Jump to content.

New Feature: Send bitcoins without knowing someone’s bitcoin address

Guerrilla Mail has a new feature:


The way it works is that all you do is fill in the “To” and “From”, and then click “Send”. Then deposit some bitcoins and an email gets sent to the other party with instructions for how to withdraw them. You can also track it, and receive a refund, should the other party fail to withdraw them.

There are a few services like these around. What makes this one unique?

The system will validate the email addresses, and probe each of the email servers responsible for receiving the emails to make sure that TLS is available. TLS, the successor to SSL, is needed to make sure that the email is encrypted as it travels through the internet.

TLS is not only good for encryption, it’s also useful to ensure that the server that we are connected to is indeed the server that we want to connect to, because we can check the certificate.

At present, it looks like a lot of email providers do not support TLS yet, but we don’t know how many. For example, Gmail & Hushmail are good, but Yahoo and Outlook/Hotmail are not. You would expect Yahoo and Microsoft to support such a basic feature in this day and age. Of course, all of the major email providers have switched their web interface to HTTPS, but most users are unaware that their email still goes through the internet in clear-text when it travels between servers.

Other notes about the system:

– A unique deposit address is generated for each ‘To’ and ‘From’ combination, for each session. However, the deposit address is remembered forever. So you could add it to your address-book and send more coins to it in the future. The system will look up the address to get the ‘to’ and ‘from’ and send back a confirmation with the tracking code to your address.

– Minimum deposit is 0.0001 BTC, because that’s the economical spendable amount at present. This can change in the future, depending on the exchange rate of bitcoin.

– The emails with withdrawal instructions are sent out immediatelly, no waiting for bitcoin network confirmations. Confirmations are only needed to complete withdrawals. Only 1 confirmation is needed for smaller values, otherwise 3 at present.

– The other party has 7 days to withdraw the coins, otherwise, they will be refunded.

– There’s no login or registration. Use straight away.

Outlook.com / Hotmail does not encrypt your email

When you visit Outlook, your browser’s URL bar will turn green and a padlock icon next to it. You’re safe from snooping, or so you thought?

When testing Outlook’s servers today, it was discovered that their servers do not support encryption for incoming email. So if you send an email from someone@gmail.com to someone@hotmail.com, the email, according to our results, will go from Google to Outlook without any encryption at all.

Here is how it should work:

Say if you sent an email to someone@hotmail.com, your server would look up hotmail.com in a global directory (DNS) to see what their mail server is, asking for the so called ‘MX Record’. Your server would get the MX Record which points to mx1.hotmail.com and attempt to connect to this server (on port 25). Then this connection would be secured and your email gets delivered.

The only thing different is that mx1.hotmail.com does not provide the ability to secure the connection. Yep, it completely ignores the command.

So, for example, when you send an email from Gmail to a Hotmail address, the email will go through the internet, hypothetically, without, any encryption!

We’re not sure why this is… every other major email service provider should support this service in this day and age. Don’t you think?


If you are technically inclined and want to validate our result, here is the test was done:

first, we get the mx entry for hotmail.com
$ dig hotmail.com

Next, have a look to see what services are available for us:

$ nmap mx1.hotmail.com

So now we know that we can only use port 25, lets see if they have TLS:

$ openssl s_client -connect mx1.hotmail.com:25 -starttls smtp

Normally, the above command should print SSL certificate information. It does not do it when we try it.