Jump to content.

Easter egg on Guerrilla Mail

Hint.. There’s an Easter Egg on Guerrilla Mail.

Telnet to grr.la on port 25, then type in HELP (enter)

Apple wants to patent Disposable Email


A patent application has been filed by Apple Inc. on Feb 13, 2014, claiming to have invented an easy way to use disposable email. It can be viewed here: Patent application US20140047043

The patent claims that disposable email is difficult to use, and therefore, not widely used. The solution they propose mostly describes how to integrate a regular email client with their disposable email solution.

How do they make it easier? As best as we can interpret the patent,  your web browser will automatically detect an email address field, and then offer to use a disposable email address. If you receive a new email to that disposable address, it will arrive in your real inbox, and if you reply to it, it will not reveal your real email address.  (Email will pass through some kind of proxy which maps and changes the ‘from’ and ‘reply-to’ email headers). You can also choose how long the address will last for, and the system will also track which service the email address was used with, so that the source of any future spam can be traced.

It also describes a solution for circumventing the problem where some services may detect and refuse disposable email addresses. It does this by using a disposable address which looks like a real address. Eg, normally we can tell which Gmail addresses are disposable, because they have a + after the name. eg. user+something@gmail.com – however, if they looked like MikeSmithJones47@apple.com then it would be impossible to distinguish.

In a way, it is fantastic that a company such as Apple is thinking about providing disposable email to the everyday consumer. This is one of the things that Apple has always been good at – making things simple and easier to use. However, by filing out a patent application is not the best way in the spirit of the internet, and the general user.

Do we have a problem with this patent application? Our system works slightly different than what they propose, so technically it’s slightly different… However, if the patent is granted, what if Apple doesn’t do anything with it and simply sit on it until it expires years later? In that case, nobody will be able to provide a better integrated disposable email service for their users without being in danger of infringing on the patent.  Therefore, every disposable email user will be negatively affected by this patent.

We believe that the idea of disposable email should be open and free for everyone to develop and provide for the masses. The more of such competing services, the better, because spam fighting is a problem that we all share and should combat together.  Guerrilla Mail didn’t invent disposable email,  so if it wasn’t for the open nature of sharing ideas for free, we would not be around. (The idea and the development of the idea of disposable email should be credited to some of the early providers such as http://spamgourmet.com/ and http://mailinator.com/ and there are many other innovators in this field)

Besides, a tiny outfit such as Guerrilla Mail has no resources or funds to be able to file patent applications, even though Guerrilla Mail has an endless supply of unique ideas.

Reading the patent application, it looks like Guerrilla Mail could have come up with a similar idea presented in the patent in 30 minutes or so. Because patent applications are expensive, only those with large budgets can file them, even though they do not have a product yet and they do not intend to use them.  If the reason that we have patents is to protect the small inventor from being crushed by the bigger players, then this system is totally broken – small inventors simply do not have the resources or budgets to file patent applications.

There is a chance that we can get the patent application squashed by finding prior art. The date is prior to 8/13/12

A thread on “Ask Patents” has been created here: http://patents.stackexchange.com/questions/6054/disposable-email-addresses-apple-patent-application-prior-art-request/6124#6124

If you know of any prior art, please post your comment there, thanks.

Guerrilla Mail also provides an API. With the API, it is possible for developers to integrate disposable email features in to their products. Has anyone used our API to integrate disposable email in to their product / service? Perhaps you made a browser extension, a plugin for an email client or used the API in any way that makes disposable email easier / more accessible? Let us know.

Finally, here is an interesting link to a Wikipedia page with resources summarizing the software patent debate http://en.wikipedia.org/wiki/Software_patent_debate

Statement on Harvard incident, to clear up some facts about Guerrilla Mail

This is a response to the recent media reports about a student attending Harvard who used Guerrilla Mail and Tor (https://www.torproject.org/) to issue a bomb hoax in order to get out of a final exam. The story spread world-wide with a lot of miss-information about Guerrilla Mail and what it does.

We want to clear up some facts about Guerrilla Mail. The purpose of Guerrilla Mail is not for anonymous email accounts or to hide your identity for nefarious activity, as suggested by the recent articles in the media.

Selected articles –

False:  “Guerrilla mail provides anonymous email accounts”

True: Guerrilla Mail is an anti-spam solution

Guerrilla Mail is an anti-spam solution and is used to prevent spam. It provides disposable email addresses for receiving email. How does it work? Say if you stumbled on an interesting website which asks for your registration, but you don’t trust it with regular your email address. You can get a disposable address form Guerrilla Mail without any signup or registration. Any future spam will go to the disposable address, instead of your regular address.

Originally, Guerrilla Mail allowed you only to receive email. The sending feature has been added recently due to popular demand. Sometimes users may be required to send an occasional email, reply, or perhaps forward an email from their disposable address. We make it clear on the compose page that the originating IP will be added to the headers.

Nowhere on this website it says that we provide anonymous email accounts. Actually, Guerrilla Mail does not have a concept of accounts and it does not function as a regular email service. Moreover, any user can access any other user’s email if they know or can guess the address. For example, you can access the inbox for test@guerrillamail.com here: https://www.guerrillamail.com/inbox/test – there is usually email waiting there since ‘test’ is a common name.

In summary, it’s really important that the confusion is cleared up. Guerrilla Mail is not an anonymous email service, but an ant-spam solution.

Guerrilla Mail does a lot of good for the Internet

Guerrilla Mail receives over 50 gigabytes of email daily, most of these messages are spam that would otherwise land in someone’s inbox. Since 2006, guerrilla mail has received over 1.1 billion emails, and that number is projected to grow to 2 billion by the end of 2014. The service is free and runs on a shoe-string budget, just a one-person side-project.

Disclosing an IP address

Guerrilla Mail makes it clear to the users that the originating IP address will be added to the headers of outgoing email. It’s stated on the compose form, as well as the ToS.  This is how the internet works, and it is perfectly normal. The internet cannot function without this. For example, when every time you visit a website, you always have to give out your IP address so that the remote server can send text, pictures and video back to you.  Additionally, it’s standard practice for other web-based email services providers to insert a “x-originating-ip” header in to  emails as this helps to identify the source of spam and discourage serious abuse.

Note that an IP address by itself does not identify individuals, it usually identifies networks such as companies, institutions and internet services providers. Often, IP addresses are shared between hundreds or even thousands of people. Although, it can still be used to narrow down the search to get a rough idea of the source.

Hiding your IP address is beyond the scope of service that Guerrilla Mail can provide – it can only hide your email address to protect from spam. (However, if you need to hide your IP, one can achieve this by using a VPN, a proxy server or onion routing software such as Tor).

It has been a very unfortunate incident

Having read the story and the possible penalties the student could face, there could be a lot of sympathy for this student. A bomb hoax is a very desperate act to commit in order to get out of an exam, and this could indicate that the poor student was under a lot of stress and pressure to succeed. Harvard is one of the most prestigious universities, and the competition there would be immense. If you are under stress or generally feeling unwell, please think through the situation properly before taking drastic action.

Our policy for information disclosure to help with law enforcement

Guerrilla Mail has had no contact with law enforcement officials thus far, but will co-operate if required. However, email is kept on Guerrilla Mail for only 1 hour, logs are automatically deleted within 24 hours, so the offending emails have long been deleted by the automated systems from our server, so there is little information that can be provided besides what is already known by the receiver. Guerrilla Mail also cryptographically signs all outgoing messages, so whoever has the copy of the original messages can validate their authenticity using DKIM (http://www.dkim.org/).

Guerrilla Mail’s Sending feature – 1 year in retrospect

The email sending feature has been live for over a year now. Here is a blog post with some reflections thus far.

First, why was this feature introduced? The biggest motivation was because this was the most requested feature. Sometimes our users want to forward an email they have received. Sometimes they need to reply to an email that they received. Sometimes, they need to send a single email to someone, but they do not want to use their real email address.

Providing an email sending feature can be difficult. It opens up a can of worms, especially because of the potential for abuse.

How do we minimize abuse, including eliminate spammers from taking advantage?

1. CAPTCHA test. Users are required to type in the text they see in an image. This almost guarantees that the user is a real human, or at least spent some resources on the problem. (It’s a trade-off with usability, although Google’s reCaptcha usability has improved significantly the last few months)

2. Take the email through a spam filter before it is sent.

3. Aggregate the spam scores and also calculate the averages for each originating IP address. We have an automated banned IP list. This catches a lot of spammers. For the biggest spammers, we do not let them know that email was caught. This means spammers waste resources by filling out the form and solving CAPTCHAs.

4. Add the originating IP address to the email headers, to help the receiving back-end judge whenever the sent email is to be flagged as spam.

5. Do not allow to set a name for the “From” header to eliminate the possibility of impersonation or fake emails

6. Clearly mark the emails that they came from Guerrilla Mail in the signature.

7. Ability for receivers to report abuse and block all future email to their address.

Another issue that we have to deal with is the added anonymity that Guerrilla Mail provides. Guerrilla Mail does not require login or registration, and email is kept for only one hour. Although we still attach the sender’s IP address to each outgoing email, users could easily use Tor, VPN, or someone else’s Wi-Fi to mask their actual IP address.

Anonymity is not the goal of this service, rather an unintended feature. The goal of Guerrilla Mail is so that the user’s email address will not get collected by the receiver and avoid being added to some spam database. Anonymity can be an advantage. So why is anonymity an issue?

When we launched this service, we were worried that the added anonymity would attract abuse. Sure, anonymity on the internet can do a lot of good, such as whistle-blowing or provide a screen from persecution. Sometimes, anonymity can also bring out the undesirable traits of human nature, and that is what we were worried about. After a year of operating, we are glad to report that it has not been much of a problem, except for a very small minority who abuse the service.

Unfortunately abuse such as bullying or harassment is the dark side of human nature, and the written, non-verbal nature of internet communication can amplify or distort the interpretations of such messages. Bullying is not spam, it is sent by real people, and there’s no such thing as a ‘bully filter’, which makes these messages more difficult to filter.

We recommend that you:
1. Do not take these messages seriously.
2. Do not reply or show any response to such emails.
3. Use the blocking feature and block all email Guerrilla Mail. (This will report the email to us too)

Rule 2 is the most important. DO NOT REPLY. DO NOT REACT. If you do reply to the message, or make such a message public, then you will be giving the sender exactly what they want – a reaction.

As for the people who use our sending service, we ask them to be mindful of their actions, be forgiving and treat others in a respectful way.

One billion emails processed!

Yesterday, we passed the one billion emails processed mark!

Most of it has been spam or other junk including phishing and scam emails. Sure, there are probably billions of such emails sent daily, which makes our count just a drop in the ocean, but we’re glad to make a difference, however small…

The number of email coming in to Guerrilla Mail is increasing each day. We sure look forward to the next billion milestone arriving faster than ever.

Why we like Bitcoin @ Guerrilla Mail?

We really like Bitcoin here at Guerrilla Mail.

We first blogged about it in June 2011, when we were excited to propose a novel system for email stamps: https://www.guerrillamail.com/blog/stamps-for-email/‎

Since then, we have seen Bitcoin decline, rise again, decline and rise again. Each time, coming back stronger than ever.

We’re not talking here about the price of Bitcoin on the exchange. Bitcoin is not for investing, or at least investing is not why we care about Bitcoin. So why do we like Bitcoin?

The answer is that Bitcoin: 1. solved a very difficult problem of tracking decentralized transactions, 2. It plays well with the internet (after all, it’s just another protocol, as HTTP and SMTP are), 3. is easy to program and integrate in to many different applications, some that were not possible before.

The former reason is probably the most important. Bitcoin can be used for much more than just payment. For example, applications can include micro-payments, contracts, proof of ownership, automated meditation, escrow, authentication, and more. These features are there now laying dormant in the protocol, ready to be used by the next generation of the economy of the internet.

The adaption of Bitcoin is growing fast, and we can tell. As you may have noticed, we have added a bitcoin donation address. To our surprise, we have received quite a few more donations than expected! This could be because bitcoin removes a lot of the friction. Instead of the hassle of clicking on a button, going to another page to checkout, taking out a card, typing in the card, filling in the billing address, etc, … all users only do is scan a QR code and send a Bitcoin transaction instantly in one step!

(We really want to thank all of those unknown people who donated. With your donations, we were able to sit back with nice cold beer, purchased directly with Bitcoin! )

Bitcoin donations beat Flattr.com too. (And there was one mistake donation for 1.8 BTC was was promptly returned. Bitcoin transactions are irreversible, unlike credit cards which can be charged-back). What’s amazing is that people can send us their donations, almost instantly, from anywhere in the world, without the need for for trusting any intermediately such as a bank or a postal service. And yes, we can really spend our bitcoins on legitimate, common, every-day items, such as beer or a meal!

We are very interested in developing Bitcoin apps too. This year, we have seen the launch our first Bitcoin service: Ability to send Bitcoin via email, without the need to know someone’s email address: https://www.guerrillamail.com/bitcoin – which was a good warm-up in to the bitcoin services.

Development is now under way on a brand new Bitcoin application, something that’s never been tried with Bitcoin yet. The application is due to be unveiled in about a month from now.

New Feature: Send bitcoins without knowing someone’s bitcoin address

Guerrilla Mail has a new feature:


The way it works is that all you do is fill in the “To” and “From”, and then click “Send”. Then deposit some bitcoins and an email gets sent to the other party with instructions for how to withdraw them. You can also track it, and receive a refund, should the other party fail to withdraw them.

There are a few services like these around. What makes this one unique?

The system will validate the email addresses, and probe each of the email servers responsible for receiving the emails to make sure that TLS is available. TLS, the successor to SSL, is needed to make sure that the email is encrypted as it travels through the internet.

TLS is not only good for encryption, it’s also useful to ensure that the server that we are connected to is indeed the server that we want to connect to, because we can check the certificate.

At present, it looks like a lot of email providers do not support TLS yet, but we don’t know how many. For example, Gmail & Hushmail are good, but Yahoo and Outlook/Hotmail are not. You would expect Yahoo and Microsoft to support such a basic feature in this day and age. Of course, all of the major email providers have switched their web interface to HTTPS, but most users are unaware that their email still goes through the internet in clear-text when it travels between servers.

Other notes about the system:

– A unique deposit address is generated for each ‘To’ and ‘From’ combination, for each session. However, the deposit address is remembered forever. So you could add it to your address-book and send more coins to it in the future. The system will look up the address to get the ‘to’ and ‘from’ and send back a confirmation with the tracking code to your address.

– Minimum deposit is 0.0001 BTC, because that’s the economical spendable amount at present. This can change in the future, depending on the exchange rate of bitcoin.

– The emails with withdrawal instructions are sent out immediatelly, no waiting for bitcoin network confirmations. Confirmations are only needed to complete withdrawals. Only 1 confirmation is needed for smaller values, otherwise 3 at present.

– The other party has 7 days to withdraw the coins, otherwise, they will be refunded.

– There’s no login or registration. Use straight away.

Outlook.com / Hotmail does not encrypt your email

When you visit Outlook, your browser’s URL bar will turn green and a padlock icon next to it. You’re safe from snooping, or so you thought?

When testing Outlook’s servers today, it was discovered that their servers do not support encryption for incoming email. So if you send an email from someone@gmail.com to someone@hotmail.com, the email, according to our results, will go from Google to Outlook without any encryption at all.

Here is how it should work:

Say if you sent an email to someone@hotmail.com, your server would look up hotmail.com in a global directory (DNS) to see what their mail server is, asking for the so called ‘MX Record’. Your server would get the MX Record which points to mx1.hotmail.com and attempt to connect to this server (on port 25). Then this connection would be secured and your email gets delivered.

The only thing different is that mx1.hotmail.com does not provide the ability to secure the connection. Yep, it completely ignores the command.

So, for example, when you send an email from Gmail to a Hotmail address, the email will go through the internet, hypothetically, without, any encryption!

We’re not sure why this is… every other major email service provider should support this service in this day and age. Don’t you think?


If you are technically inclined and want to validate our result, here is the test was done:

first, we get the mx entry for hotmail.com
$ dig hotmail.com

Next, have a look to see what services are available for us:

$ nmap mx1.hotmail.com

So now we know that we can only use port 25, lets see if they have TLS:

$ openssl s_client -connect mx1.hotmail.com:25 -starttls smtp

Normally, the above command should print SSL certificate information. It does not do it when we try it.

The burden of Telecommunications data retention laws and subpoenas

Lavabit.com (an email service provider like Gmail/Hotmail, but with better privacy features) abruptly shut down this week, possibly due to complications from a subpoena, e.g. “National Security Letter” (NSL).

This brings some concerns for email service providers everywhere, uncertainty for the users of email services likewise.

Guerrilla Mail doesn’t store any email for more than an hour, so it should be immune from such problems – by the time such a request comes, the email(s) would be long deleted, automatically, because that’s how the system is designed to work. And there’s no account registration, so there’s no account data to disclose.

As at August 2013, up to 40GB+ of data is deleted daily. At present, our server access logs are turned off, to save the disk from frying. If the logs are ever turned on, it’s done so for troubleshooting problems or generating local reports, all raw access-log data is discarded quickly after such use.

One potential problem on the horizon is the introduction of Data Retention Laws. These laws are slowly being introduced world-wide, country by country, including the US, UK, EU. Wikipedia has an article about the current state of these requirements http://en.wikipedia.org/wiki/Telecommunications_data_retention

Why do they need these laws? To conduct mass surveillance of all citizens of course! What else can mandatory data retention laws be used for? OK, it’s understandable that some companies or industries have their own specific policies for retaining their communications data for their own purposes. However, it may be overreaching and unreasonable if these laws should be applied to the communications of ordinary citizens.

These laws also place additional burden on internet service operators, since they now have to store all that extra data and comply with the added bureaucracy. It would be a great burden on Guerrilla Mail to store 40+GB of data per day for such a long time.

Also there’s the burden of dealing with subpoenas. Some types of subpoenas can include a gag order, which can have quite a psychological effect, including an ethical dilemma, on the persons receiving such an order. Probably that’s why the operator of Lavabit decided to shut it down. (There’s speculation that the Lavabit operator was under a gag order, facing a position where they would need to to lie to their users, they chose the more honorable decision to shut it down instead)

Data retention laws already exist and are probably already in force where you live. In the European Union, “Directive 2006/24/EC” requires that communications, such as emails and email access data must be stored for 6 to 24 months. This directive has been implemented in most EU countries, some even going for more than the directive required. Fortunately, some countries such as Germany and Romania deemed the directive as unconstitutional. It should be noted that Germany and Romania are countries where many of their citizens can still remember what it is like to live under total surveillance.

There is no similar “Data Retention Directive” for the United States yet. Several attempts were made, but failed. Certainly, more attention needs to be given to these topics, or else very soon, we will wake up one day in an Orwellian 1984.

New short ‘domain hack’ – grr.la

GuerrillaMail has a new short ‘domain hack’ URL


Memorize this URL for when you need a new email address quick!

You can also use this domain for email. No need to pre-visit GuerrillaMail, just think of anything@grr.la and check it later. Your address needs to have the letters from a-z, numbers 0-9. Be creative. (But do not use common ones like postmaster@grr.la or webmaster@grr.la, these names are reserved).

Oh, July / August is the time when Guerrilla Mail will be getting some new features added – coming soon.

Next Page »