Add simplelogin.co #846

Open
rrjanbiah opened this issue Aug 31, 2020 · 30 comments

@rrjanbiah

Add simplelogin.co

@nguyenkims

As mentioned in #872, SimpleLogin isn't a disposable email provider. Email aliases aren't the same as disposable email addresses and offer the same advantages as a "normal" email address without compromising on privacy.

@rrjanbiah
Author

FWIW, for anyone checking this issue and baffled by attacks from multiple sockpuppet accounts... @nguyenkims is the founder of SimpleLogin

Even mailinator has a routing system, but it all depends on the marketing pitch. Our personal experience is that SimpleLogin and Firefox Relay account for most of the spam mails these days.

@GeroldSetz
Contributor

GeroldSetz commented Dec 7, 2020 via email

@nguyenkims

> Our personal experience is that SimpleLogin and Firefox Relay account for most of the spam mails these days.

@rrjanbiah can you elaborate on the above statement please? All emails sent from SimpleLogin are scanned for spam twice: once by the user's email service (Gmail, Outlook, etc.) and a second time by us (using SpamAssassin), so there should be no spam sent out from our server. Please note that blocking SimpleLogin and other privacy-focused forwarding email services is harmful to user privacy and shows that your service doesn't care about user privacy.

In this case, feel free to block our domain on your service but please do not affect other website owners who use this list.

@jens1000

jens1000 commented Dec 7, 2020

> Please note that blocking SimpleLogin and other privacy-focused forwarding email services is harmful to user privacy and shows that your service doesn't care about user privacy.

I support that. I use simplelogin to avoid using only one mail address for privacy and security reasons. I wouldn't use services that won't allow it.

@TheLastProject

I am a SimpleLogin user and I disagree with labelling the service as a service for disposable email service. Mailinator is designed to have the email address disappear after 24 hours or so. SimpleLogin is designed to hide the user's main email address but will forward to and from this main email address until explicitly told not to.

The important difference here is the following:

  • Mailinator exists to have an email address for like 24 hours just to sign up with a service and then have it deleted
  • SimpleLogin exists to have a different email alias for each service so you can reset it when it leaks or gets spammed

Mailinator is a service for throw-away email addresses. SimpleLogin is more like a password manager but for email addresses. Just like you shouldn't use one and the same password everywhere because it can get hacked, it is helpful to not use the same email alias everywhere so you can actually do something if it gets leaked to spammers.

The reason to block disposable email domains is because the address disappears and you can't reach the account owner after X amount of hours. This is simply not the case for SimpleLogin, you can reach the account owner until they manually decide to block you.

@rrjanbiah
Author

@nguyenkims

> > Our personal experience is that SimpleLogin and Firefox Relay account for most of the spam mails these days.
>
> @rrjanbiah can you elaborate on the above statement please? All emails sent from SimpleLogin are scanned for spam twice: once by the user's email service (Gmail, Outlook, etc.) and a second time by us (using SpamAssassin), so there should be no spam sent out from our server.

Based on your note above, I'm not sure if you understand the real use case of the disposable email domains list. Most often this list is used to block bogus requests to CRM and block people who game free tiers in SaaS, etc. So, disposable email domain list is a godsend here when people exploit others' hard work.

> Please note that blocking SimpleLogin and other privacy-focused forwarding email services is harmful to user privacy and shows that your service doesn't care about user privacy.

With the GDPR, people have much control over their privacy. Perhaps the ideal use case of SimpleLogin may be privacy, but it is of course used for gaming and exploiting others' hard work.

@rrjanbiah
Author

@TheLastProject

> Mailinator is a service for throw-away email addresses.

Mailinator has a routing system too. It all depends on how you position some services through clever marketing texts.

@FarisZR

FarisZR commented Dec 7, 2020

> @nguyenkims
>
> > > Our personal experience is that SimpleLogin and Firefox Relay account for most of the spam mails these days.
> >
> > @rrjanbiah can you elaborate on the above statement please? All emails sent from SimpleLogin are scanned for spam twice: once by the user's email service (Gmail, Outlook, etc.) and a second time by us (using SpamAssassin), so there should be no spam sent out from our server.
>
> Based on your note above, I'm not sure if you understand the real use case of the disposable email domains list. Most often this list is used to block bogus requests to CRM and block people who game free tiers in SaaS, etc. So, disposable email domain list is a godsend here when people exploit others' hard work.
>
> > Please note that blocking SimpleLogin and other privacy-focused forwarding email services is harmful to user privacy and shows that your service doesn't care about user privacy.
>
> With the GDPR, people have much control over their privacy. Perhaps the ideal use case of SimpleLogin may be privacy, but it is of course used for gaming and exploiting others' hard work.

GDPR doesn't stop you from sharing email addresses with third parties (advertisers).

and simplelogin protects us in the case of a breach, by not exposing our real email address.
I had that personally happen to me before, one service gets hacked, password linked to email address and then other accounts started getting hacked too.

@webdevterri

It's clear that many people don't seem to understand what SimpleLogin is exactly. I'm working on an article of how to use SimpleLogin (or at least my method). It will be posted on my Github as a repo. It should be out soon.

@jimjoh

jimjoh commented Dec 10, 2020

Thanks for your thoughtful replies @rrjanbiah and @GeroldSetz. I wrote issue #872 hoping to get an answer so I could understand the purpose of lists like this, but I believe that answer has been provided here. Please correct me if I misunderstood the reasons (I try to summarize here). I believe two reasons for blocklists like this are to:

  1. Prevent users from easily creating multiple accounts for online services
  2. Prevent spam

I anticipated and addressed the first reason in issue #872. The underlying problem here is that email addresses were never intended to be used as a unique identifier (as I state in issue #872 blocking disposable email addresses doesn't prevent duplicate accounts, which is probably why most large companies don't depend on this technique). IMHO the best solution would be to not use email addresses as a unique identifier or require some sort of secondary verification.

I understand that changing your unique identifier and/or adding other verification measures would impose an additional cost, so I can understand the allure of simply blocking services (email domains) that make it easy/easier to create multiple email addresses. However, IMHO the costs to this technique would outweigh the benefits for many businesses. A way to reduce the collateral damage would be to differentiate between disposable email addresses and email forwarding/alias solutions (under the assumption that email alias/forwarding domains would be less likely to be abused).

Preventing spam (reason 2) isn't a reason I had thought of. I would imagine disposable domains generate much more spam than email alias/forwarding services (again I have no data to back that up, just a guess). If my guess is correct then differentiating between disposable and alias/forwarding domains would also be beneficial here. Additionally there are many other techniques to reduce spam than simply blocking entire domains. By taking such a broad stroke you're bound to lose some legitimate emails.
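
The distinction proposed in the comment above (handle disposable and alias/forwarding domains differently, with secondary verification as the fallback), sketched as an added example that is not part of the thread or of this project's code. The domain lists, the action names and the Gmail canonicalisation step are assumptions of the example; the canonicalisation goes beyond the comment to show duplicate detection that does not depend on the domain at all.

```python
"""Tiered sign-up handling by e-mail domain category (illustrative sketch)."""
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    DISPOSABLE = "disposable"  # short-lived or publicly readable inboxes
    ALIAS = "alias"            # long-lived forwarding aliases
    REGULAR = "regular"


class Action(Enum):
    REJECT = "reject"
    VERIFY = "require_secondary_verification"
    ALLOW = "allow"


# Constructed sample lists using only domains named in this thread. Which list
# a domain belongs on is what the thread disputes; the placement here follows
# the comment above and is an assumption of the example.
DISPOSABLE_DOMAINS = {"mailinator.com"}
ALIAS_DOMAINS = {"simplelogin.co"}

# Gmail delivers dotted and "+tag" variants of a local part to one mailbox.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


@dataclass(frozen=True)
class Decision:
    action: Action
    category: Category
    key: str  # canonical form used for duplicate-account detection


def split_address(email: str) -> tuple[str, str]:
    """Split on the last '@' and normalise the domain; reject malformed input."""
    local, sep, domain = email.strip().rpartition("@")
    domain = domain.lower().rstrip(".")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    return local, domain


def classify(domain: str) -> Category:
    """Match the domain and each of its parent domains against the lists."""
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in DISPOSABLE_DOMAINS:
            return Category.DISPOSABLE
        if candidate in ALIAS_DOMAINS:
            return Category.ALIAS
    return Category.REGULAR


def canonical_key(local: str, domain: str) -> str:
    """Collapse address variants that reach the same mailbox."""
    local = local.lower()  # assumption: local part is case-insensitive
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def decide(email: str, seen_keys: set[str]) -> Decision:
    """Reject disposable domains; verify aliases and duplicates; allow the rest."""
    local, domain = split_address(email)
    category = classify(domain)
    key = canonical_key(local, domain)
    if category is Category.DISPOSABLE:
        return Decision(Action.REJECT, category, key)
    duplicate = key in seen_keys
    seen_keys.add(key)
    if duplicate or category is Category.ALIAS:
        return Decision(Action.VERIFY, category, key)
    return Decision(Action.ALLOW, category, key)


if __name__ == "__main__":
    seen: set[str] = set()
    # Constructed sample sign-ups.
    for addr in ("a@mailinator.com", "shop.x1@simplelogin.co",
                 "j.doe+shop@gmail.com", "JDoe@googlemail.com"):
        d = decide(addr, seen)
        print(f"{addr:28} {d.category.value:11} {d.action.value}")
```
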

@rrjanbiah
Author

@jimjoh

> A way to reduce the collateral damage would be to differentiate between disposable email addresses and email forwarding/alias solutions (under the assumption that email alias/forwarding domains would be less likely to be abused).
> ..snip..
> I would imagine disposable domains generate much more spam than email alias/forwarding services (again I have no data to back that up, just a guess).

First of all, the difference between disposable email address services and forwarding services is virtually nothing. In either case, you can still read incoming emails--though some disposable email services delete them after some time. Some services already offer routing. So, it is all based on the marketing texts and positioning. Both the services are using privacy marketing keyword.

When you side with the forwarding services and agree that disposable email address services should be blocked, people will game the forwarding services for misusing other businesses. You cannot educate anyone with how to use forwarding services and so on. I have noted that nowadays, SimpleLogin and Firefox Relay are heavily used or misused for the purpose of misusing/exploiting other business services... and so I have already blocked both.

@nguyenkims

@rrjanbiah As other users said, using email domain isn't a good way to avoid abuses. There are tools for that purpose like captcha, firewall, rate limiter, or invitation-only registration. Also Yahoo offers 100 aliases and Fastmail 600, maybe you should block Yahoo and Fastmail users too?

Privacy focused email alias service (there are less than 5 at the moment as far as I know) is an efficient way to protect user privacy and this is a known fact in the privacy-concerned community. You're free to block any domain on your website, just don't add our domains (or any other privacy-focused email alias service) here as this affects users who want their online privacy protected.

For information, we are thinking about creating a list of websites that don't accept email alias (and therefore don't respect user privacy) and this information is shown when someone visits a website via a browser extension. As developer, we should facilitate measures to protect user privacy as this is threatened and not the contrary.

@GeroldSetz
Contributor

GeroldSetz commented Dec 10, 2020 via email

@FarisZR

FarisZR commented Dec 10, 2020

> Uhhh, this discussion seems to become controversial. For me I can break it down to: I’d like to reach my customers via their primary email address. It’s easy like that and my personal choice. The service I provide (bdea.cc) covers the same purpose as this github list. Of course, my service is more comprehensive :-) But I do not tell my customers what to do with the list. If they block users right away, if they politely ask for a primary email, if they limit the free access due to the status of the given mail, if they refuse from bonus programs - it’s up to them. I don't care. G.
>
> Son Nguyen Kim [email protected] wrote on Thu, 10 Dec 2020 at 10:51:
>
> > @rrjanbiah https://github.com/rrjanbiah As other users said, using email domain isn't a good way to avoid abuses. There are tools for that purpose like captcha, firewall, rate limiter, or invitation-only registration. Also Yahoo offers 100 aliases and Fastmail 600, maybe you should block Yahoo and Fastmail users too?
> >
> > Privacy focused email alias service (there are less than 5 at the moment as far as I know) is an efficient way to protect user privacy and this is a known fact in the privacy-concerned community. You're free to block any domain on your website, just don't add our domains (or any other privacy-focused email alias service) here as this affects users who want their online privacy protected.
> >
> > For information, we are thinking about creating a list of websites that don't accept email alias (and therefore don't respect user privacy) and this information is shown when someone visits a website via a browser extension. As developer, we should facilitate measures to protect user privacy as this is threatened and not the contrary.
>
> --
> block-disposable-email.com, Trattenweg 234, 9535 Schiefling am See, Austria / Europe

What if we customers don't want to provide our primary email?
What if we don't trust your service's privacy policies?

It doesn't make a difference to the service provider, it's a permanent alias and the customer will receive your emails.

What's the problem with that? Why do you need my actual email?

@rrjanbiah
Author

@nguyenkims

> Also Yahoo offers 100 aliases and Fastmail 600, maybe you should block Yahoo and Fastmail users too?

It depends. If any service gets spams and misuse of services from any email providers, they'll block that domain.

> For information, we are thinking about creating a list of websites that don't accept email alias (and therefore don't respect user privacy)

How do you think that this sort of threatening and marketing will help you here? Remember that the Mailinator has solved the 'privacy' more than anyone here; but you're OK to block Mailinator!

> As other users said, using email domain isn't a good way to avoid abuses. There are tools for that purpose like captcha, firewall, rate limiter, or invitation-only registration.

How do you think above tools will help here? Do you think that the services that use this 'disposable email domains' list are not using these tools already?

@rrjanbiah
Author

@fareszr

> What if we don't trust your service's privacy policies?

Without accepting privacy policy of the site, why would the users want to create multiple free tier accounts?

> It doesn't make a difference to the service provider, it's a permanent alias and the customer will receive your emails.

Not true with the SimpleLogin. Also, you may want to do some self-realization on how the SimpleLogin is used by its users... like are they using multiple alias for a single domain or one alias per domain. Then, hopefully you'll understand how SimpleLogin is used--for 'privacy' or for misusing other services.

@FarisZR

FarisZR commented Dec 10, 2020

> @fareszr
>
> > What if we don't trust your service's privacy policies?
>
> Without accepting privacy policy of the site, why would the users want to create multiple free tier accounts?

The free tier thing is not exclusive to simple login, I have seen people creating email accounts to get free trials, it's not simplelogin's issue.

> > It doesn't make a difference to the service provider, it's a permanent alias and the customer will receive your emails.
>
> Not true with the SimpleLogin. Also, you may want to do some self-realization on how the SimpleLogin is used by its users... like are they using multiple alias for a single domain or one alias per domain. Then, hopefully you'll understand how SimpleLogin is used--for 'privacy' or for misusing other services.

How is it not true? If your emails are actually useful the customer will receive them, unless you want to send trash mail, and force the customer to see it, then No that's one of the best things with simplelogin, I can disable any alias at any time if you start sending spam.

@rrjanbiah
Author

@fareszr

> How is it not true? If your emails are actually useful the customer will receive them, unless you want to send trash mail, and force the customer to see it, then No that's one of the best things with simplelogin, I can disable any alias at any time if you start sending spam.

I understand that you're against 'disposable email' providers such as Mailinator even though they provide 'privacy' and routing. But, you're only for the alias provider SimpleLogin as it provides better 'privacy' and ability to stop receiving email.

Now, please check how SimpleLogin is used in reality. Then, you'll understand the issue much better.

@jimjoh

jimjoh commented Dec 10, 2020

After thinking about this more I think what this really comes down to is sites/services ban disposable and alias/forwarding domain because they can be abused by users to easily create multiple free accounts. There are two "simple to describe" but "difficult to implement" solutions to this that don't harm legitimate privacy focused users of email alias/forwarding services:

  1. Don't use email addresses as a unique identifier or require some sort of secondary verification as described above and in Why use this service? A respectful and thoughtful question/debate #872
  2. Responsible email alias/forwarding services and blocklist providers develop a framework for communication so that services that see abuse (users creating many junk accounts) can report this to the email domain's owner. Then the owner of the domain (like SimpleLogin) could take action against that user. I can't imagine a solution like this would work in practice because of the complexities and effort of this communication, the email alias/forwarding service would have to have TOS that say this type of abuse is not allowed and the email alias/forwarding service would have to have enough information about their users to be able to verify the abuse and stop it.

Realistically I don't expect either solution to be implemented due to the challenges involved with both.

@rrjanbiah wrote:

> Now, please check how SimpleLogin is used in reality. Then, you'll understand the issue much better.

I'll have to trust you that SimpleLogin is abused by some users. A few bad people always ruin the good things for the 99.9% of people that do the right thing.

@GeroldSetz wrote:

> For me I can break it down to: I’d like to reach my customers via their primary email address.

The problem with this logic is that "primary email address" is very subjective. Would you like my work email, my school email, my gmail address I use with friends, my yahoo email address I use for soccer league? I think what you really want is an email address I check and read. For users who correctly use privacy focused email alias/forwarding services like SimpleLogin, their SimpleLogin email address is something they read. Ironically, by blocking domains you'll actually force some users to use an email account they don't read.

@GeroldSetz wrote:

> But I do not tell my customers what to do with the list.

Unfortunately I think many customers don't understand the pros/cons of using such a list and use it when it's not appropriate. As I've stated before (especially in #872) some of the collateral damage is that users/customers of a website that blocks domains like this will either sign up with a junk account (gmail, yahoo, etc.) they never/rarely check or simply not use the service. Two examples from my personal life:

  1. I like to support small businesses (not Amazon), so I was going to create an account at a smaller electrical store website. They wouldn't accept my alias email address, so unfortunately I did not create an account with them and went back to Amazon (which doesn't block domains) to buy my parts.
  2. Minecraft is the only "big" service I'm aware of that blocks some alias/forwarding domains. When setting my kids up with Minecraft accounts I had to do so with my junk gmail account (which I never check after an account is initially created).

In both examples above it doesn't make sense to block domains. Since Minecraft charges money for every account I create they should encourage me to create a bunch of accounts!

Thank you @rrjanbiah and @GeroldSetz for the civil discussion. I now understand the problem you're trying to solve. I hope you also better understand the legitimate reasons some use email alias/forwarding services. I think we both want to prevent abuse. It's too bad I can't think of a realistic solution that would work for both sides, but maybe someone smarter than me has a better solution I haven't thought of.

For me I plan on continuing to use my email alias/forwarding services and simply avoid (when possible) using websites that block domains I use. You'd be surprised how many times websites are compromised, email addresses are stolen and used for spam. In my experience the majority of the time this has happened the website owner either isn't aware of the breach or doesn't want to admit to it. By using an email alias/forwarding service I'm saved from receiving these spams forever.

@MevoDOTsite

MevoDOTsite commented Jan 10, 2021

@jimjoh , I totally agree with you. It was said above that using this kind of list is not respecting users' privacy. I would say it's not respecting users, period. Also, you're right, it's bad for business: You WILL turn away some legitimate users for no good reason. The answers are unfortunately symptomatic of today's thinking of some people: View one side and be totally blind concerning the other one. And at the same time, burn the whole house down because there were a few mice in it. When you tell them it's silly to burn the house for such a reason and there are other more effective solutions, they will answer you: "Yeah, but there were at least 3 or 4 mice! And now there aren't any anymore." They also want to impose THEIR rules and don't really care about the users (or other people), it seems :(

Anyway, restrict bot account creation = ReCaptcha and such. Limit use of free tiers = For example a phone number only usable once. Even if there are some disposable SMS providers, every one of these numbers will only be able to be used once without doing anything else.

It's just not logical to want to ban useful services (and for bad reasons!). Creating different emails is good practice like not reusing the same password everywhere. Pretty much everybody is able to create as many email accounts they want with free services like yahoo, gmail, mail.com, and even their own ISP which often propose to create several email addresses. Thanks to "new TLDs", you can register several domain extensions for 1 year for less than $1 and create a bunch of email addresses on it. So, if people want to game free tiers, they will do it. They will probably do it that way rather than using a paid service (aren't they after what's free in the first place? ;) )

So, all this doesn't seem to make much sense to me either.
I would even go further: These days, any legitimate organisation is supposed to ask for consent to send emails, especially marketing ones (GDPR in the EU, CAN-SPAM act in the US, and other such rules in many countries + the will of users). You're also supposed to stop sending email if the person unsubscribes. Or not even start if they indicate they don't want to receive any notification or other email. In short: People should be able to choose to NOT receive any email.

Why even ask for an email address to someone not willing to receive any? For many services, there should be an option to register without giving one. We got so used to provide it, and click a verification link each time, that it became kind of "automatic". It doesn't really make sense for people who will disable every email sending option they can, or in any case, not read them like you well described. There are arguments like password recovery and such, but there are also other solutions for this. Giving them troubles by not accepting a huge list of addresses (domains) and services, well... That's pretty silly IMHO.

@JasonHK

JasonHK commented Apr 15, 2021

Let me share the services that had leaked my email address (and my personal information) in the past:

[Three attached screenshots, not preserved]

Can you promise that you will NEVER leak my personal information? Probably not.

As @MevoDOTsite had said, you can't really prevent registering spam accounts by blocking domains, since domains are so cheap to buy nowadays.

Actually, registering multiple Gmail accounts isn't that difficult after all, but I think @rrjanbiah and @GeroldSetz probably won't block gmail.com, why? Because the population of these spammers is tiny compared to the legitimate users. Same could be applied to SimpleLogin.

@GeroldSetz
Contributor

GeroldSetz commented Apr 15, 2021

Hey @JasonHK

My point of view as provider of block-disposable-email.com is as follows: there are services which provide free email addresses, such as gmail. And there are services which do have the only purpose to provide as many aliases as possible, such as simplelogin, emailondeck, mailinator. Just look how they position themselves. That's why I consider it fair to flag simplelogin as a disposable email provider.

Gerold

@ferraro

ferraro commented Apr 16, 2021

Hello, I'm the owner of TrashMail.com. I created the service in the year 2002. I think it's useless to block disposable email addresses: My customers want to protect their privacy.
If you block them:

  • My customers move simply from TrashMail to another service
  • They use custom domain names
  • They use again Plus addresses at their provider
  • They create again a second real email address at Gmail.com or other to use it as "Trash" address for temporary things

TrashMail.com tries to be something like a password manager (we call it address manager) for service:
For each service, a random forward address is created. Most addresses are created permanently, simply to detect leaks or to be disabled in case if they receive spam.

An email address is not a real person identifier, don't use it to identify persons. For this there exist solutions like bankident etc...
Anyway big corporations now use temporary addresses too, like Apple with their Single-Sign-On feature, Firefox relay.
Accept, that email addresses are today dynamic.

@theAkito

@rrjanbiah

From what you have said so far, you are strongly suggesting that you want to improve your failed business model and its execution by worsening the service of this project.

@ghost

ghost commented May 8, 2023

I see this issue is still open. I would like to see all disposable e-mail domain providers added to this blocklist. I get why people use them, but there is too much abuse coming along with it for SaaS owners.

@theAkito

I find it quite irritating, that so many people chime in on the issue "privacy" and "security", without actually knowing how it works. For example, having seemingly random modifiers to an identification code of any type, like an e-mail address for example, is a crucial part of "privacy". So, saying, "you can have your privacy, but without this privacy element" is like saying "you can drive the car, all I'm asking is that you leave the fourth wheel and drive with three". I mean, it is possible perhaps to do that, but it's not a secure (or private for the sake of this topic) car, anymore.

> that the benefit of straight out blocking all of these options far far far far outweigh the costs

For example, I strongly disagree with this statement. Of course, it's always about whose perspective you are questioning, but I think the perspective everyone should take first and foremost, as the most valuable one, is the consumer's perspective. Speaking based on that, from a consumer's perspective, there is no benefit at all in blocking any such e-mail domains, at all. It just bothers those companies, that don't know what the heck they are doing or just complain about issues, when their actual problem relies in some other part of their business. Exhibit A: just look at the guy above, not knowing how to run a business and then complaining about e-mail address domains. It's simply ridiculous and kind of cringe, too.

@ghost

ghost commented Jan 19, 2024

This isn't going to be merged ever so I guess this issue can be closed. I went ahead and blocked all Simplelogin, AnonAddy etc. domains in my application without this package.

@paulomanrique

paulomanrique commented Mar 5, 2024

The solution is simple: vote with your wallet. I won't ever use a service that wants my main email account. Like someone else posted: most of those services probably have a crappy security anyway, if they can't understand the basic of privacy.

"Ah, but some people abuse." Yeah, people abuse of everything, and blocking "everything" is not an option. But you know what is not an option? To use your crappy service. :)

@SuperS123

> The solution is simple: vote with your wallet. I won't ever use a service that wants my main email account. Like someone else posted: most of those services probably have a crappy security anyway, if they can't understand the basic of privacy.
>
> "Ah, but some people abuse." Yeah, people abuse of everything, and blocking "everything" is not an option. But you know what is not an option? To use your crappy service. :)

Exactly, I don't know why someone would need to spend $4/mo to create spam accounts when you can just make new Gmail accounts and mess around with dots if you're that lazy.
