我的临时邮箱黑名单把我屏蔽了。
My burner email blocklist blocked me

原始链接: https://benjamin.piouffle.com/blog/burner-email-blocklists/

该作者曾开发过一款屏蔽“一次性”电子邮箱域名的工具,但现在他反对在用户注册时系统性地拒绝那些注重隐私的电子邮件服务。 其核心观点在于区分“公共共享收件箱”(临时的、任何人皆可访问)与“个人别名”(永久的、私人的转发地址,如 Firefox Relay 或 Apple 的“隐藏邮件地址”)。虽然公共收件箱常被滥用,但个人别名是用户保护身份、管理垃圾邮件及追踪数据泄露的重要工具。 作者认为,域名屏蔽列表对蓄意的垃圾邮件发送者而言并无成效,因为他们可以轻易通过自定义域名或 Gmail 别名绕过限制。因此,这些列表主要惩罚的是注重隐私的用户,却无法阻止真正的攻击者。 作者建议,服务商应停止将电子邮件验证视为衡量“可信度”的手段,而不应采取硬性屏蔽措施。如果必须使用列表,也应明确区分共享的一次性邮箱与个人别名。开发者应摒弃非黑即白的拒绝策略,转而将域名声誉纳入更广泛、更细致的风险评估体系中。

这篇 Hacker News 讨论帖探讨了使用邮件黑名单过滤“一次性(burner)”地址所面临的讽刺意味与实际挑战。 参与者认为,“一次性”邮箱与“别名”在功能上并无区别,两者都允许用户掩盖身份并批量生成地址。虽然一些服务商试图封禁热门的一次性域名,但用户指出,更强大的替代方案(如 Apple 的“隐藏邮件地址”、Fastmail 别名或自定义的泛域名解析)仍难以被有效封禁。 讨论还涉及了邮件“加号地址(plus addressing)”(例如 `[email protected]`)的局限性。多位评论者指出,这仅仅是一种约定而非严格标准;垃圾邮件发送者和数据聚合商可以轻易去除“加号”部分以获取真实地址,从而使这种保护隐私的策略失效。最终,该帖认为,封禁特定的邮件格式只是一场徒劳的军备竞赛,无法应对不断演变的用户变通手段和恶意攻击者。
相关文章

原文

A few days ago I tried to sign up for a public open-data service (the ECMWF, if you care) using a Proton Mail alias, and the form rejected my address as “potential spam”. My frustration was mixed with a bit of guilt: in 2018 I published Burnex, an Elixir package that compared emails against a large list of known burner domains, temporary inboxes like yopmail.fr that exist to receive a confirmation link and disappear. The library itself was relying on the fairly popular wesbos/burner-email-providers list.

At the time, I was working on a collaborative fact-checking platform where account authenticity mattered, and we needed some confidence that users were not fake or batch-generated. A domain blocklist felt like a cheap heuristic for a broader trust problem.

I may be late to the party, but let me put it clearly: I no longer recommend systematically blocking burner domains at signup.

TLDR;

If you are deciding signup policy today, do not automatically reject users for using privacy email services. Distinguish between public shared inboxes and personal aliases, and only block the former. The person behind an alias is more likely protecting themselves than trying to scam you, and the spammers have already moved on. If you maintain or consume a blocklist, consider splitting the categories and encourage good practices in your documentation.

Burners and aliases are not the same thing

A distinction that we often forget when it comes to email blocklists: a classic burner email is a public, short-lived inbox anyone can access, useful for clicking a verification link once and walking away. An email alias is the opposite: a permanent forwarding address tied to your account, that you control, can disable, and can trace back to a specific signup when your password appears in a breach.

Nowadays, tools like Firefox Relay and Apple Hide My Email are mainstream products, not edge-case hacker tools. Mozilla markets Relay as a way to keep your identity private when signing up for new accounts, and Apple sells Hide My Email as a way to share an address without sharing your real one (though they may be overselling that promise).

Blocklists that treat alias providers like throwaway inboxes end up blocking people who are trying to protect themselves. That matters beyond signup friction: aliases limit cross-site tracking, reduce spam after breaches, and let you know exactly which service leaked your address when junk mail starts arriving at a forwarding address you gave only to them. We should want more people using aliases, not fewer.

Blocklists don’t stop determined abusers

Determined abusers have never been limited to blocklisted domains. Gmail’s + aliasing creates unlimited variations of the same inbox ([email protected], [email protected]), services like Emailnator can help you generate infinite variations of these throwaway Gmail addresses on demand. Custom domains cost a few dollars a year while looking indistinguishable from legitimate business email. Unlike your users, spammers have the means and the time to work around a domain blocklist. For them it is a small obstacle, not a wall.

Yes, blocklists still catch some low-effort automated signups. But the cost is asymmetric: a naive bot gets slowed down slightly, while a real user with a legit alias gets hard-rejected with no recourse. You are optimizing for the attacker who gives up easily and punishing the user who takes privacy seriously. The people blocklists were meant to stop were never really stopped; they just learned to use domains you trust.

Beyond blocklists, email verification in general (including confirmation links) should not be treated as proof that an account is real, unique, or trustworthy. It only proves that someone could receive an email at that address once.

There are still valid uses

Checking whether an email domain appears on a known-disposable list is still a reasonable signal to feed into a broader trust or risk score, to surface suspicious patterns across a batch of signups, or to ignore them in your marketing campaigns.

If I were to rebuild Burnex today, I would narrow its scope to genuinely public and shared inboxes (addresses like mailinator.com where anyone can receive your verification email) rather than conflating those with personal forwarding services that happen to use a non-mainstream domain:

# Public burner inbox, probably ok to block
Burnex.is_burner?("[email protected]")

# Personal alias, usually not ok to block
Burnex.is_alias?("[email protected]")

But the problem is not just how one library categorizes domains: the upstream list Burnex relied on (wesbos/burner-email-providers) is consumed as-is by signup validators, third-party packages, and APIs worldwide. Many integrators block every domain in emails.txt without curating it, so the list’s categorization choices have real downstream effects.

For those who come after

I have opened an issue to propose exactly that split in wesbos’ list: keep one file for public shared inboxes (yopmail.fr, mailinator.com, and similar) and add a second for personal alias and forwarding providers (passmail.net, anonaddy.me, mozmail.com, and the rest). Then update the README with recommendations for good practices.

Due to a lack of time and because I don’t use Burnex anymore in the products I maintain, I deprecated the project in early 2026. Since then, Klemen Sever offered to take over the project, and I have transferred ownership.

联系我们 contact @ memedata.com