1. 35

Code Repo https://github.com/mozilla/fx-private-relay


  2. 5

    I’m wondering what anti-abuse mechanisms are being employed. I’ve had to filter out several disposable email domains in the past (as per business directives). What’s to make this service any different from the rest? Granted, making a disposable gmail address is rather easy, but a counter argument would cite that gmail is more often used by legitimate people for legitimate purposes unlike other simple disposable email address solutions.

    1. 5

      As far as I know, this is only for receiving emails, which makes anti-abuse a lot easier.

      1. 4

        Here, you should think of “abuse” as in “making a ton of accounts with one e-mail address”.

        Most services ban specific services similar to this one. Some even whitelist domains such as gmail.com, so you can’t even use your own domain.

        1. 4

          The proposal appears to be a rate limit on new addresses over time

    2. 4

      Fastmail has a feature where you can have <anything>@user.domain.com go to the inbox for a user. It’s handy, and it’s much harder for people to block (assuming you’re using your own domain). If I want to block a sender, I can just block everything for that particular address. It also makes it easy to organize mails, for example I could use slack@brenden.brndn.io for a slack account.

      1. 4

        I accomplish the same thing with Office 365. It’s quite confusing to customer service reps though. I have to explain the idea behind it at least once a month, but the sense of security that comes from knowing who leaked/sold my email is really nice.

      2. 3

        I wish there were something like this for phone numbers. Of course, they’re more artificially scarce than email addresses, but still.

        1. 5

          You can use https://jmp.chat/ for this - it supports short codes so should work for most services.

          There is work being done to facilitate this particular use case, but in the meantime you can use a new trial account for each new number. As you alluded to, phone numbers are scarce, so re-use is much more likely after the number has “expired”. Also, phone numbers cost real money, so it’s harder to offer the service.

        2. 3

          I used to run a service like this. I took it down because it was a side project and needed more attention than I could give it. Plus the times are weird with regards to email and logging. I guess an organization bigger than a single person can handle this better.

          1. 3

            I’ve used https://www.spamgourmet.com/ for ages and it works quite well for me. Will be interested to see how this goes once generally available.

            1. 2

              I’m so glad this is being explored and implemented by Mozilla, I imagined something like this for a while and really envied that Apple offered such first. I can’t wait to change all of my catch-all-gibberish addresses to something like that.

              1. 2

                I made something like this (though with a bookmarklet rather than an extension or add-on) as a fun project in 2010 when node.js was still very, very new and I wanted to try my hands on that new-fangled server-side JS.

                I even got to talk about it on jsconf.eu (it was my first ever public speaking engagement, so be very patient). And I did write a series of blog posts about its development (remember: in 2010, node was very new, so this was interesting).

                It was all fun and games until two somewhat mainstream-y articles were posted about it. That’s when the spammers found out that this was practically a free relay because they would request one alias for each spam mail they wanted to send out, abusing my infrastructure’s good mail sending rep.

                I tried battling them for a few months but then I came to the conclusion that I must be mad to sink so much time into a fun project and pulled the plug.

                I wish Mozilla the best of luck with their endeavour.

                1. 1

                  Thank God this technology is finally gaining some traction. I’ve been using Abine Blur’s free tier for the longest time, but I’ve been really let down by the clunkiness of their solution, whether it’s the website or browser extension or mobile app. Hopefully we get a high-quality, comprehensive solution to identity control in short time.

                  1. 1

                    GMail has this somewhat built-in: username+anytextABC123@gmail.com.

                    It’s not that I’m advocating using GMail as a solution for privacy concerns :D, but if one day you’ll get a spam message containing the text username+servicename@gmail.com, you’ll know which service leaked the address ;).

                    1. 1

                      FastMail supports this as well. Additionally, they support (free) aliases on hundreds of very generic domains like “eml.cc”, which allows you to have a similar setup on those websites where a “+” in an email address is deemed to be an illegal character.

                      Mozilla’s new service covers more ground, though, and it’s far more automated than any of these approaches. I’m looking forward to it!

                      1. 1

                        Well, that will hold until the spammers start filtering out the +thing part of the email address before sending their stuff :(

                        1. 1

                          GMail has had + aliases for at least a decade or more. Spammers know about them but it doesn’t matter since Google’s spam filtering is quite aggressive anyway.

                          The more annoying thing is that either through ignorance or malice (I’ve encountered both), many mainstream services and websites will not let you use a + in an email address. They claim it’s not a valid character even though it most certainly is.

                          This was actually one of the main reasons I decided to host my own email: I can tell Postfix to use . as the alias separator, which all companies and web forms accept.

                          1. 2

                            I know of sites that discard / disallow the plus sign because of abuse when they offer freemium services. So with user+one@example.com you get one month free, user+two@example.com a second one, etc.

                        2. 1

                          If you use your own domain, service@your.domain is always a thing..
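
The repeated-free-trial problem raised in the thread (user+one@example.com, user+two@example.com) can be handled by comparing canonical mailboxes at signup instead of rejecting "+" as invalid. This is an added sketch, not code from any commenter or from the Relay repository; the delimiter table, function names and sample signups are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumption: tag delimiter per receiving domain. "+" is the separator the
# thread describes; example.org with "." stands in for a self-hosted domain
# whose mail server was configured with a different separator.
DELIMITERS = {"gmail.com": "+", "example.com": "+", "example.org": "."}


def canonical_key(address, delimiters=DELIMITERS):
    """Return the mailbox an address is assumed to deliver to, or None."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        return None  # not parseable as local@domain
    domain = domain.lower()
    delim = delimiters.get(domain)
    if delim:
        base = local.split(delim, 1)[0]
        # "+tag@..." has no base mailbox; keep the local part intact.
        local = base or local
    # Assumption: treat the local part as case-insensitive for comparison only.
    return f"{local.lower()}@{domain}"


def duplicate_trials(signups, delimiters=DELIMITERS):
    """Map canonical mailbox -> signup addresses, where more than one exists."""
    groups = defaultdict(list)
    for addr in signups:
        key = canonical_key(addr, delimiters)
        if key is not None:
            groups[key].append(addr)
    return {k: v for k, v in groups.items() if len(v) > 1}


SIGNUPS = [  # constructed sample input
    "user+one@example.com",
    "user+two@example.com",
    "User@Example.com",
    "service@your.domain",   # unknown domain: cannot be collapsed
    "other@your.domain",
    "not-an-address",
]

if __name__ == "__main__":
    for mailbox, addrs in duplicate_trials(SIGNUPS).items():
        print(mailbox, "<-", addrs)
```

The original address is still the one to store and deliver to; the canonical key is only for the duplicate check. Addresses on a personal catch-all domain stay distinct here, which is why a per-domain rate limit is the usual complement.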