Show HN: Startup with no website - [email protected]

288 points| eralpb | 7 years ago

Hey there, there are a lot of disposable email services, but as I was thinking I realized 95% of the time, I don't care about my inbox. I just want to "verify my email".

That's why I created a startup with no website, it's called [email protected], it's a credible domain (you don't say) and it will click on any "verify" links you send to it.

You can use aliases to get around duplicate emails in the target system, so like

[email protected] [email protected] [email protected]

so choose an alias and start using the service!

I will provide a website to see the inbox of your alias. (maybe for services who send your pw in the email, but then you might be better off using other established servers.)

Gmail API is a bit slow so it might take 30 seconds for email to be received on my end, keep in mind while testing!

Best,

184 comments

[+] nine_k|7 years ago|reply
This is delightfully crazy.

Give some random guys with no website your registration record somewhere, allow them to verify your registration as theirs, and then impersonate you, reset passwords, see any communications, possibly log in as yourself and do anything. All this with no recourse.

Nigerian spammers moan from envy for such a brilliant self-propelled gullibility filter.

[+] Semaphor|7 years ago|reply
I have [email protected] and I've had people play poker and lottery and sign up for dating websites with my e-mail address. I've also received confidential information from insurance and building construction companies.

It's hilarious.

[+] gpm|7 years ago|reply
It's no crazier than using any other disposable email service... if I'm registering an account at neopets.org or whatever I probably just don't care.
[+] sleepychu|7 years ago|reply
In that regard though, it's not different to existing throwaway email services. I'd use this sort of thing for registering for annoying things like "free" wifi.
[+] LCoder|7 years ago|reply
I own a domain which a lot of people on the Internet like to randomly type in when they are signing up for things. It is ridiculous how many services accepted those fake email addresses over the years and therefore how many accounts I could reset passwords for.
[+] laughinghan|7 years ago|reply
I don't understand what point you're making. Isn't that true of mailinator.com too? Have you never signed up for an account on a service you didn't trust not to spam you?
[+] crb002|7 years ago|reply
Unless you don't want an account. So many things require stupid email verification just to get at non-transactional stuff like content.
[+] clairity|7 years ago|reply
and it pollutes the googleborg no less, by using a gmail account.

occasionally people (accidentally?) use my (long-in-disrepair) gmail account in this way, and it's amusing to see their little peccadillos. sometimes you get the devilish chance to change subtle details of an online profile =D

[+] fredgrott|7 years ago|reply
not to mention the damn google dot hack that still works with all gmail email accounts...
[+] 2019ideas|7 years ago|reply
If you are worried about your user details getting stolen after signing up with someone else's email-

You aren't using this service correctly.

The idea is to not give away your email or signup for a website, but get access to that website.

[+] ReadyPlayerNone|7 years ago|reply
Interesting, I've a few questions as food for thought.

- Is it allowed under GMail's TOS?

- Have you considered the security implications of having what is presumably a server somewhere in your name clicking on any link that's sent to it?

- You say startup - do you have monetization plans? Putting adverts on the associated website perhaps?

[+] alpb|7 years ago|reply
Why do you call this a "startup"? It's a nice hack for sure but I'm not sure if it has a prospect of being a business.
[+] reaperducer|7 years ago|reply
[email protected] [email protected] [email protected]

Unfortunately, more and more services are rejecting + e-mail addresses. Either ignoring them, or flagging them as an error.

While it's perfectly within the RFC, companies are catching on to the trick.

(3M, I'm looking at you!)

[+] kidsil|7 years ago|reply
Gmail gives you another option - separate using dots.

[email protected]

The number of options is of course limited but it's still recognized as a separate address while still coming into the same inbox

[+] jpeeler|7 years ago|reply
Years ago I locked myself out of my Amazon account. Since I really wanted to keep using the same email account (and I didn't care about Amazon history, nor did I wish to go through an official account reset) I re-signed up using a +suffix. I'm still amazed the second account was able to be created, though it's possible it's no longer allowed since this was around 2005 or so.
[+] dimensi0nal|7 years ago|reply
When Google inevitably shuts this down can you opensource the link clicking program?
[+] eralpb|7 years ago|reply
I will open source whenever I have time, I just did it last night and decided to share.
[+] justin_oaks|7 years ago|reply
The "link-clicking" can be done using a Google App Script. I've used it before to auto-accept AWS opt-in notifications for Elastic Beanstalk environments.

My code was tied to a Google Sheet that would hourly pull matching emails, use a regex to extract the link, send an HTTP request to the URL, and record the URL and response in the spreadsheet.

Having a high level description of the code isn't as useful as the code itself. Alas, my code was part of my Google account at a previous employer.
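An added example, not part of any comment in this thread and not the service's code: the extract-and-request step described above, with the check that ReadyPlayerNone's question about clicking arbitrary links calls for, so the clicker only requests http(s) URLs whose host resolves to public addresses. The names `check_link`, `vet_links` and `fake_resolver`, the sample mail and the DNS table are all constructed for illustration.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def resolve(host):
    """Default resolver: every address the hostname maps to (uses DNS)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

def check_link(url, resolver=resolve):
    """Return (ok, reason) for a URL the auto-clicker is about to request."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False, "malformed URL"
    if parts.scheme.lower() not in ("http", "https"):
        return False, "scheme not allowed"
    if not host or parts.username or parts.password:
        return False, "missing host or embedded credentials"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP in the URL
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:
            return False, "host does not resolve"
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        # Loopback, RFC 1918, link-local and reserved ranges are all non-global.
        if not ipaddress.ip_address(addr.split("%")[0]).is_global:
            return False, f"{addr} is not a public address"
    return True, "ok"

def vet_links(body, resolver=resolve):
    """Extract every http(s) link from a mail body and vet each one."""
    return [(url,) + check_link(url, resolver) for url in URL_RE.findall(body)]

# Constructed sample mail and stand-in resolver so the example runs offline.
SAMPLE_BODY = """Confirm: https://signup.example/verify?token=abc123
Status page: http://127.0.0.1:8080/admin
Approve here: http://intranet.example/approve"""
FAKE_DNS = {"signup.example": ["8.8.8.8"], "intranet.example": ["10.0.0.5"]}

def fake_resolver(host):
    if host not in FAKE_DNS:
        raise socket.gaierror("unknown host")
    return FAKE_DNS[host]
```

A check made before the request can be bypassed if the name resolves differently at fetch time, so a real clicker should connect to the vetted address and run `check_link` again on every redirect target.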

[+] O_H_E|7 years ago|reply
Just make sure that account is not associated with any of your real data (even IP). There have been horror stories at /r/TIFU about people getting their personal accounts suspended and the whole enterprise account with them.

If Google gets angry about you, your life MIGHT be ruined –partially–

[+] tnr23|7 years ago|reply
what about the gmail receive limit? it's 60 emails per minute or about 80k per day

if you hit 1 minute over 60 you get blocked 24h

[+] programbreeding|7 years ago|reply
That seems like it would be incredibly easy to DoS someone.
[+] siruncledrew|7 years ago|reply
Did you get the idea from GuerrillaMail?

https://www.guerrillamail.com/

[+] protomikron|7 years ago|reply
More and more services recognize disposable e-mail domains and don't allow such addresses. Obviously they can't block the gmail.com domain.

I like the idea, but it probably is against Google's TOS, so there's that ...

[+] kodablah|7 years ago|reply
If something like this becomes popular, one might expect sites concerned about non-human verification to add a captcha to their verification page before the account is considered verified.
[+] herogreen|7 years ago|reply
Or: ask the user to use the same browser and check that cookies match / "sanitize" gmail addresses
[+] eXorus84|7 years ago|reply
Good luck for your startup with no website. It's very simple and clever.

I started my startup with a website to do a disposable emails service: mailcare.io It's also available in open source.

[+] rcfox|7 years ago|reply
I've always wanted sort of the opposite. I'd sign up to a website, and they wouldn't ask for a password. To login, they would email a link to click and I'd be logged in for however long that cookie lasted. Why don't sites do that?

(Is email still considered slow? I remember having wait times in the hours back in the 90s, but I'm not sure I've ever waited anywhere near a minute in the past decade.)

[+] Brozilean|7 years ago|reply
> I've always wanted sort of the opposite. I'd sign up to a website, and they wouldn't ask for a password. To login, they would email a link to click and I'd be logged in for however long that cookie lasted. Why don't sites do that?

> (Is email still considered slow? I remember having wait times in the hours back in the 90s, but I'm not sure I've ever waited anywhere near a minute in the past decade.)

Tumblr does this at the moment. It asks for either email click or a traditional username/password setup.

[+] overcast|7 years ago|reply
Passwordless authentication exists, Medium has it, I've implemented it before, and I prefer it myself. The biggest issue being it adds an additional step, that most don't want to deal with. What if they don't have access to their email on that machine? Blasphemy, but it happens.
[+] gpm|7 years ago|reply
This is basically how steam works these days.

Sure, there is a "password" - but they won't let you log in without also verifying you have access to your email account - and you can reset that "password" only knowing the username and having access to the email account.

[+] jonathankoren|7 years ago|reply
Tumblr does that now.

I’ve never used the feature. I have an integrated password manager.

[+] nijynot|7 years ago|reply
Medium actually does this.
[+] megous|7 years ago|reply
How'd you log in if you lose control of your e-mail?
[+] lifeformed|7 years ago|reply
Isn't it spelled with two R's? "Guerrilla"? I didn't even notice at first, and was going to say that it's a hard to spell word for something you have to manually type in. Now I notice even the service itself is misspelled! Or is it just this announcement of it that's misspelled?
[+] ArtWomb|7 years ago|reply
Nowadays, most require SMS confirmation that "You are indeed a human". And thus a mobile phone number. Have often considered wiring up something in Twilio so I can create multiple accounts, etc. But am too lazy to put in the effort. Perfectly willing to trade privacy for convenience in most cases ;)
[+] dewey|7 years ago|reply
I wouldn’t say “most”. The sites where you have to verify are probably more sensitive and not something you’d verify with this service or a throwaway email anyway.
[+] c22|7 years ago|reply
A lot of these sites know when you're using Twilio numbers and reject you anyway.
[+] rkagerer|7 years ago|reply
How well will this scale? I know GSuite Gmail accounts are limited to 3600 emails per hour, among other limits.
[+] megaman8|7 years ago|reply
What's awesome here, is that he/she's created a solution to a problem that almost everyone has. It might need a little work, as shown by other comments. But the core idea is a good workaround for sites that force you to give a bad email address to get at the content.
[+] giarc|7 years ago|reply
Is it a problem though for legit sign ups? I find the problem is that when you click the link in your email, you now have 2 tabs open. One with a verified login and one without.
[+] aogl|7 years ago|reply
A lot of services don't allow +uniqueSection in email addresses anymore; just bear in mind..
[+] ixwt|7 years ago|reply
Because it's a gmail address, you can put as many . as you want anywhere in the name. Gmail strips them out when determining the email address.
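An added example, not part of any comment in this thread: how a signup system could "sanitize" Gmail addresses as suggested earlier, collapsing the dot and +suffix variants discussed here into one canonical address before checking for duplicates. It assumes Gmail's behaviour of ignoring dots, case and anything after `+` in the local part, and treats `googlemail.com` as the same mailbox; the function names and sample addresses are constructed.

```python
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

def canonical_email(address):
    """Return the address a signup system should use as its uniqueness key."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        # Gmail-specific rules only: other providers may treat '.' and '+'
        # as significant, so their local parts are left untouched.
        local = local.split("+", 1)[0].replace(".", "").lower()
        domain = "gmail.com"
        if not local:
            raise ValueError(f"empty local part after normalising: {address!r}")
    return f"{local}@{domain}"

def find_duplicate_signups(addresses):
    """Group submitted addresses that reach the same mailbox."""
    groups = {}
    for addr in addresses:
        groups.setdefault(canonical_email(addr), []).append(addr)
    return {key: seen for key, seen in groups.items() if len(seen) > 1}

# Constructed sample signups.
SAMPLE_SIGNUPS = [
    "jane.doe@gmail.com",
    "JaneDoe+shop@gmail.com",
    "j.a.n.e.d.o.e@googlemail.com",
    "jane.doe@example.org",
    "janedoe@example.org",
]
```

Store the address as the user typed it for delivery and use the canonical form only as the uniqueness key.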
[+] apexalpha|7 years ago|reply
A bit weird to call it a startup but a clever idea!

Maybe Mailinator could implement this autoclicking.

[+] mandeepj|7 years ago|reply
Good thought. At the same time, it's a feature; not a startup. Sorry.
[+] timmit|7 years ago|reply
it is a geek idea! i like it.

you still get a website?

> I will provide a website to see the inbox of your alias. (maybe for services who send your pw in the email, but then you might be better off using other established servers.)

> Gmail API is a bit slow so it might take 30 seconds for email to be received on my end, keep in mind while testing!

just wondering does it break gmail's terms?