Mailinator changing '1 e-mail per person' mentality

Written by Adrian Holovaty on October 14, 2003

Mailinator is a free service that gives anyone open access to any e-mail address at the domain. (Read the FAQ.) Without a password, you can check the accounts at, or, or, or, just by going to the site's home page and typing in the username whose e-mail you want to check. Every account's inbox is open to the public.

Like, but simpler, Mailinator is great for when you're asked to provide a valid address for a confirmation e-mail from a Web site that you don't trust with your real address. Give 'em a bogus (but real) Mailinator address, then log into that account on and finish registration.

I love the idea. I think it's brilliant, and I admit to using Mailinator half a dozen times since I learned about it last week. In certain situations -- like the other day, when I needed quick access behind a news site's registration wall and didn't trust it with my real e-mail address -- it makes perfect sense. We live in a world where privacy policies are either too long to read or too short to trust. And a quick look in the inbox of any commonly used Mailinator username --, for instance -- proves that spammers are ready to attack at any instant.

But the honest online-content provider and Web developer in me don't like what's happening here. Requiring a unique, valid e-mail address is a convenient way to limit the use (or misuse) of certain legitimate Web applications. Typical Web bulletin-board software, for instance, allows only one person to register under a single e-mail address.

Yes, I know anybody can sign up for a free e-mail account at Hotmail or Yahoo Mail, but Mailinator removes even that small barrier-to-entry -- as Paul Tyma, the site's developer smartly notes on his Web site. And I'm not so sure many laypersons (read: non-Web-geeks) are familiar with free Web e-mail accounts and the importance of protecting one's e-mail address, anyway. That is, until services like Mailinator become widespread.

The point is, if Mailinator and its ilk get popular, Web developers are going to have to rethink the "one e-mail address per person" mentality. As the ease of accessing random e-mail accounts increases, the accuracy of user-submitted e-mail addresses declines. And that is a bad thing for content providers who have a legitimate need to ensure their customers' e-mail addresses are accurate.

One advantage of Mailinator, from a content-provider's perspective, is the obviousness of the address. If you get an e-mail at the domain, you can be 100 percent sure it's bogus. But, really, how long will it be before more services like this sprout up? And who wants to keep up with the list of domains? Sounds like an arms race to me.

There will always be people who go out of their way to beat the system, just as there will always be people who are honest (or naive, depending on your point of view) about giving away their e-mail address. But for the people in the middle, services like Mailinator accomplish one main thing: They spread the mentality that e-mail addresses are throwaways and most Web sites are out to spam you.

I still haven't decided how I feel about that.


Posted by padawan on October 14, 2003, at 11:02 a.m.:

I feel in a love-hate situation. I've used it personally once and loved the convenience. But I'm also a content provider and, until now, thought that the email address was the only piece of information worth relying on for a registration system. For now, I must admit that blacklisting mailinator in some situations came to mind, even if I agree with you that it's an arm race.

I spot two different issues that have unfortunately combined to become a bigger problem: privacy protection and spam. People have every right to ask for tight protection of their personal data (being French, I back up the European way, much more protective than the US one). And they are also right to be cautious about their email address, since it turns into a nightmare as soon as it falls on a spammer's list. There are solutions and best practices to the former issue, and pretty much nothing so far about the latter. I hope this does not lead good content providers to make their registration process more complicated.

Let's see how it evolves.

Posted by Simon Willison on October 14, 2003, at 12:22 p.m.:

This is a tricky one (I blogged it a while ago). As a web user, I love it; as a web developer, it's a nightmare. The web wants to be anonymous, but anonymity can breed abuse.

As web developers, we're going to have to face the fact that email addresses are no longer worth using as an "identity check". Instead, we need to look to ways of encouraging users to be honest. If a user has to register to use something, we should make their registration valuable to them (by tying it to personalisation services that they care about). Avoiding abuse is going to require vigilance more than anything else, but by sharing the responsibility for watching out for abuse among larger numbers of people this isn't as huge a task as you might think. Wikipedia for example allows anyone to edit any page, but has a small army of supporters constantly monitoring the "recent changes" list watching out for abuse. Abusive content often vanishes within minutes of being added, but because the monitoring task is shared between a large number of people it doesn't require a huge time sacrifice from any single individual.

Web development has always been full of interesting challenges, and the loss of email as a proof of identity just means we'll have to come up with more interesting solutions to common problems. What doesn't kill us only makes us stronger ;)

Posted by Wilson Miner on October 14, 2003, at 4:37 p.m.:

I think Simon's right. E-mail stopped being a unique identifier a long time ago. Even some of the least-savvy computer users I know have more than one AOL/Hotmail/Yahoo account. Most college students I know have the e-mail provided them by the school in addition to that. Last year for a while I had 4 e-mails that I checked every day - school, work, .mac (waiting out the expiration date), and my own domain. Now I use my catchall address at my domain to create a unique address for every site I register with. If I get viagra e-mail I know who sold me out, and I can block just that address (and direct my righteous fury at the offending site).

Point being - spam, free unregulated e-mail, and the sheer popularity of it means if you need to identify somebody for sure, the old Name/Email trick just hasn't been cutting it for a while. Short of collecting everybody's SS# every time they want to post a comment or a product review, I don't know what's next.

It's a bigger challenge, but I think there is a path to follow in paying attention to the community model - making it worthwhile for members to maintain a persistent "reputation" within a viable community, and to maintain the integrity of the community. It doesn't necessarily prevent misuse - I can still go out and create an alter ego and wreak havoc - but if you build a strong enough sense of community, i think this kind of behavior is deterred to a certain extent. I've seen it happen both ways.

Posted by Steven Moussawer on October 15, 2003, at 5:26 a.m.:

Why not just block out the Malinator domain?

Posted by Daniel Von Fange on October 15, 2003, at 11:12 p.m.:

You can't even just check for in the address. Anyone can point their domains to the service, and many have.

(I use mailinator too.)

Posted by Rob Ballou on October 21, 2003, at 5:18 p.m.:

Another scary addition to this story: Yahoo is giving their web-based email customers the abillity to set up dummy email addresses for entering personal information on the web site.

Posted by on January 6, 2004, at 2:43 a.m.:

I prefer mailinator. Actely if peple use mi program enter email adres mailinator, I will be fine with that. I prefer that I dont care how meny email per persen. If sumbudy makes up to meny acounts I will delete ther acount watever email adres it is.

Posted by ne1 on January 23, 2004, at 5:57 p.m.:

What's the prob? If you are requiring an email to verify ID then you should be limiting registration to that email to only one person, e.g. should only be able to register for your site once and any subsequent attempts to try that ID should show that it is already registered at your site. The next person would have to come up with another name such as

Comments have been turned off for this page.