This is completely ignoring the useful use cases of "disposable" emails like privacy. I have a domain that I specifically use as a catch all, so anytime I sign up for a website I use the domain as the username, like news.ycombinator.com@forward.to.me.com
This helps protect me in many ways. If my email is sold or leaked, not a big issue, I can just add that specific email to a blacklist and I never need to get spam from it again. Or if I cancel and keep getting spam about rejoining, blacklisted. It makes it easy to keep my spam and newsletters to a minimum.
It has the built-in advantage that I can always sign up for new trials if I want, just do thatdomain.com1@ thatdomain.com2@ and so on. Although I don't do this often, I have had to do it for various reasons.
I've hit on occasion websites that block their domain from being in the email address, likely a poorly implemented security check because their software might say anyone with a "@service.com" email is an admin or something. In that case, I enter some random crap. I never have to remember the emails, since I can just search my email history for the address the service sent the registration confirmation to.
However, the downside is privacy. I use my own domain, which contains my full name, so when I sign up to some services and want to do so without giving my name, I still rely on a disposable email service such as hidemyass.com; and I do this for many online services. I am not a believer that everything I sign up for needs to know my full name, address, and email - often services ask for this information for no reason.
So attempting to block these types of services, that have valid and useful benefits to users, simply harms your users. You can avoid spam users with a captcha, and for trial abusers you already can't do much because @gmail.com already allows for a lot of aliases to work like @googlemail.com, or user.@gmail.com or u.s.e.r@gmail.com etc, or user+whatevertheywant@gmail.com
I disagree. I run a SaaS product and disposable emails are a bane to my existence. I get thousands of signups a day from people all around the world using disposable email addresses trying to milk the free tier of the product.
You have no idea the lengths people will go to.
If all you wanted to do was test a product out, create a real email address even if it's full of bogus details.
If you won't try my product without a real address then you're a customer I don't want and don't need.
As people already pointed out that your product isn't free, if you require knowledge about a person then they're giving you their information. Facebook doesn't cost a user money, but it costs them plenty else.
For a product with a "free tier" that doesn't work where a user needs to sign up several times, the product itself is flawed.
However, disposable emails again are not the problem, as there are tons of ways to get valid, working emails to bypass any unique email requirements. Blocking disposable emails isn't going to help you with that. The only thing you're removing is a user's access to better privacy. Again, if you require knowing who your users are then you are not a free service.
If you don't care about having users unless you know their real email addresses then you should consider validating their identity in other means, besides an email address. Many services use a text message to validate you also have a phone number that works, which is much harder to anonymize (although I personally have four different numbers for this very reason, based on the trust I give a service I decide which number I want to provide them - since to me, my privacy is worth something, I don't share it for free).
I was involved with running a SaaS which also had issues with free tier signups.
Two observations.
1. Prioritise paying customers. Use spare provisioned capacity to provide for the free tier: don't spin up new capacity for free tier customers - or at least do it on your own terms. Now it doesn't matter if people milk your free tier unless you believe, almost certainly incorrectly, that these people would pay if they couldn't sign up for more trials.
2. We had repeat signups from gmail accounts, but almost none from disposable addresses as such. Any service that lets you have multiple email addresses for free is a potential "risk". That obviously includes any self-run email server, or any corporate email server from the perspective of a user allowed to add new addresses to their mailbox.
Your "free" tier isn't really free, then. As payment, you're asking for the sacrifice of your users' privacy.
Some users may value your service so much or their privacy so little that they may pay up, but for the rest of us it's back to the disposable email arms race.
PS: Kudos for being open and considerate enough to defend an unpopular position on here, though it's ironic that you did so using a disposable HN account.
> Your "free" tier isn't really free, then. As payment, you're asking for the sacrifice of your users' privacy.
Is that what asking for an email to sign in to create an account to use a service that probably doesn't work well without having an account is now, invasion of privacy?
Where do we put our feet down and stop saying that everything a SaaS does is sacrificing the user's privacy... Soon we're gonna start seeing "Whoa, asking them to pay and input their credit card? You're asking for the sacrifice of your user's privacy."
As a business, the onus is on you to provide a service that incentivizes consumers to move up from the free tier. If your free trials are being abused, that's an issue with the way your business is structured, not how people register.
You are well within your rights as a business to decline potential customers over something like this, but you need them more than they need you.
The problem is the assumption that I, as a tester, want to be talked at by sales. I don't. I want to test the product and yea or nay, that's it. Unless you're in a specialized industry, there are probably competitors out there and I can judge the applicability and function without the help of a salesperson.
Are you sure your monetization strategy is the right one? Do people have the right incentives to pay? Not allowing people to stay in the free tier is a pretty bad motivator.
Not to be an asshole but I absolutely loathe this... these sort of things are why I'm forced to give my email address to organizations I don't trust. This is offensive to my sense of privacy and I wish people would stop doing it.
Too often now sites/apps want a login for no benefit other than to SPAM me with newsletters and crap I never wanted. That's why I use disposable email addresses, you're providing me no real value, at least sight unseen, but I must give you something I know is valuable-- my contact information.
I add the name of whomever I'm mailing whenever I enter my address, like "cryptarch+microsoft@gmail.com".
If they remove the "+microsoft" portion mailing me, that email is sent to my spambox and reported to spamcop, because I did not sign up with that address; the address I signed up with has the +etc infix.
Eventually I figure companies will get wise to this and I'll have to set up my own server which does the same trick with an underscore instead of the "+" sign.
You can make addresses on the fly like microsoft@cryptarch.fastmail.com (which will automatically be resolved and sent to cryptarch+microsoft@fastmail.com) and you'll save the hassle of having to run and maintain your own mail server.
Gmail supports having +stuff in your email address too. It's fairly easy to set up filters to put stuff into folders based on the email it got sent to.
You don't use a '+' at all in the fastmail email addresses you give out.
For example, say with gmail you have name+stuff@gmail.com, with fastmail you could use that if you wanted, but you can also use stuff@name.fastmail.com
If fastmail receives mail on that address, it converts it for you as if it had been sent to name+stuff@fastmail.com instead.
This happens entirely on the fly so you can make 'proper looking' emails without a '+'
That doesn't help if they sell your email though, because you don't know what company to match the spam with.
I use mynamemicrosoft@mydomain.tld for each service, and I catch every email regardless of mail address.
Sure they can manually fool me or use more sophisticated regex to find their service name (and I can obfuscate it), but in practically all cases I know which service has leaked my address if I get spam against a certain address that's not the service I signed up for.
With gmail you can use periods in the email address and gmail will ignore them. i.e. bob.smith@gmail.com is the same as bobsmith@gmail.com or even bo.bsmith@gmail.com.
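The alias forms described in the comments above (Gmail dots, `+tag` suffixes, `googlemail.com`, and Fastmail's `stuff@name.fastmail.com` form) can be collapsed to one mailbox key when a signup pipeline counts repeat registrations. This is an added example, not code from the thread or from the service under discussion; the function names and the rule set are assumptions limited to the behaviours commenters describe, and lowercasing the local part is an assumption about provider behaviour.

```python
import re
from collections import defaultdict

# Rule set assumed from the thread, not an exhaustive provider list.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}
PLUS_TAG_DOMAINS = GMAIL_DOMAINS | {"fastmail.com"}
# stuff@name.fastmail.com is delivered as name+stuff@fastmail.com
FASTMAIL_SUBDOMAIN = re.compile(r"^([a-z0-9_-]+)\.fastmail\.com$")


def canonical_address(raw):
    """Return the mailbox an alias delivers to, or None if malformed."""
    addr = raw.strip().lower()
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain or "@" in local or " " in addr:
        return None
    sub = FASTMAIL_SUBDOMAIN.match(domain)
    if sub:
        # The subdomain label is the real mailbox; the local part is a tag.
        local, domain = sub.group(1), "fastmail.com"
    if domain in PLUS_TAG_DOMAINS:
        local = local.split("+", 1)[0]
    if domain in GMAIL_DOMAINS:
        # Gmail ignores dots, including a trailing one (user.@gmail.com).
        local = local.replace(".", "")
        domain = "gmail.com"
    if not local:
        return None
    # Any other domain is left alone: a catch-all on a personal domain
    # cannot be told apart from distinct mailboxes from the outside.
    return f"{local}@{domain}"


def group_aliases(addresses):
    """Map canonical mailbox -> raw addresses, keeping only repeats."""
    groups = defaultdict(list)
    for raw in addresses:
        key = canonical_address(raw)
        if key is not None:
            groups[key].append(raw)
    return {k: v for k, v in groups.items() if len(v) > 1}


# Constructed sample, built from the address shapes quoted in the thread.
SAMPLE_SIGNUPS = [
    "bob.smith@gmail.com", "bobsmith@gmail.com", "bo.bsmith@gmail.com",
    "u.s.e.r@gmail.com", "user+whatevertheywant@gmail.com",
    "user@googlemail.com", "microsoft@cryptarch.fastmail.com",
    "cryptarch+microsoft@fastmail.com", "mynamemicrosoft@mydomain.tld",
]

if __name__ == "__main__":
    for mailbox, raws in group_aliases(SAMPLE_SIGNUPS).items():
        print(mailbox, "<-", ", ".join(raws))
```

Store the address exactly as the user typed it for delivery and use the canonical key only for counting, since a `+tag` is often how the user tracks who leaked their address.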
The +company trick doesn't work everywhere anymore.
I recommend using a personal domain and a mail service that offers catch-all filters. Stuff regex on that and you can also filter all emails of this type into a specific folder.
If they're not providing you with any value, then don't give them your email address.
If it's just a Regex check then you can just use dslfkjsdlfj@fdsjfs.com. If it requires you to click on a verification link in the email then that is quite a high bar for you to go through to obtain something of `no value`.
Hi Exuma. FYI, I do check custom domain names pointing to disposable email address providers. If you add your own domain name, it will be also blocked.
I think the mistake was using the word "block". A general purpose "email type classifier" might be useful.
No need to block the temporary email, but you might use that information for other purposes, like having it be some weight to a fraud detection system. Note, not calling it out as fraud outright, but using it as one data point among others.
+1, and it all depends on how the website owners, SaaS providers, etc. use it. They may choose to block or let them in with a nice notification message then block later.
I created it as a side project to stop fake registrations with disposable email addresses, like emails from mailinator, email-fake.com, temp-mail.org, etc.
It has a public API, no registration required, accepts up to 10 checks per minute. A WordPress plugin and a simple PHP library are also included.
Because some services have sensitive information and need a reliable way to contact you. If you use my service and attach your credit card to pay for it, and used a disposable email to sign up with and your account gets breached, whose fault is it that I couldn't email you and let you know?
Sure if it's some throw away service that doesn't have such sensitive information, that's fine, but there's many reasons to use such a service.
> whose fault is it that I couldn't email you and let you know?
The user's fault; they are knowingly trading that risk for protection of their privacy. That says a lot for how they regard the service in question.
What about rejecting ISP-issued e-mail addresses? Those are also ephemeral, for those who use them.
What about Yahoo! / Outlook.com / Gmail addresses? In the vast majority of cases people using those have no 'hold' on them and their accounts can be suspended at whim.
Domain-related addresses can be lost if the registry decides to hike the domain prices beyond affordability, such as with the 1000% increase in Uniregistry gTLDs later this year.
Where to draw the line? All e-mail addresses are temporary.
That makes sense, thanks. My line of thought was that if someone is using a disposable address they probably aren't going to respond to marketing anyways - they're just checking out your service.
There's a reason I'm using a disposable address for your service. A much better user experience would be for you to allow me the option to try out your service before giving you my email.
Disposable email addresses exist precisely because we don't plan on returning. Some websites tried to block disposable addresses already, I just went somewhere else.
It classifies things like gmail, yahoo mail, hotmail as "Consumer" addresses.
So, there might be some additional markets for you if you can identify "consumer" emails vs "business". Also, some niche areas like isEduEmail(), for things like student discounts (fyi, not as simple as it seems at first glance).
If you consider using this, please for the privacy of your users make sure to only check the domain, not the full mail address (so not like the first two API request examples).
This is such a bad idea. 99 out of a 100 times the use case for such a service is because the developer wants to make sure it can spam a real email address.
But, I hope this doesn't take off because there are valid reasons for using fake email addresses. E.g. I don't trust the site not to sell my email, or leak it inadvertently through a security exposure.
I really don't like this service at all. It destroys value, like the ability to be anonymous, and enables abuse by companies - the 90% use case is by companies who use it for sending marketing junk as we all know perfectly.
While the service mentions blocking them, this API can be used just for that. All it does is take an email and tell you if it's a temp email. What you do with that info after is up to you.
+1. The WordPress plugin gives a nice warning message with a promise that the website owner won't spam or sell the email address. After all, it's all up to the website owner.
I really hope this doesn't see adoption in many cases. I can see it being okay in places where abuse is an issue, but I use different disposable email services specifically because I don't want spam or my actual email exposed in the endless stream of breaches.
I don't want Best Buy Rewards, etc. having my email to sell.
Can someone provide examples of temp mail abuse that makes this necessary? I sometimes use these services to avoid being subscribed to ceaseless email marketing rings or get at information (in my opinion) needlessly siloed in things like forums.
Seems also like a user-hostile escalation in this kind of arms race that will eventually be overcome anyway.
If you ask somebody their phone number and they give you a fake one - they don't trust you and think you are an asshole. Same with e-mail. When you feel you need to protect yourself from "disposable emails" then your problem is elsewhere.
I don't quite understand why this service is attempting to charge for what is basically an email list, when email lists with more domains have been public for quite some time.
One can create multiple email addresses, and dispose of them in an instant. It's just another disposable email service that is easily abused by spammers.
I store and track "disposable email address service provider", so I want to abbreviate that name. Anyway, I removed the "DEA provider" counter and the acronym :-)
> Disposable Email Address (DEA) services are tools for spamming, fake registration, free trial abusing, etc.
And we hate them!
Gloves are a tool for criminals! Knives are a tool for murderers! Cameras are a tool for terrorists and pedophiles!
Like these other tools, email addresses have legitimate uses. If you find yourself getting a lot of disposable addresses, there are other ways to ensure you get a valid email address, like only asking for one when your users are actually going to want to receive your emails.
This got me thinking of a tangential business idea: a user-hostile site blocker.
You take a quick quiz of stuff you personally consider unacceptable from a site (such as blocking disposable emails), and then it comes up with an autoupdated blocklist.
If I have no incentive to log in again, you should probably not ask for my email. This service is a nuisance just like all those sites that require an email for no good reason.
This sucks. I hate it. VERY few "services" are worth the exposure of my real email address. I made this mistake with yahoo, bigfoot.com and amazon.
It would not hurt my feelings if the developer of this "service" became allergic to pizza. And if the service were to close... The allergy is reversed, gradually.
Don't harm your users with useless validations.