by kornnflake 4919 days ago
I used my free time during Christmas and pushed a huge update to my latest weekend hack. It's a disposable email address service.

Some of the main features are:

* SSL only connections

* All data is stored in memory using redis to make the site blazing fast

* New mails are instantly displayed using web sockets

* Automatically clicking on common activation links

* Your inbox doesn't expire

5 comments

You should append the PositiveSSL CA 2 intermediate certificate to your certificate file. That Comodo cert isn't in a few browsers'/systems' certificate stores yet.

https://www.ssllabs.com/ssltest/analyze.html?d=receiveee.com

Your nginx configuration ssl ciphersuite list includes single DES, too, when it shouldn't.

The string in my URL is different but very similar to the string in the email address. Curious. 1QdVfTRH vs 1QdVfTS1
That's not your mail address in the URL. It's like a password to access the inbox later :)
Hmm... But why should the 'password' URL be so similar to the mail address? Doesn't this mean that if I know your mail address, I can fairly easily guess the secret URL to let me see that inbox?

(Granted that in the most common use case, if I know the email address, I probably know what's in the inbox, since I am likely the person who sent the message. But still, why not make these 2 different random strings?)

A couple more examples: 1QjYwHNM vs 1QjYwHOc 1Qk07A9x vs 1Qk07A9X

Yeah, the developer is going to want to fix that quick smart. At a complete guess they are two strings being generated in quick succession from the same seed, and they both happen to be very close. End result is that I can guess your email.
Also, email addresses are in a really tight set and easily guessable. So that system should be fixed in general. Not just for the address / password issue. But also getting proper address distribution.
Addresses and URLs seem to be timestamp strings that change every microsecond, with the URL code being generated just before the email address. This makes it trivial to read someone's mail if you know their address.

You can verify this by repeatedly clicking 'Delete this address', which issues you a new mail box. The address string can be thought of as a number that is always incrementing, with the 'digits' drawn from [0-9a-zA-Z]. (So base 62.)

The URL number is always (sample size ~100) just a little smaller than the email number, but not by a consistent amount. Often about 20-30 steps away, but sometimes as much as 600 steps away (depending on server load?).

The number seems to be generated by a clock rather than a counter, since the rate at which the counter increases is very steady. The 5th digit from the right increments every 15 seconds, suggesting that there are (62^4)/15 ~= 0.99 million unique strings per second. Maybe the counter is just using the time in microseconds, and converting it to a string?

Issues raised:

1 - If I know your address, I can now guess the 'secret' URL to read your mail in a trivial number of guesses (certainly less than 1000). There doesn't seem to be any throttling of attempts on server side (I was able to manually cycle through ~30 invalid URLs fairly quickly).

2 - Email addresses 'leak' the time that they were created. (Not a clear security risk, but could be problematic in some cases)

3 - As Sami_Lehtinen says, addresses are guessable based on signup time, but given that these are disposable addresses, I'm not sure that's a big problem (who cares if a spammer guesses it). Also, even if there is a new user signing up every second, the success rate for guesses will be 1E-6.
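An added example, not part of the thread and not the service's code: reading the string pairs quoted in the comments as base-62 numbers with the [0-9a-zA-Z] digit order reproduces the small gaps described above, and the hardened generator beside it draws the address and the inbox token independently from a CSPRNG. The function names and token lengths are assumptions.

```python
import secrets

# Digit order given in the thread: [0-9a-zA-Z], i.e. base 62.
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
INDEX = {ch: i for i, ch in enumerate(ALPHABET)}

# (URL string, address string) pairs quoted in the comments above.
THREAD_PAIRS = [
    ("1QdVfTRH", "1QdVfTS1"),
    ("1QjYwHNM", "1QjYwHOc"),
    ("1Qk07A9x", "1Qk07A9X"),
]

def b62_decode(s):
    """Read a string as a base-62 number."""
    n = 0
    for ch in s:
        n = n * 62 + INDEX[ch]
    return n

def gap(url_token, address):
    """Distance between the two identifiers when read as numbers."""
    return b62_decode(address) - b62_decode(url_token)

def thread_gaps():
    """Gaps for the pairs posted in the thread."""
    return [gap(u, a) for u, a in THREAD_PAIRS]

def new_inbox():
    """Hardened issuance (assumed design): two independent CSPRNG draws."""
    address = secrets.token_hex(8)            # 64-bit random local part
    access_token = secrets.token_urlsafe(32)  # 256-bit secret for the inbox URL
    return address, access_token

def token_matches(presented, stored):
    """Constant-time comparison when checking a presented inbox token."""
    return secrets.compare_digest(presented.encode(), stored.encode())

if __name__ == "__main__":
    print("gaps in the thread's samples:", thread_gaps())
    print("independent identifiers:", new_inbox())
```

Independent random tokens remove the relationship between address and URL; throttling failed lookups on the inbox URL, which the comment reports as absent, is a separate control.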

Cool, thanks.
Thanks, it looks very useful. However, if I want to reuse an address several times, it would be nice to be able to delete individual messages once I've read them.
Using Websockets is a nice touch. However I haven't gotten my tests to work yet. Tried from my Gmail, and also manually SMTPing in.
Taking a look into it. My first thought is that some DNS servers are not updated yet :(
Thanks! I will add it to my filters and make sure users don't register through it. ;)
Why? It seems like you are escalating a war AGAINST your users. Most folks who use a disposable address are trying to make sure their main address doesn't become a fount of spam. If I continue to visit your site/service, then I will probably decide to "update" my address on my own for the convenience. Am I really being naive?
You are being naive -- it really depends on the service. For trivial online services, a disposable email might be fine, but for anything that costs money, you're doing your users a disservice by letting them register with an email address that they won't be checking (and which could potentially get hijacked, if someone knew the address).
If a service prevents me from signing up with whatever email address I want, I won't be using it. It's one thing to discourage weak passwords, as that's a common mistake for people that don't know any better. It's another thing altogether to deny signing up with something like this, as they clearly will know the ramifications of doing so.
I have a website that gives freebies (=$$$) to new signups, so allowing throwaway accounts makes people do things like sign up for 100 accounts.

Not giving freebies is of course an option, but then there is goodwill lost on that end instead.

It sucks both ways. At least I don't spam my users, but they of course only trust that assertion so far and I certainly don't blame them - there seems to have been a significant rise in email marketing in the last 6+ months - probably some annoying YC startup or two making it much too easy for sites I signed up for at some point but really don't want to hear from to send me email... Tsk, tsk ;)

Then just give the freebies to non-throwaway accounts. Now your users still have a choice, and you don't lose any goodwill (obviously, explain that throwaway accounts don't qualify).

This is on the same level as adding a CAPTCHA if someone's comment looks like spam.

You might not be naive, but you are probably mistaking the value of allowing sophisticated users to try in this way versus the value of getting an email that you can send weekly updates to.
Gonna add new domains from time to time :p
Mailinator does this too.