Giving an exempt for Spamgourmet domains #21

Open
lwcorp opened this issue Oct 21, 2018 · 19 comments

@lwcorp lwcorp commented Oct 21, 2018

https://www.spamgourmet.com is not your standard "launch and forget" disposable service, as:

  1. It requires registration.
  2. It forwards incoming mail into one's real address.
  3. It can be set for unlimited messages from the original senders.

It's meant to stop websites from selling your addresses to a third party, not to stop you from getting mail at all.

As a result, projects like Mantis Bug Tracker don't allow Spamgourmet users to participate in trackers, even though those users have every intention of getting the trackers' replies and just don't want to be affected in case the trackers should expose addresses.

Will you consider granting an exemption for Spamgourmet domains?

Owner

@vboctor vboctor commented Nov 4, 2018

Kickbox suggests that this domain is disposable. See here

I have added a feature that enables consumers of the library to add / remove domains from the list of disposable domains.

Author

@lwcorp lwcorp commented Nov 7, 2018

I actually went ahead and approached Kickbox. They said that, unlike you, they're a reporting service and not a blocking one. This statement suggests they don't mind stepping into gray areas and letting someone else decide whether to use this info for blocking or not.

But your case is different because you take an active stand. If a domain is on your list, it's game over for it. Sure, now you let people add/remove domains, but I think we can safely assume it's not like thousands of admins out there will know to start whitelisting Spamgourmet. Actually, even if they did, they'd need to register and sign in to Spamgourmet to even know which domains to whitelist other than the main one. And then sign in every time there's a new domain...

@fredericmora fredericmora commented Mar 13, 2019

I am one of the maintainers of spamgourmet. This is not a disposable domain. This is a spam filter. Sure, you can register an account and never use it again, but that's also true for GMail and other online services. So why is spamgourmet penalized?

Once you have created an account in spamgourmet, you can use tags to identify intended recipients. This is exactly the same as GMail allowing you to register an account (joeblow @ gmail) and then specify a tag for all github email (joeblow+github @ gmail).

The one difference is that GMail does not allow you to use tags for anything but searches, whereas spamgourmet lets you block a tagged address that has been abused.

So please make an exemption for spamgourmet.

Thank you!

@x80486 x80486 commented Aug 25, 2019

...so what's the status for this ticket? It's been open for almost a year 😉

@gnasch gnasch commented Sep 1, 2019

I sustain this request; there is nothing "disposable" about Spamgourmet.
Every company I trade with receives their "own" Spamgourmet address to mail me.
They will get all their replies with the same address. Some do sell or lose their addresses;
I will cut them off. Some do not like this treatment; they will get no business from me.
Has worked well for more than 15 years.
Thanks!
gnasch

Contributor

@AgentCosmic AgentCosmic commented Sep 2, 2019

Spamgourmet should be treated as a disposable email because users are empowered to abuse the "1 user 1 real email" rule. The important factor here is that the email address is disposable even though the account on Spamgourmet is not.

@fredericmora fredericmora commented Sep 2, 2019

Hello AgentCosmic,

I am a spamgourmet developer and admin. What you are saying is true, but it also can be applied to numerous other email providers.

As an example, Gmail encourages users to supply suffixes after a +. So joe6pack@gmail and joe6pack+github@gmail are different addresses but go to the same account. GMail advises using it to facilitate spam filtering, which is exactly what spamgourmet is doing.

So by that yardstick, GMail should be blacklisted. It is not. Why apply a different rule to spamgourmet?

We are with the good guys in the fight against abuse. And we do it for free. So please support us.

@zzynx zzynx commented Jul 4, 2020

I too support this request for the full 100%.
I'm a very happy user of spamgourmet for more than 15 years.
Spamgourmet is an anti-spam service, not a disposable e-mail service.
I want to receive the genuine e-mails that are sent to my spamgourmet addresses.
And I want to be able to block the ones that come from sources that I did not allow to send me e-mails.
That's exactly what Spamgourmet lets me accomplish.

@x80486 x80486 commented Jul 4, 2020

> Spamgourmet should be treated as a disposable email because users are empowered to abuse the "1 user 1 real email" rule. The important factor here is that the email address is disposable even though the account on Spamgourmet is not.

This @AgentCosmic folk can't be more wrong.

You would need to blacklist Fastmail, Gmail, Yahoo! Mail, etc. at the same time. You can have (almost) as many aliases as you want — there are limits, but hardly anyone is going to hit them.

@fredericmora fredericmora commented Jul 4, 2020

Spamgourmet is also invaluable for traceability. For example, I routinely buy old books from specialty and used book stores, who unfortunately lack resources to police their IT and cannot keep their PCs exempt from viruses. Twice in recent months, I purchased a book from a mom-and-pop store, giving them a custom email address. A few days later, I started seeing spam coming to the custom address. Since I only ever used the address for the store, I was able to contact the store and prove that the store keeper's PC had been compromised. Obviously, the credit card used for the transaction was cancelled. The store owner was able to remove his virus and thanked me.

Of course, there is also the case of the "American Trade" stock trading company (name slightly obfuscated), which had an insider leaking clients' email addresses and sending them pump-and-dump spam messages. The whole affair came to light because of a client who started getting such spam on an address exclusively used by the trading company.

This is why spamgourmet deserves help.

@foresto foresto commented Jul 10, 2020

This project is grossly misrepresenting itself. The statement of purpose is: "a library that allows applications to check for users signup with disposable email addresses." [sic]

Meanwhile, it reports spamgourmet domains as disposable, which is, plainly, a lie. Perhaps it was an honest mistake two years ago, but the maintainers have had so much time to correct their mistake that there is no longer a valid excuse for failing to do so.

Spamgourmet is a forwarding service, not a disposable address service. Everything about it is designed to deliver legitimate email to real users, consistently and reliably. If anything, spamgourmet addresses are more likely to reach real users than gmail or other addresses, because our inboxes are not overrun with junk mail. We give out a spamgourmet address specifically because we want to read the incoming messages.

Sadly, lists like this one have led quite a few web sites to refuse signups to legitimate users, or worse yet, to silently discard outgoing messages to legitimate addresses. Congratulations. You're encouraging broken web sites, lost information, failed communications, increased spam, a lot of frustration, and just plain bad user experiences. I strongly suggest you rethink this.

Please stop being irresponsible, and fix it. Remove all of the following domains from your list, and start exercising at least minimal competence at screening domains in the future. Until you do, your service will remain little more than a denial-of-service attack on a lot of people's communications; one that should be shut down.

@zzynx zzynx commented Jul 10, 2020

@foresto Please consider removing that list of domains from your previous post!
It's a bad thing to publish it in the wild.
I quote the FAQ from spamgourmet.com:
"There are other domains you can use, as well (search around the site and BBS, and the web, too). We don't list them all in one place, because some webmasters configure their sites to reject our addresses, and it seems like they come here to see which domains to reject."

@foresto foresto commented Jul 10, 2020

@zzynx The domains I listed are already in this project's blacklist. The damage here was already done.

@zzynx zzynx commented Jul 10, 2020

> The domains I listed are already in this project's blacklist.

In a list of 2000 domains it is not clear which ones belong to spamgourmet.
Your list unfortunately makes that rather clear.

@foresto foresto commented Jul 10, 2020

> In a list of 2000 domains it is not clear which ones belong to spamgourmet.
> Your list unfortunately makes that rather clear.

I don't follow your thinking. Are you afraid that someone is going to grovel through bug reports so they can single out spamgourmet with some kind of spitefully targeted custom blacklist, rather than simply using the list that's already prepared? If you know of a plausible incentive for someone to do such a thing, then please share it.

Otherwise, I intend to leave my comment in place so that the blacklist maintainer knows which domains to remove. I'll be happy to redact my comment as soon as that is done.

Author

@lwcorp lwcorp commented Jul 10, 2020

> I don't follow your thinking. Are you afraid that someone is going to grovel through bug reports.

I believe the meaning was that Google and other search engines' crawlers will make the Spamgourmet list public because of your comment, making it even easier for services such as this one to block Spamgourmet (if for example they decide this service's global list is too wide).

> I'll be happy to redact my comment as soon as that is done.

It's not always guaranteed the edit right will be there forever.

@foresto foresto commented Jul 10, 2020

> making it even easier for services such as this one to block Spamgourmet (if for example they decide this service's global list is too wide).

If your hypothetical person who thinks the global list is too wide finds my comment through a google search, they will immediately learn that spamgourmet et al. don't belong on any such list, and leave it alone. That would be a good thing.

Also, if we expect the maintainers to correct their list, they need to know what corrections to make. Let's not make it difficult for them.

Finally, remember that this is a publicly visible revision control system. Every edit, including the diff when spamgourmet domains are eventually removed, is permanently visible to both web crawlers and humans. In other words, the information I posted was already available. (And correlated, in multiple places other than here; I checked before posting.) That ship has already sailed. Rather than fooling ourselves into thinking we can revoke the information, let's try to correct the misunderstandings that encourage people to misuse it.

@sysdbugfactory sysdbugfactory commented Aug 5, 2020

To the dev running disposable_email_checker: you are the cancer behind why, after 15 years of using spamgourmet services effectively and successfully, it is now rejected in a growing number of places. I sincerely hate for being that thick and incompetent.

Relying on a third party provider for your library is not a smart move, especially when touching something as central as email and registration. This third party provider kickbox has clearly stated that spamgourmet is on their list not for a technical reason but due to an arbitrary decision. They know this is a legitimate privacy and spam protection service but chose to blacklist it anyway for fear that their blacklisting of disposable address services would cause people to work around their blacklisting by registering and using a spamgourmet account. By this logic you would have to blacklist yahoo, gmail and pretty much any free registration email provider, but for some reason they arbitrarily chose to not apply the same policy to them.

Hopefully at some point you'll come to your senses and ditch kickbox for being too broad and raising a lot of false positives, impacting the online life of people. Or fix their broken filter by adding a default whitelist to fix their shortcomings.
