Intro

Recently, I’ve come across a stream of users registering accounts on websites I own using temporary or “disposable” email addresses. These addresses exist for reasons like protecting user privacy, preventing spam emails from cluttering real inboxes, increasing account security, and allowing users to bypass one-account-per-email restrictions. I’d like to explain my thoughts and my response to this issue here. If you only care about technical details, skip to Part 3.

Part 1: The Balance of Power

When deciding on a response to the issue of disposable email addresses, the perspective of the user should not be forgotten. A balanced and well-reasoned approach is the goal, so let’s begin by understanding how the user views the situation.

First Perspective: The User’s Side

User Concern #1: Privacy

There’s nothing wrong with protecting your privacy. Online tracking is hard to avoid, and your profiles on different sites can be connected by third parties whenever you reuse an email address. Using a disposable email address allows you to break that connection. Privacy is a human right, yet it’s often overlooked by decision makers (in my opinion).

User Concern #2: Spam

How many times have you received an unwanted email from a company after you’ve tried to unsubscribe? How many times have you regretted signing up for marketing letters from online stores for a quick 10% discount? With a temporary email address, those regrets disappear because you’ll never be notified about mail going to that disposable inbox in the future. Better yet, many services will let you go back and receive new mail if you really need to access your old fake inbox.

User Concern #3: Security

If you’ve used a service like have i been pwned before, you may remember that the way to check if your password has been leaked is not by entering your at-risk password, but by entering your email address. One of the main reasons that reusing passwords is risky is because it’s coupled with email reuse: attackers don’t have the resources or the time to try every password with every email for any random account, so in non-targeted attacks they check known email and password combinations from previous data breaches. Outside of targeted attacks, email address reuse is almost as bad as reusing a password.

Second Perspective: The Operator’s Side

Given the myriad legitimate concerns that a user may have regarding privacy and security, is it ethical to block the use of disposable email addresses? The answer isn’t very simple, because there are a critical factors to consider on the operator’s side.

Operator Concern #1: The Law

If your website has a legal duty to verify the identity of all users, then a reasonable effort must be made to comply with the law. While having a real email address from every user may not be as legally important as having a real first and last name, it can help track down the rightful account owner if needed. Thus, a reasonable effort must be made to collect a real email address from each user.

Operator Concern #2: The User

After considering the law, priority number 2 for a business is the user. How will your temporary email policy impact the user experience? Could it harm the experience?

Users may be discouraged if your temporary email address policy slows down their onboarding, and privacy-concious users will be especially turned off. Online privacy protection has only gotten harder over time, so the number of genuinely concerned users is likely to be lower than the number of bots who try to use fake email addresses. On a social website, bots can impact public opinion and ruin the experience for real users.

I would argue that social media sites should not take action against a user during the signup stage if a temporary email address is provided, but use of a temporary address should be considered a strong signal in anti-bot algorithms.

Operator Concern #3: Weak Wills

Users are fickle. Imagine how many users will be lost if you slow down the registration process by blocking signups from fake addresses. Are the potential lost leads worth getting a real email address out of the more persistent users? Probably not. If requiring valid email addresses isn’t legally required for your organization, maybe it’s better to afford users the freedom to use disposable inboxes.

Operator Concern #4: Emergency Scenarios

In the event of a data breach, an interruption of service, or any other emergency where communication with users is paramount, those who provided a temporary email address will be in the dark. This is a compelling reason to check for legitimate email addresses, but it really depends on what your site does: most users care if there’s a problem at their bank, but they may be indifferent about an online forum. Block temporary emails from signing up for anything of great importance, and for everyone else, communication is key: be upfront and tell the user as early as possible that without a real email address, they might miss important information. If they still choose to provide a disposable email address, that’s their choice and you’ve done everything you can.

Operator Concern #5: Security and Spam

Depending on what your registration process entails, it’s entirely possible that anyone providing a disposable email address has something to hide. They may be looking to gain unauthorized access to your systems, or perhaps a way to acquire another free trial after their last one ends. It could also be the case that fully registered accounts in good standing on your site are valuable to a bot farm or malicious actor. These reasons alone are often strong enough to make valid email addresses a requirement, but they only apply to certain types of websites.

Part 2: My decision

After going through this list, I decided that I would make a real effort to prevent the use of fake email addresses. The website I’m running is small, yet it has been the target of targeted attacks. It’s not running on a big server, and the service that’s offered is directly related to security. My users are entrepreneurs so they should be using a business email anyway. I also don’t sell user data and I don’t send marketing emails, but there have been cases where I’ve needed to contact users urgently. For those reasons, I believe that blocking temporary email addresses protects my interests without asking for too much from my users.

Part 3: Enforcement

This is where the fun starts.

A google search for “block disposable emails” returns a lot of paid API services that claim to have extensive lists of bad domains. I’m sure many of them work pretty well, but are many public lists of domains used by these disposable email services right next to the paid services. A blacklist based on free lists is an enticing solution, but it’s not a complete answer. On StackOverflow, one user points out that new domains are constantly being registered by disposable email services, meaning that these lists of bad domains are probably worthless today, especially because most of the lists haven’t been updated in months or years.

I don’t want outdated lists, even if they’re free. I could pay for an API that claims to track disposable email sites, but that’s yet another bill to pay without a strong justification. So, I decided to create my own list.

Disposable email services are almost exclusively offered through websites which own hundreds of domains. These websites display everything they receive directly in the browser, which means that any links clicked will generally include the Referer header. Due to its use in marketing and tracking, the Referer HTTP header is controversial. Most users are unwittingly revealing information about their browsing habits, that’s exactly what I am counting on.

My email verification system involves sending a link to the new user via email, so when the user clicks the link they received in their disposable inbox, my website will see that the user came from a temporary email site. When this happens, the account is banned and the user is notified.

While the domains that are used for disposable addresses change frequently, the website that hosts the service rarely changes. I built my own blacklist by finding about 10 different sites that offer disposable emails. The Referer header of any user trying to verify their email is checked against blacklist, and all non-detected Referer headers are stored for future reference. This helps me grow my provider blacklist with sites I haven’t seen before. My email verification system involves sending a link to the new user via email, so when the user clicks the link they received in their disposable inbox, my website will see that the user came from a temporary email site.

Implementation note: While it might seem smart to also automatically blacklist domains in found in email addresses of uses who came from a disposable email website, this is actually a bad idea because it relies on user input twice. The first time is when you let the user select the domain they want to blacklist. The second time is when the header data is trusted. A malicious actor could register using an email from a popular provider, like Gmail or iCloud. If they spoof request headers to include a blacklisted Referer value, then no more users would be able to use emails from the targeted provider. For this reason, I recommend an approval system where a log is created any time a bad Referer is detected. After manually reviewing domains in the log, an administrator can choose to blacklist the new domains.