email addresses to log in to Site
Using a password manager plus randomly generated, complex passwords mitigates that problem entirely insofar that your accounts can be used on different websites.
Both our solutions do not mitigate the doxing issue. A way to deal with that is removing your personal details whenever they're unnecessary (e.g. changing/removing them after you ordered something). Artifacts might still remain though, and faking them is probably illegal. It can lead to issues as well. My mother always gives a fake DOB akin to her own when she doesn't trust it, or gives a slight variant of her name. Then she knows something is wrong. Pretty clever, esp before this century.
> Of course I can. I don't know what you're getting at.
I was referring to it as an adaptation of the way I do it.
Your way of doing it is introducing another hop/point of failure and either adds a subscription, or having your addressed e-mail public.
> Doesn't solve the spam problem (which is what we're discussing here and the focus of my comment), and introduces its own problems.
I don't have a spam problem. Get an ISP or mail provider with some decent filters. Mine's been stopping spam since the '00 or something. Sometimes the spammers caught up, but only very temporarily. I don't have a spam problem. I use the + to figure out how people (i.e. marketeers/bots) got my e-mail address.
Also, a password manager does not introduce any meaningful problems.
> They register again and again after the trial has expired
This is great! You have users who are using your product, how could you not be happy? Find out why they are not converting, perhaps your offer isn't that great for their demographic? Note that even if they didn't pay for your service, they may be your biggest fans who may recommend your product to other people. DEA users are usually tech-savvy types, they are also the kind of people who are the early adopters when it comes to tech (since they were able to figure out how a DEA works & how to use one), and are probably the ones who normal people go to get advice. Don't forget that even if not a paying customer, they are still a customer in the sense that they could review your service or refer others through word of mouth! If you're blocking DEA services, it may end up costing you more.
That's a whole lot of "what ifs". I'd rather just block people that are consuming resources and potentially affecting service levels for actual customers (or people that will actually convert). The situation you paint might be true of a very small percentage. But more often than not it's just people that want to use something without paying for it.
So don't let people use your services without paying! A trial is only a trial if it locks or stops the user from using it after a trial period. Freemium models that limit the number of uses aren't a trial.
The trial does stop the user from using it after a trial period. If you want to fault anything, it's using an email address to equate to a user. Fine. I'm guilty as charged. But, it's pretty common. Most legitimate users of a service want as frictionless a setup as possible.
Ultimately, my solution was to start requiring a credit card at sign-up. Shockingly, not a single mailinator.com address was used from that point forward and my conversion rate barely changed. But, it sucks I had to do that. There were people that legitimately wanted to try the service out that were put off by requiring a credit card so early. I personally hate providing a credit card for a service I haven't even tried yet.
I appreciate your reply, but I think it's an entirely toxic mentality. My business model isn't freemium because you could game the trial process (and violate the terms of service). And I shouldn't have to grossly restrict the trial to deal with mailinator.com sign-ups. Say what you will about mailinator.com, but it was hands-down the largest source of abuse of my CI-like service. Everyone else played by the rules and enjoyed a liberal trial to get familiar with the product.
Tons of trolls use disposable email addresses to register multiple accounts for forums and similar to harass others. I block most of the popular mailinator domains for my larger public forums (200k+ users).
As I mentioned elsewhere in the thread, I never understood why they don't just obfuscate the MX names.
A service like yours would certainly have no trouble noticing the fact that the MXes all have the same IP address as Mailinator, but, right now, anyone can just do a lookup and simple string comparison themselves, without paying.
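Added example, not code from any commenter or from apility.io: a Python check that implements both the plain MX-name comparison mentioned in this thread and the fallback the comment above describes, comparing the address an MX host resolves to against the mail server of a known disposable provider. DNS answers are injected as constructed sample data so it runs offline; mail.mailinator.com is the only real hostname, and the other names and TEST-NET addresses are made up.

```python
import ipaddress
from typing import Callable, Dict, List, Set

Resolver = Callable[[str], List[str]]

# Constructed DNS data standing in for live MX and A lookups. mail.mailinator.com
# is the host named in the thread; every other name and every address below
# (RFC 5737 TEST-NET ranges) is invented for this example.
SAMPLE_MX: Dict[str, List[str]] = {
    "mailinator.com": ["mail.mailinator.com."],
    "fresh-dep.example": ["mx1.fresh-dep.example."],  # renewed DEP domain, unlisted MX name
    "corp.example": ["mail.corp.example."],
}
SAMPLE_A: Dict[str, List[str]] = {
    "mail.mailinator.com": ["192.0.2.10"],
    "mx1.fresh-dep.example": ["192.0.2.10"],  # same mail server address as the listed DEP
    "mail.corp.example": ["198.51.100.7"],
}
KNOWN_DEP_MX: Set[str] = {"mail.mailinator.com"}

def normalize_host(name: str) -> str:
    return name.rstrip(".").lower()

def domain_of(address: str) -> str:
    # Take only the part after the last '@'; an address without one is malformed.
    if "@" not in address:
        raise ValueError(f"not an email address: {address!r}")
    return address.rsplit("@", 1)[1].strip().lower()

def dep_mx_addresses(known_mx: Set[str], a_lookup: Resolver) -> set:
    """Resolve the listed DEP mail hosts once so new domains can be matched by address."""
    return {ipaddress.ip_address(ip) for host in known_mx for ip in a_lookup(host)}

def classify(address: str, mx_lookup: Resolver, a_lookup: Resolver,
             known_mx: Set[str], known_ips: set) -> str:
    """Return 'mx-name' (an MX host is a listed DEP), 'mx-ip' (an MX host resolves
    to a listed DEP's address), or 'ok' (no match, including domains with no MX)."""
    hosts = [normalize_host(h) for h in mx_lookup(domain_of(address))]
    if any(h in known_mx for h in hosts):
        return "mx-name"
    for host in hosts:
        if any(ipaddress.ip_address(ip) in known_ips for ip in a_lookup(host)):
            return "mx-ip"
    return "ok"

def classify_sample(address: str) -> str:
    def mx(domain: str) -> List[str]: return SAMPLE_MX.get(domain, [])
    def a(host: str) -> List[str]: return SAMPLE_A.get(normalize_host(host), [])
    return classify(address, mx, a, KNOWN_DEP_MX, dep_mx_addresses(KNOWN_DEP_MX, a))
```

In production the two resolver callables would wrap a real DNS client, and the IP comparison is what catches a freshly renewed domain whose MX name is not yet on anyone's list.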
Congratulations, you are contributing to making the internet a worse place for everyone. How did you come to work for a company that's this blatantly abusive?